Uploading files to server

 
karl92
Joined: 29 Jan 2008
Posts: 2

PostPosted: Thu Feb 28, 2008 5:49 pm    Post subject: Uploading files to server

Hey all, I know I'm probably in the wrong place to be asking this, but it's always worth a shot. I want to add an upload form to my website, which is hosted by Abyss Web Server. Basically, I want to allow people to upload pictures onto my server/PC from the internet. Could anybody tell me how to go about this, please? Cheers.
pkSML
Joined: 29 May 2006
Posts: 959
Location: Michigan, USA

PostPosted: Thu Feb 28, 2008 10:34 pm

http://pksml.net/search/php+upload+pictures+script - many results here

http://www.webdeveloper.com/forum/showthread.php?t=101466 - Nice!
http://www.aprelium.com/forum/viewtopic.php?t=12427 - Simple

Neither of these scripts do any validation regarding whether it's really an image, but they give you the basics of PHP uploading.

http://pksml.net/search/php+upload+image+verify - Make sure upload is an image
_________________
Stephen
Need a LitlURL?


http://CodeBin.yi.org
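A validated upload handler along the lines of what pkSML's links describe, written here as an added example rather than code from the thread or from any of the linked scripts. It assumes the upload arrives as one entry of $_FILES, that $storeDir is a directory outside the document root, and that only PNG, JPEG and GIF are wanted; the constant and function names are mine, and the decision is made from the file's bytes rather than from the client-supplied name or type.

```php
<?php
// Added example (not from the thread): validate an uploaded picture before storing it.
// Assumptions: $storeDir is outside the document root; the caller passes one entry
// of $_FILES (for example $_FILES['picture']).
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // 2 MiB cap on a picture (assumed limit)

// MIME type detected from the bytes => extension the file will be stored under
const ALLOWED_IMAGES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Returns the extension to store the file under, or null if the file is rejected.
 * getimagesizefromstring() parses the real image header, so HTML, PHP source or a
 * renamed script fails here regardless of its filename.
 */
function validateImageBytes(string $bytes): ?string
{
    if ($bytes === '' || strlen($bytes) > MAX_UPLOAD_BYTES) {
        return null;
    }
    $info = @getimagesizefromstring($bytes);
    if ($info === false || !isset($info['mime'])) {
        return null;
    }
    return ALLOWED_IMAGES[$info['mime']] ?? null;
}

/**
 * Move a finished upload into $storeDir under a random name. Returns the new
 * basename, or null if anything about the upload is not acceptable.
 */
function storeUploadedPicture(array $file, string $storeDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Refuse anything that did not arrive through this request's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = validateImageBytes((string) file_get_contents($file['tmp_name']));
    if ($ext === null) {
        return null;
    }
    // Random name: the client's filename never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640); // data only, never executable
    return $name;
}

// Stand-alone check with constructed inputs (no web request needed).
if (PHP_SAPI === 'cli') {
    // A genuine 1x1 transparent PNG, base64-encoded (constructed test input).
    $png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
    // Something that would be called "file.png" by name but is PHP source by content.
    $fake = "<?php echo 'not a picture'; ?>";
    var_dump(validateImageBytes($png));
    var_dump(validateImageBytes($fake));
}
```

The two var_dump calls show the accepted extension for the real PNG and null for the script. Storing under a random name with a known extension, outside the docroot, means a rejected-or-not file is never something the web server would hand to the PHP engine; the byte check is what keeps non-pictures out, and the location is what keeps anything that slips through from ever running.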
Toasty
Joined: 21 Feb 2008
Posts: 298
Location: Chicago, IL

PostPosted: Sat Mar 01, 2008 2:17 am

On my server, I run strip_tags over the files uploaded (some pictures won't work because of this)... But this will go a long way in preventing C99 scripts (external shells) from getting uploaded.
_________________
Audit the secure configuration of your server headers!
rrinc
Joined: 24 Feb 2006
Posts: 725
Location: Arkansas, USA

PostPosted: Sat Mar 01, 2008 2:38 am

I can't see any problems with that. It should work to prevent PHP scripts and such.
_________________
-Blake | New Server :D
SaveTheInternet
I am a Spanish speaker. You can contact me by private message.
pkSML
Joined: 29 May 2006
Posts: 959
Location: Michigan, USA

PostPosted: Sat Mar 01, 2008 3:44 pm

Toasty wrote:
On my server, I run strip_tags over the files uploaded (some pictures won't work because of this)... But this will go a long way in preventing C99 scripts (external shells) from getting uploaded.


I wonder if you could use preg_replace_all instead of strip_tags and take out all occurrences of the following from the uploaded image:
<?
<javascript
<object
<applet

That should cover all your bases. (No guarantees, though.)
--------------------------------

Another idea: let users upload their pics to a directory outside of the docroot. Don't fiddle with their upload. Then have PHP access the pic and perform the strip_tags in real-time before spitting the image out.

This would enable you to check them manually for those pictures that won't work for you right now.
Toasty
Joined: 21 Feb 2008
Posts: 298
Location: Chicago, IL

PostPosted: Sun Mar 02, 2008 9:11 am

^Him^ wrote:
Another idea: let users upload their pics to a directory outside of the docroot. Don't fiddle with their upload. Then have PHP access the pic and perform the strip_tags in real-time before spitting the image out.


That's exactly what I do...

Example:
$x = file_get_contents("file.png");  // picture stored outside the docroot
$x = strip_tags($x);
header("Content-Type: image/png");   // header() sends the header itself and returns nothing to echo
echo $x;


As for the preg_replace...I haven't tried it, but I am a little worried about an attack like this:

Code:
<scr<script>ipt>


As you can see, it would remove the middle tag in the process, and then turn the previously broken tag into a tag.

I feel strip_tags is the safest. I'm sure there's better ways to do it, but seeing as my site uses that script for simple avatar uploads, I don't think it's a huge threat when an avatar doesn't work because strip_tags corrupted something within the image.
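Toasty's objection to a single preg_replace pass, and pkSML's suggestion of serving the stored picture from outside the docroot, written out as an added example (not code from the thread). The tag patterns are my reading of pkSML's list with the closing bracket included, $storeDir is assumed to be a directory outside the document root, the file-name rule assumes the random hex names an upload handler would generate, and all function names are mine.

```php
<?php
// Added example (not from the thread): single-pass tag removal versus a loop,
// and the "store outside the docroot, serve through PHP" pattern.
declare(strict_types=1);

// pkSML's list (plus <script>), each matched as a whole tag, case-insensitively.
// Assumed patterns, not from the thread verbatim.
const BLOCKED_PATTERNS = [
    '/<\?/',
    '/<javascript[^>]*>/i',
    '/<object[^>]*>/i',
    '/<applet[^>]*>/i',
    '/<script[^>]*>/i',
];

/** One pass of removal: the variant Toasty was worried about. */
function stripOnce(string $data): string
{
    return (string) preg_replace(BLOCKED_PATTERNS, '', $data);
}

/** Repeat removal until nothing changes, so a tag re-assembled by a pass is removed too. */
function stripUntilStable(string $data): string
{
    do {
        $before = $data;
        $data = stripOnce($data);
    } while ($data !== $before);
    return $data;
}

/**
 * Serve a stored picture from outside the docroot. The web server never sees the
 * file as a script, the browser is told the real type, and sniffing is disabled.
 * Returns false (and sends nothing) if the name or the file is not acceptable.
 */
function servePicture(string $storeDir, string $name): bool
{
    // Only names an upload handler would have generated: 32 hex chars + known extension.
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpe?g|gif)$/', $name)) {
        return false;
    }
    $path = rtrim($storeDir, '/') . '/' . $name;
    $info = @getimagesize($path);
    if ($info === false || !isset($info['mime'])) {
        return false;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    return true;
}

// Stand-alone demonstration of the nested-tag case from the thread.
if (PHP_SAPI === 'cli') {
    $probe = '<scr<script>ipt>';          // constructed input, the case Toasty raised
    var_dump(stripOnce($probe));          // inner tag removed, outer one re-assembled
    var_dump(stripUntilStable($probe));   // the next pass removes the re-assembled tag
    var_dump(strip_tags($probe));
}
```

Run from the command line, one pass turns <scr<script>ipt> into <script>, while the looping version keeps going until a pass changes nothing and so removes it. The broader point, which both posters circle around, is that none of this text filtering is what stops a C99 shell: the file lives outside the docroot and is only ever read back with readfile() under an image Content-Type, so it is never reachable as a PHP script, and the filter is a second layer at most. Both strip_tags and regex replacement also act on raw bytes that merely look like tags, which is why genuine pictures sometimes come out corrupted, exactly as Toasty and pkSML observed.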
All times are GMT + 1 Hour