Unsecure Upload In PHP

ghost

0 0

17 years ago

Hi, my code for my uploading is unsecure, how would I fix it so that I can prohibit files with certain extensions to be uploaded?

&lt;?php
$target = &quot;uploaded/&quot;;
$target = $target . basename( $_FILES[&#39;uploaded&#39;][&#39;name&#39;]) ;
$ok=1;
if(move_uploaded_file($_FILES[&#39;uploaded&#39;][&#39;tmp_name&#39;], $target))
{
echo &quot;The file &quot;. basename( $_FILES[&#39;uploadedfile&#39;][&#39;name&#39;]). &quot; has been uploaded to &lt;a href=&#39;uploaded/&#39;&gt;here.&lt;/a&gt;&quot;;
}
else {
echo &quot;Sorry, there was a problem uploading your file.&quot;;
}
?&gt;```

ghost

0 0

17 years ago

if(strpos(basename($_FILES[&#39;uploaded&#39;][&#39;name&#39;],&quot;.php&quot;)||
strpos(basename($_FILES[&#39;uploaded&#39;][&#39;name&#39;],&quot;.htm&quot;)||
strpos(basename($_FILES[&#39;uploaded&#39;][&#39;name&#39;],&quot;.html&quot;)||
strpos(basename($_FILES[&#39;uploaded&#39;][&#39;name&#39;],&quot;.asp&quot;)||
strpos(basename($_FILES[&#39;uploaded&#39;][&#39;name&#39;],&quot;.aspx&quot;)||
strpos(basename($_FILES[&#39;uploaded&#39;][&#39;name&#39;],&quot;.exe&quot;)) {
die(&quot;invalid file extension!&quot;);
}

you could do that, or use the same check to make sure the file ext. falls within a certain range of extensions.

Uh oh. Looks like your using an ad blocker.

ghost

ghost