traq
05-25-2009, 04:55 AM
I have a question:
I'm working on a script to upload files to a site.
How secure would you consider this to be, both in terms of the file type (in this case, jpg, gif, and png images only) and of user permission (the password)?
<?php
session_start();
if(!isset($_POST['upload'])) {
echo '
<form name="upload" enctype="multipart/form-data" method="POST" action="'.$_SERVER['REQUEST_URI'].'">
File to Upload: <input type="file" name="file" size="13" value="">
Enter Password: <input type="password" name="pass">
<input type="submit" name="upload" value="Upload">
</form>
';
} else {
$pass = $_POST['pass'];
if ($pass == "secret") {
$ok = array('image/gif', 'image/jpeg', 'image/jpg', 'image/png');
$typeok = false;
foreach($ok as $type){
if ($type == $_FILES['file']['type']){
$typeok = true;
break;
}
}
if ($typeok) {
$uploadpath = 'uploads/';
$filename = $_FILES['file']['name'];
$filesize = $_FILES['file']['size'];
$tmpname_file = $_FILES['file']['tmp_name'];
if($filesize > '5000000') {
echo "File is too large";
} else {
if(move_uploaded_file($tmpname_file, "$uploadpath$filename")) {
echo "Successful upload to: ".$uploadpath.$filename."<br>
<img src=\"".$uploadpath.$filename."\">";
} else {
echo "Upload Failed";
}
}
}
} else {
echo "Incorrect Password";
}
}
?>
I'm working on a script to upload files to a site.
How secure would you consider this to be, both in terms of the file type (in this case, jpg, gif, and png images only) and of user permission (the password)?
<?php
session_start();
if(!isset($_POST['upload'])) {
echo '
<form name="upload" enctype="multipart/form-data" method="POST" action="'.$_SERVER['REQUEST_URI'].'">
File to Upload: <input type="file" name="file" size="13" value="">
Enter Password: <input type="password" name="pass">
<input type="submit" name="upload" value="Upload">
</form>
';
} else {
$pass = $_POST['pass'];
if ($pass == "secret") {
$ok = array('image/gif', 'image/jpeg', 'image/jpg', 'image/png');
$typeok = false;
foreach($ok as $type){
if ($type == $_FILES['file']['type']){
$typeok = true;
break;
}
}
if ($typeok) {
$uploadpath = 'uploads/';
$filename = $_FILES['file']['name'];
$filesize = $_FILES['file']['size'];
$tmpname_file = $_FILES['file']['tmp_name'];
if($filesize > '5000000') {
echo "File is too large";
} else {
if(move_uploaded_file($tmpname_file, "$uploadpath$filename")) {
echo "Successful upload to: ".$uploadpath.$filename."<br>
<img src=\"".$uploadpath.$filename."\">";
} else {
echo "Upload Failed";
}
}
}
} else {
echo "Incorrect Password";
}
}
?>