View Full Version : Upload Form Problem

11-03-2005, 05:30 PM
Hey everyone :)

I stuck a validation script for an upload form so that you can only upload images. It works when you try to upload a file which is not an image but when you upload a image it says

Possible file upload attack! Here's some debugging info:
[uploadfile] => Array
[name] => abandongame button.gif
[type] => image/gif
[tmp_name] => /tmp/phpGEtdHo
[error] => 0
[size] => 1062


Here's the code for the upload form

<form enctype="multipart/form-data" action="upload.php" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="1048576" />
<input type=file name=uploadfile>
<input type=button name="Submit" value="Submit" onclick="LimitAttach(this.form, this.form.uploadfile.value)">

The Upload File

$uploadDir = '/home/abandonw/public_html/submit/screenshots/boxcovers/';
$uploadFile = $uploadDir . $_FILES['userfile']['name'];
print "<pre>";
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadFile))
print "The box cover was succesfully uploaded. ";
print "Here's some more debugging info:\n";
print "Possible file upload attack! Here's some debugging info:\n";
print "</pre>";

and here's the actual script from the Javascript Source

<!-- Original: ArjoGod, Shauna Merritt -->
<!-- Modified By: Ronnie T. Moore, Editor -->

<!-- This script and many more are available free online at -->
<!-- The JavaScript Source!! http://javascript.internet.com -->

<!-- Begin
extArray = new Array(".gif", ".jpg", ".png");
function LimitAttach(form, file) {
allowSubmit = false;
if (!file) return;
while (file.indexOf("\\") != -1)
file = file.slice(file.indexOf("\\") + 1);
ext = file.slice(file.indexOf(".")).toLowerCase();
for (var i = 0; i < extArray.length; i++) {
if (extArray[i] == ext) { allowSubmit = true; break; }
if (allowSubmit) form.submit();
alert("Please only upload files that end in types: "
+ (extArray.join(" ")) + "\nPlease select a new "
+ "file to upload and submit again.");
// End -->

any help apprechiated

Tom Evans

11-03-2005, 05:38 PM
Using that there Javascript to validate it is a bad idea. Try checking if the image type starts with "image/" in the PHP code. This is also more reliable than checking by extension.

11-03-2005, 06:41 PM

Sorry but as i'm a bit of a newbie to PHP where would I specify the image type in the PHP code


Tom Evans :)

11-04-2005, 04:32 AM
You don't specify the image type, you check the image type.

if(strpos($_FILES['userfile']['type'], "image/") === 0) {
// It's an image. Handle the rest of the upload process.
} else {
// It isn't an image. Die with an error.