Browse computer - How is it done?

[Medyman]

Hey all..

I just finished up a website and am adding some additional functionality to the client admin panel.

The website requires the client to upload some images among other things. What I wanted to do is to add functionality where he could browse his PC and choose which file to upload that way.

(If i'm making no sense, I mean something like the browse button here : http://imageshack.us/)

[james438]

This is just an old file I happen to have. Place the first code in a script called picform.php

PHP Code:

<html>
<head><title>File Upload</title></head>
<body>
<ol><li>Enter the file name of the product picture you want
        to upload or use the browse button 
        to navigate to the picture file.</li>
    <li>When the path to the picture file shows in the text
        field, click the Upload Picture button.</li>
</ol> 
<div align="center"><hr>
<form enctype="multipart/form-data" 
        action="uploadpic.php" method="POST">
  <input type="hidden" name="MAX_FILE_SIZE" value="500000">
  <input type="file" name="pix" size="60">
  <p><input type="submit" name="Upload" 
        value="Upload Picture">
</form>
</body></html> 


and this one in a file called uploadpic.php.

PHP Code:

<?php
  if(!isset($_POST['Upload']))
  {
    include("picform.php");
  } # endif
  else
  {
    if($_FILES['pix']['tmp_name'] == "none")
    {
      echo "<b>File did not successfully upload. Check the 
            file size. File must be less than 500K.<br>";
      include("picform.php");
      exit();
    }
    if(!ereg("image",$_FILES['pix']['type']))
    {
      echo "<b>File is not a picture. Please try another 
            file.</b><br>";
      include("picform.php");
      exit();
    }
    else
    {
      $destination = $_FILES['pix']['name'];
      $temp_file = $_FILES['pix']['tmp_name'];
      move_uploaded_file($temp_file,$destination);
      echo "<p><b>The file has successfully uploaded:</b>
            {$_FILES['pix']['name']} 
            ({$_FILES['pix']['size']})</p>"; 
    }
  }
?>

Place these two files in the folder that you want the user to be able to upload the files to. The only problems is that I didn't put password protection on either of these files, which you will want to do and I have not tested it in quite a while, so you might be able to upload other files besides pics. You may also want to change the limit of the file size. Either way this should give you a start.

[Twey]

I have not tested it in quite a while, so you might be able to upload other files besides pics.

Indeed so. You check the file type rather than the file extension, and rely on the user supplying the real file type with the request at that, so a user could fairly easily upload a PHP script and use it to take over your server.

[Medyman]

How would I go about fixing that vunerability, Twey (or anyone else)?

[Twey]

Code:

function or_f($a, $b) {
  return $a || $b;
}

function file_has_extension($fn, $ext) {
  if(is_array($ext))
    return array_reduce(array_map(create_function('$a', 'return file_has_extension(\'' . $fn . '\', $a);'), $ext), 'or_f', false);
  else
    return strpos(strtolower($fn), '.' . strtolower($ext)) === strlen($fn) - strlen($ext) + 1;
}

$image_extensions = array(
  'png',
  'jpg',
  'jpeg',
  'gif'
);

and instead of:

Code:

if(!ereg("image",$_FILES['pix']['type']))

Use:

Code:

if(file_has_extension($_FILES['pix']['name'], $image_extensions))

[james438]

I did that, but now I get

Code:

Fatal error: Call to undefined function: stripos()

when I upload any file.

[Twey]

Whoops, PHP5 only. Modified to use strtolower() instead.

[james438]

Still got the same error, but it only took about 30 seconds to convert to php5, so I did that . PHP 4 is becoming obsolete anyway.

[Twey]

Still got the same error

Hm, really? There's no mention of stripos() any more...

but it only took about 30 seconds to convert to php5, so I did that . PHP 4 is becoming obsolete anyway.

Agreed

[james438]

Too lazy to look it all up, but in your above function shouldn't the file extensions all be converted to lowercase?

I'll look up create_function, or_f, function, array_map, array_reduce, is_array later