Thread: how secure? (file upload script)

  1. #1

    how secure? (file upload script)

    I have a question:
    I'm working on a script to upload files to a site.
    How secure would you consider this to be, both in terms of the file type (in this case, jpg, gif, and png images only) and of user permission (the password)?
    PHP Code:
    <?php
    session_start();
    if (!isset($_POST['upload'])) {
        // No submission yet: show the form, posting back to this same page
        echo '
            <form name="upload" enctype="multipart/form-data" method="POST" action="'.$_SERVER['REQUEST_URI'].'">
            File to Upload: <input type="file" name="file" size="13" value="">
            Enter Password: <input type="password" name="pass">
            <input type="submit" name="upload" value="Upload">
            </form>
            ';
    } else {
        $pass = $_POST['pass'];
        if ($pass == "secret") {
            // Accepted MIME types, compared against the type reported with the upload
            $ok = array('image/gif', 'image/jpeg', 'image/jpg', 'image/png');
            $typeok = false;
            foreach ($ok as $type) {
                if ($type == $_FILES['file']['type']) {
                    $typeok = true;
                    break;
                }
            }
            if ($typeok) {
                $uploadpath = 'uploads/';
                $filename = $_FILES['file']['name'];
                $filesize = $_FILES['file']['size'];
                $tmpname_file = $_FILES['file']['tmp_name'];
                if ($filesize > '5000000') {
                    echo "File is too large";
                } else {
                    // Move the temporary upload into uploads/ under its original name
                    if (move_uploaded_file($tmpname_file, "$uploadpath$filename")) {
                        echo "Successful upload to: ".$uploadpath.$filename."<br>
                            <img src=\"".$uploadpath.$filename."\">";
                    } else {
                        echo "Upload Failed";
                    }
                }
            }
        } else {
            echo "Incorrect Password";
        }
    }
    ?>
    Last edited by traq; 05-25-2009 at 06:36 PM.

  2. #2

    It depends on the number of people who will use it: if you have many people and one password, then the risk of password 'leakage' is higher.

    I prefer to have a password table in which I keep name and password.

    This way everybody can have a unique password and you can create a password protected function to regularly update the passwords.

    If it is for a single user, then I think it is reasonably secure.

  3. #3

    Yes, it's just for a single user.
    (Actually, it's just an experiment. Next, I'm working on pulling user/password combinations from a database. With this script -with the password actually in the script- I've already found a way to get it; by storing the password in a database I think it'll be harder.)
    Is the mime/type check fairly certain? How possible would it be to bypass and upload a file I didn't want?
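    An added example, not code from the thread, showing what the type check looks like when the MIME type is taken from the file's bytes instead of the browser-supplied $_FILES['file']['type'], and when the stored name is chosen by the server rather than taken from the upload. It assumes the same form field names as the script above ("file", "pass", "upload") and a writable uploads/ directory next to the script; the form-rendering branch is omitted since it is unchanged.

```php
<?php
// Added example (not the thread's code). Accept an image only if its bytes
// parse as one, and store it under a server-generated name, so neither the
// browser-supplied 'type' nor the original filename is trusted.
const MAX_BYTES  = 5000000;
const UPLOAD_DIR = __DIR__ . '/uploads/';
// MIME type as detected from content => extension written to disk.
const ALLOWED = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

// Returns [true, safe_name] or [false, error_message].
function validate_upload(array $file): array
{
    // PHP flags partial uploads, missing files and size overruns here.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'Upload Failed'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'File is too large'];
    }
    // Only a file PHP itself received in this request may be moved.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'Upload Failed'];
    }
    // Sniff the real content; the 'type' entry in $_FILES is whatever the client sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $info = @getimagesize($file['tmp_name']);   // must also decode as an image
    if (!isset(ALLOWED[$mime]) || $info === false || $info['mime'] !== $mime) {
        return [false, 'Not an accepted image type'];
    }
    // Random name with our own extension: no user-controlled path component.
    return [true, bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime]];
}

if (isset($_POST['upload'])) {
    // Placeholder: keep the password_hash() output in config or a database,
    // not in the script (the thread's next step); it is computed here only so
    // the example runs stand-alone.
    $stored_hash = password_hash('secret', PASSWORD_DEFAULT);
    if (!password_verify($_POST['pass'] ?? '', $stored_hash)) {
        echo 'Incorrect Password';
    } else {
        [$ok, $result] = validate_upload($_FILES['file'] ?? []);
        if ($ok && move_uploaded_file($_FILES['file']['tmp_name'], UPLOAD_DIR . $result)) {
            echo 'Successful upload to: ' . htmlspecialchars('uploads/' . $result);
        } else {
            echo htmlspecialchars($ok ? 'Upload Failed' : $result);
        }
    }
}
```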
