File upload

Wratox1

Member
Reaction score
22
I'm making a site where you can watch flash files (.swf), and I made an upload page where you can upload .swf files. I have this code to upload the file:

PHP:
<?php
// Configuration - Your Options
$allowed_filetypes = array('.swf'); // These will be the types of file that will pass the validation.
$max_filesize = 5242880; // Maximum filesize in BYTES (currently 5MB).
$upload_path = './flash/'; // The place the files will be uploaded to (currently the 'flash' directory).
$count = count(glob($upload_path . '*.*'));

// Make sure a file actually arrived and PHP reports the upload as complete before touching it.
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK)
    die('No file was uploaded, or the upload did not complete.');

$filename = $_FILES['file']['name']; // Get the name of the file (including file extension).
// Get the extension from the filename: everything from the FIRST dot onward,
// so "filename.php.swf" yields ".php.swf" and fails the whitelist check below.
$dot = strpos($filename, '.');
$ext = ($dot === false) ? '' : strtolower(substr($filename, $dot));

// Check if the filetype is allowed, if not DIE and inform the user.
if (!in_array($ext, $allowed_filetypes, true))
    die('The file you attempted to upload is not allowed.');

// Now check the filesize, if it is too large then DIE and inform the user.
if (filesize($_FILES['file']['tmp_name']) > $max_filesize)
    die('The file you attempted to upload is too large.');

// Check if we can upload to the specified path, if not DIE and inform the user.
if (!is_writable($upload_path))
    die('You cannot upload to the specified directory, please CHMOD it to 777.');

$count += 1;
$name = "$count";

if (move_uploaded_file($_FILES['file']['tmp_name'], $upload_path . $name . '.swf'))
{
    die('File is valid, and was successfully uploaded.');
}
else
{
    // The original name is user-controlled, so escape it before echoing it into HTML.
    die('Possible file upload attack! <br> ' . htmlspecialchars($_FILES['file']['name'], ENT_QUOTES, 'UTF-8') . '<br>' . filesize($_FILES['file']['tmp_name']));
}

?>

Can I make it safer against upload attacks?

//Wratox
 

UndeadDragon

Super Moderator
Reaction score
448
What sort of upload attacks do you want protecting against? You are already limiting the files to .swf files, which means they can't attach .exes or anything.
 

Wratox1

Member
Reaction score
22
I want to protect against most upload attacks. One I had in mind was if someone uploaded a file like this: "filename.php.swf". Am I still protected against that?
 

UndeadDragon

Super Moderator
Reaction score
448
Yes, as that will still work as a .swf file, unless they somehow managed to change the file extension. If you want to be 100% sure, you can check the file extension before displaying it on the page, which means it will definitely be a .swf when you actually use it.
 

GetTriggerUnit-

DogEntrepreneur
Reaction score
129
I know the extension might be wrong, but the MIME type is usually right. $_FILES['myFileInput']['mime'] == 'application/x-shockwave-flash'
 

Slapshot136

Divide et impera
Reaction score
471
Maybe also limit special characters and allow only one . (or auto re-name/remove extra stuff).
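The thread raises four separate checks: the double-extension case ("filename.php.swf") from Wratox1's question, UndeadDragon's suggestion to re-check the name before displaying the file, GetTriggerUnit-'s point about checking the content type, and Slapshot136's suggestion to restrict characters and allow a single dot. The following is an added example, not code from any poster in this thread, showing all four in one upload handler. The function names (validate_swf_upload, store_swf_upload, is_safe_swf_name) and the flash directory path are assumptions for the example. Note that PHP exposes the browser-supplied type as $_FILES[...]['type'], and the browser can set it to anything, so the example inspects the first bytes of the file for a SWF signature instead of trusting that header.

```php
<?php
// Added example (not the original poster's code): validating a .swf upload.
declare(strict_types=1);

const MAX_FILESIZE = 5242880;                 // 5 MB, as in the original script
const ALLOWED_EXTENSIONS = ['swf'];
// Every SWF file begins with one of these signatures
// (uncompressed, zlib-compressed, LZMA-compressed).
const SWF_SIGNATURES = ['FWS', 'CWS', 'ZWS'];

/**
 * Returns null when the upload is acceptable, otherwise a short reason.
 * $file is one entry of $_FILES, e.g. $_FILES['file'].
 */
function validate_swf_upload(array $file): ?string
{
    // 1. PHP's own upload status must be OK; a partial or missing upload
    //    must never reach move_uploaded_file().
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed with error code ' . (int) $file['error'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    if (filesize($file['tmp_name']) > MAX_FILESIZE) {
        return 'file too large';
    }

    // 2. Filename: drop any client-supplied directory part, then require
    //    exactly one dot and only letters, digits, '-' and '_' before it.
    //    This rejects "filename.php.swf" and names with odd characters.
    $original = basename((string) $file['name']);
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})\z/', $original, $m)) {
        return 'filename must be name.ext using only letters, digits, - and _';
    }
    $ext = strtolower($m[1]);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return 'extension not allowed';
    }

    // 3. Content: $file['type'] is set by the browser and can say anything,
    //    so read the first three bytes and compare against the SWF signatures.
    $header = file_get_contents($file['tmp_name'], false, null, 0, 3);
    if ($header === false || !in_array($header, SWF_SIGNATURES, true)) {
        return 'file content is not a SWF';
    }
    return null;
}

/**
 * Stores an accepted upload under a server-chosen random name and returns
 * that name. A random name (rather than a glob() count) means two uploads
 * arriving at the same moment cannot collide, and the client never
 * influences the stored filename.
 */
function store_swf_upload(array $file, string $upload_path): string
{
    $reason = validate_swf_upload($file);
    if ($reason !== null) {
        throw new RuntimeException($reason);
    }
    $name = bin2hex(random_bytes(8)) . '.swf';
    $dest = rtrim($upload_path, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $name;
}

/**
 * Guard for the page that embeds a stored file: only a bare hex name
 * produced by store_swf_upload() is accepted, so a request parameter can
 * never point outside the flash directory or at a non-.swf file.
 */
function is_safe_swf_name(string $name): bool
{
    return (bool) preg_match('/\A[0-9a-f]{16}\.swf\z/', $name);
}

// Usage from the upload form handler (the directory path is assumed).
if (isset($_FILES['file'])) {
    try {
        $stored = store_swf_upload($_FILES['file'], __DIR__ . '/flash/');
        echo 'File is valid and was stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

On the display page, pass the requested name through is_safe_swf_name() before building the embed tag, which is the "check before displaying" step UndeadDragon describes. The checks above decide what gets stored; independently of them, the flash directory should be one the web server serves as static files only, so that nothing placed there is ever executed as a script.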
 