Since my upload script has no extension check, I came up with an idea. Basically to block php file uploading. Lines in red were added, but the script always commits suicide saying "pede raisk". Even with jpg, png etc. files.

<?php
session_start();
include ('dbc.php');
if ((!empty($_FILES["uploaded_file"])) && ($_FILES['uploaded_file']['error'] == 0)) {
    $filename = str_replace(array('Ö', 'Ä', 'Ü', 'Õ', 'ö', 'ä', 'ü', 'õ', ' '), array('O', '2', 'Y', '6', 'o', '2', 'y', '6', '_'), $_FILES["uploaded_file"]["name"]);
    // The next two lines are the ones that were added (marked in red in the post).
    $ext = substr($filename, strrpos($filename, '.') + 1);
    if ($ext = "php"){die("Pede raisk");}
    if ($_FILES["uploaded_file"]["size"] < 2000000) {
        $newname = dirname(__FILE__).'/images/backgrounds/'.$filename;
        if (!file_exists($newname)) {
            if ((move_uploaded_file($_FILES['uploaded_file']['tmp_name'],$newname))) {
                chmod($newname, 0777);
                $sentfile = $_FILES['uploaded_file']['name'];
                mysql_query("UPDATE users SET background = '$sentfile' WHERE user_email = '$_SESSION[user]'") or die(mysql_error());
                header("Location: myaccount.php?msg=Pilt on vastuvõetud ning taustapilt edukalt muudetud.");
            }
        } else {
            header("Location: myaccount.php?msg=Antud failinimi on juba kasutusel.");
        }
    }
} else {
    header("Location: myaccount.php?msg=Faili ei saadetud.");
}
?>
Code (markup):

if ($ext = "php"){die("Pede raisk");}

What you are doing in that line is an assignment operator rather than a comparison operator, so it will always evaluate to true. What you actually want is

if ($ext == "php"){die("Pede raisk");}

I've put the extra = in red just so you can see it. It's a common error in languages that use double equals as a comparison operator.

Jen

http://www.crivionweb.com/phpblog/php-tutorial-get-file-extension/ for extension checking, or just make = into == like

if ($ext == "php"){die("Pede raisk");}
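
An added example, not code from the thread: it shows why the assignment in the original check makes the `if` succeed for every file, and a stricter form of the same extension check that lower-cases the extension and compares it strictly against a list of permitted image types. The allowlist contents and the function names `checked_extension` and `stored_name` are assumptions made for illustration.

```php
<?php
// Assumed allowlist for background images; adjust to what the site accepts.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Return the lower-cased extension when it is on the allowlist, otherwise null.
 * (Hypothetical helper, not part of the script in the thread.)
 */
function checked_extension(string $clientName): ?string
{
    // basename() discards any directory part sent with the name.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    // The third argument makes in_array() compare with ===, so there is no
    // type juggling and no place where a stray "=" could turn into an assignment.
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : null;
}

/**
 * Build the name the file is stored under, so the client-supplied name
 * never becomes part of the path. (Hypothetical helper.)
 */
function stored_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// The bug from the thread: an assignment expression evaluates to the value
// assigned, and the non-empty string "php" is truthy, so die() always ran.
$ext = 'jpg';
$assignmentResult = ($ext = 'php');   // overwrites $ext
echo 'assignment used as condition: ';
var_dump((bool) $assignmentResult);

$ext = 'jpg';
echo 'strict comparison:            ';
var_dump($ext === 'php');

// Constructed sample file names, not taken from the thread.
foreach (['taust.jpg', 'Photo.PNG', 'script.php', 'Script.PHP', 'noext'] as $name) {
    $ext = checked_extension($name);
    printf("%-12s %s\n", $name, $ext === null ? 'rejected' : 'stored as ' . stored_name($ext));
}
```

In the upload script, the result of `checked_extension()` would decide whether `move_uploaded_file()` is called at all, and `stored_name()` would replace `$filename` in `$newname`.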