Please have a look at my code and see if you think this is good enough for a website which needs good to very good security (but I'm not a banking site so dont need/expect Outstanding security and workload) Users will upload profile photos and other photos. This is all my code to allow a user to upload photos. $filenametouse = $_FILES["formname"]["name"]; $file_basename = substr($filenametouse, 0, strripos($filenametouse, '.')); // strip extention out $file_ext = substr($filenametouse, strripos($filenametouse, '.')); //extension only $createfoldername="/home/accountname/public_html/photos/".gmdate("my")."/";//stored in photos/0608/ for this months uploads if(is_dir($createfoldername)) {} else{mkdir($createfoldername, 0777);} $pathtosaveto = $createfoldername.time().rand(10000000000,99999999999).$file_ext; if ((($_FILES["formname"]["type"] == "image/tif") || ($_FILES["formname"]["type"] == "image/tiff") || ($_FILES["formname"]["type"] == "image/jpeg") || ($_FILES["formname"]["type"] == "image/pjpeg") || ($_FILES["formname"]["type"] == "image/gif") || ($_FILES["formname"]["type"] == "image/jpg") || ($_FILES["formname"]["type"] == "image/png") || ($_FILES["formname"]["type"] == "image/bmp")) && ($_FILES["formname"]["size"] < 10737418240))//The size, in bytes, of the uploaded file. //allow up to 10mb file upload { if ($_FILES["formname"]["error"] > 0) { echo "Return Code: " . $_FILES["formname"]["error"] . "<br />";exit;//The error code associated with this file upload. } else { echo "Upload: " . $_FILES["formname"]["name"] . "<br />"; echo "Type: " . $_FILES["formname"]["type"] . "<br />"; echo "Size: " . ($_FILES["formname"]["size"] / 1024) . " Kb<br />"; echo "Temp file: " . $_FILES["formname"]["tmp_name"] . "<br />"; if (file_exists($pathtosaveto)) { echo $_FILES["formname"]["name"] . " already exists. "; } else{ if(move_uploaded_file($_FILES["formname"]['tmp_name'], $pathtosaveto)) { echo "The file named '". $file_basename. "' has been uploaded"; } else{ echo "There was an error uploading the file, please try again!";} } } } else { echo "Invalid file type or size."; exit; }
try to use the code tag and see what i've alterd. <?php $filenametouse = $_FILES["formname"]["name"]; $file_basename = substr($filenametouse, 0, strripos($filenametouse, '.')); // strip extention out $file_ext = substr($filenametouse, strripos($filenametouse, '.')); //extension only $createfoldername="/home/accountname/public_html/photos/" . gmdate("my")."/";//stored in photos/0608/ for this months uploads if(!is_dir($createfoldername)) { mkdir($createfoldername, 0777); } $pathtosaveto = $createfoldername . time() . rand(10000000000,99999999999) . $file_ext; if ((($_FILES["formname"]["type"] == "image/tif") || ($_FILES["formname"]["type"] == "image/tiff") || ($_FILES["formname"]["type"] == "image/jpeg") || ($_FILES["formname"]["type"] == "image/pjpeg") || ($_FILES["formname"]["type"] == "image/gif") || ($_FILES["formname"]["type"] == "image/jpg") || ($_FILES["formname"]["type"] == "image/png") || ($_FILES["formname"]["type"] == "image/bmp")) && ($_FILES["formname"]["size"] < 10737418240))//The size, in bytes, of the uploaded file. //allow up to 10mb file upload { if ($_FILES["formname"]["error"] > 0) { echo "Return Code: " . $_FILES["formname"]["error"] . "<br />";exit;//The error code associated with this file upload. } else { echo "Upload: " . $_FILES["formname"]["name"] . "<br />"; echo "Type: " . $_FILES["formname"]["type"] . "<br />"; echo "Size: " . ($_FILES["formname"]["size"] / 1024) . " Kb<br />"; echo "Temp file: " . $_FILES["formname"]["tmp_name"] . "<br />"; if (file_exists($pathtosaveto)) { echo $_FILES["formname"]["name"] . " already exists. "; } else { if (move_uploaded_file($_FILES["formname"]['tmp_name'], $pathtosaveto)) { echo "The file named '" . $file_basename . "' has been uploaded"; } else { echo "There was an error uploading the file, please try again!"; } } } } else { echo "Invalid file type or size."; exit; } ?> Code (markup): try to use pathinfo for extracting extension, and if you are only reading files by php then change the extension to a random number instead of current extension. It's more security proof!!!
For PHP you should use the [ PHP ] tags... <?php $filenametouse = $_FILES["formname"]["name"]; $file_basename = substr($filenametouse, 0, strripos($filenametouse, '.')); // strip extention out $file_ext = substr($filenametouse, strripos($filenametouse, '.')); //extension only $createfoldername="/home/accountname/public_html/photos/" . gmdate("my")."/";//stored in photos/0608/ for this months uploads if(!is_dir($createfoldername)) { mkdir($createfoldername, 0777); } $pathtosaveto = $createfoldername . time() . rand(10000000000,99999999999) . $file_ext; if ((($_FILES["formname"]["type"] == "image/tif") || ($_FILES["formname"]["type"] == "image/tiff") || ($_FILES["formname"]["type"] == "image/jpeg") || ($_FILES["formname"]["type"] == "image/pjpeg") || ($_FILES["formname"]["type"] == "image/gif") || ($_FILES["formname"]["type"] == "image/jpg") || ($_FILES["formname"]["type"] == "image/png") || ($_FILES["formname"]["type"] == "image/bmp")) && ($_FILES["formname"]["size"] < 10737418240))//The size, in bytes, of the uploaded file. //allow up to 10mb file upload { if ($_FILES["formname"]["error"] > 0) { echo "Return Code: " . $_FILES["formname"]["error"] . "<br />";exit;//The error code associated with this file upload. } else { echo "Upload: " . $_FILES["formname"]["name"] . "<br />"; echo "Type: " . $_FILES["formname"]["type"] . "<br />"; echo "Size: " . ($_FILES["formname"]["size"] / 1024) . " Kb<br />"; echo "Temp file: " . $_FILES["formname"]["tmp_name"] . "<br />"; if (file_exists($pathtosaveto)) { echo $_FILES["formname"]["name"] . " already exists. "; } else { if (move_uploaded_file($_FILES["formname"]['tmp_name'], $pathtosaveto)) { echo "The file named '" . $file_basename . "' has been uploaded"; } else { echo "There was an error uploading the file, please try again!"; } } } } else { echo "Invalid file type or size."; exit; } ?> PHP: