I just need a simple PHP upload script that will allow users to upload files of one specific extension. I found this tutorial here: http://www.zymic.com/tutorials/php/creating-a-file-upload-form-with-php/ This is perfect, but the only problem is the script won't allow users to upload files with a period before the extension, e.g., 'Test.test.png'. Here's my PHP code:

```php
<?php
// Configuration - Your Options
$allowed_filetypes = array('.png'); // These will be the types of file that will pass the validation.
$max_filesize = 2000000; // Maximum filesize in BYTES (currently 0.5MB).
$upload_path = './files/'; // The place the files will be uploaded to (currently a 'files' directory).

$filename = $_FILES['userfile']['name']; // Get the name of the file (including file extension).
$ext = substr($filename, strpos($filename,'.'), strlen($filename)-1); // Get the extension from the filename.

// Check if the filetype is allowed, if not DIE and inform the user.
if(!in_array($ext,$allowed_filetypes))
    die('The file you attempted to upload is not allowed.');

// Now check the filesize, if it is too large then DIE and inform the user.
if(filesize($_FILES['userfile']['tmp_name']) > $max_filesize)
    die('The file you attempted to upload is too large.');

// Check if we can upload to the specified path, if not DIE and inform the user.
if(!is_writable($upload_path))
    die('You cannot upload to the specified directory, please CHMOD it to 777.');

// Upload the file to your specified path.
if(move_uploaded_file($_FILES['userfile']['tmp_name'],$upload_path . $filename))
    echo 'Your file upload was successful, view the file <a href="' . $upload_path . $filename . '" title="Your File">here</a>'; // It worked.
else
    echo 'There was an error during the file upload. Please try again.'; // It failed :(.
?>
```

Does anyone know how to fix this? I'll give reputation in return for help.
strpos($filename,'.') searches for the first occurrence of a period in a filename. So everything after the first period will be considered as the extension. Replace it with strrpos($filename,'.') to find the position of the last occurrence of a period. Also, for security reasons, you may wish to check that the filename does not contain slashes and double periods. Otherwise, users will be able to specify some relative path (../../some.png) and upload files into any directory of your web server.
Oh okay. Fixed. THANK YOU so much. Repped. I don't know how I'd go about running a security check for checking files containing slashes and periods. I searched Google, but I couldn't find anything specific to your suggestion. Would you be able to help me out? I have the upload script and files folder inside their own folder inside public_html on my web-server. Could you tell me how I'd go about using this script to upload files to another folder on my web-server?
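```php
// Compare with false: strpos() returns 0 (falsy) for a match at position 0.
if(strpos($filename,'..') !== false || strpos($filename,'/') !== false)
    die('The file you attempted to upload is not allowed.');
```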
Should I just make a new line for that check or replace it with:

```php
if(!in_array($ext,$allowed_filetypes))
    die('The file you attempted to upload is not allowed.');
```
The code you have specified checks for allowed extensions. So you need to add a new check or combine those two checks:

```php
// Compare with false: strpos() returns 0 (falsy) for a match at position 0.
if(strpos($filename,'..') !== false || strpos($filename,'/') !== false || (!in_array($ext,$allowed_filetypes)))
    die('The file you attempted to upload is not allowed.');
```
Okay, thanks! I figured that out after looking at the code a little more. I decided to make a new line so I can be more specific with the error message.

```php
// Check for files that contain slashes and double periods, if so DIE and inform the user.
// strpos() returns 0 (falsy) for a match at position 0, so compare with false.
if(strpos($filename,'..') !== false || strpos($filename,'/') !== false)
    die('Filenames with slashes and double periods are not allowed.');
```

I was also wondering if there is a way I can stop anything from happening if the 'Upload' button is clicked without a file selected. Is that possible?
Yes, you can use JavaScript for this. Something like this:

```javascript
uploadform.onsubmit = function () {
    if (uploadform.fileName.value == '') {
        alert("Please select a file.");
        uploadform.fileName.focus();
        return false;
    }
}
```
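The checks discussed in this thread, collected server-side as an added example that is not code from any of the posts: last-period extension matching, strict strpos() comparisons, and a "no file selected" check that does not depend on JavaScript. The function names are hypothetical, and the backslash/NUL checks and the server-generated storage name are assumptions that go beyond what the thread covers.

```php
<?php
// Added example: hypothetical helpers, not code from the thread.
function check_upload_name(string $name, array $allowed = ['.png']): string
{
    // strpos() returns 0 for a match at the start of the string and 0 is
    // falsy, so every result is compared against false explicitly.
    foreach (['..', '/', '\\', "\0"] as $bad) {
        if (strpos($name, $bad) !== false) {
            throw new InvalidArgumentException('Path characters in filename.');
        }
    }
    // strrpos() finds the LAST period, so 'Test.test.png' yields '.png'.
    $dot = strrpos($name, '.');
    if ($dot === false || $dot === 0) {
        throw new InvalidArgumentException('No usable extension.');
    }
    $ext = strtolower(substr($name, $dot));
    if (!in_array($ext, $allowed, true)) {
        throw new InvalidArgumentException('Extension not allowed.');
    }
    return $ext;
}

// In the upload script: handle_upload($_FILES['userfile'], './files/');
function handle_upload(array $file, string $dir, int $maxBytes = 2000000): string
{
    // UPLOAD_ERR_NO_FILE: the form was submitted with no file selected.
    if ($file['error'] === UPLOAD_ERR_NO_FILE) {
        throw new RuntimeException('Please select a file.');
    }
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > $maxBytes) {
        throw new RuntimeException('Upload failed or file too large.');
    }
    $ext = check_upload_name($file['name']);
    // Store under a server-generated name so the client never picks the path.
    $target = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the upload.');
    }
    return $target;
}

// Constructed sample names; '/x.png' is the case a bare strpos() check misses.
foreach (['Test.test.png', '../../some.png', '/x.png', 'notes.txt'] as $n) {
    try {
        echo $n, ' => ', check_upload_name($n), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $n, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```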
Check the code here: http://webmasterpals.com/showthread.php?t=1753 It has some good implementation for uploads.