I've got an upload page that allows several features and I've got a few questions.
Firstly, I allow text/html files to be uploaded, but half the time, when trying to upload HTML files, users find they get errors saying that they are trying to upload a text/plain file.
I tried allowing text/plain files to be uploaded, but then PHP files can be uploaded, which isn't something I want!
Has anyone any idea how to stop people uploading PHP files while still being able to upload all .htm/.html files?
Also, I currently allow application/x-javascript files, i.e. .js files, to be uploaded; I'm not sure if this is a security problem. Can anything dangerous (i.e. DB connection tools?) be written in JS?
Finally, I've got a feature that allows users to modify files to limit them to users who are logged in. It works by adding some PHP code to the top of the file and changing its extension so that PHP will execute it.
To make sure people can't upload files like...
test.html
<?
mysql_pconnect ...
?>
and then use that to run their own PHP scripts, I have a function that checks for any <? or ?> tags in their original HTML file, using fgetc, i.e. using $char[] as the array of characters...
$illegal = 0;
// Stop one short of the end: each pass also looks at $char[$i+1].
for ($i = 0; $i < count($char) - 1; $i++) {
    if (($char[$i] == "<") && ($char[$i+1] == "?")) {
        $illegal++;
    }
    elseif (($char[$i] == "?") && ($char[$i+1] == ">")) {
        $illegal++;
    }
} //end for
Can anyone see any problems with security on that count? Could that be circumvented? (Using the < things doesn't work.)
Also, are there any other "tags" that are PHP specific, or are only <? and ?> php specific?
Thanks for any help!
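The check described in the post only looks for a bare "<?". As an added example (not code from the original post, and not an answer in the poster's voice), the script below shows the other syntaxes PHP has historically accepted as an open tag, an extension allowlist that also rejects inner ".php" extensions, and a combined check that ignores the browser-supplied MIME type. The function names and the sample uploads at the bottom are constructed for this example.

```php
<?php
// Added example, not code from the original post. Checks an uploaded HTML
// file before any PHP is prepended to it and before it is renamed to .php.
// Function names and the sample files at the bottom are constructed here.

declare(strict_types=1);

/**
 * Return the first PHP open tag found in $contents, or null if there is none.
 * Every syntax PHP has accepted as an open tag is covered, case-insensitively:
 *   <?php  <?=  <?            (bare "<?" also catches "<?xml" when short_open_tag is on)
 *   <%  <%=                   (ASP-style tags, only live with asp_tags=On, removed in PHP 7)
 *   <script language="php">   (removed in PHP 7)
 * Only open tags matter: a stray "?>" or "%>" with no open tag is plain text,
 * and "%>" would false-positive on legal HTML such as <table width=100%>.
 */
function findPhpOpenTag(string $contents): ?string
{
    $pattern = '/<\?|<%|<script\s+language\s*=\s*["\']?php["\']?\s*>/i';
    return preg_match($pattern, $contents, $m) === 1 ? $m[0] : null;
}

/**
 * Allow only .htm/.html, and only as the final extension. "evil.php.html" is
 * rejected too: with Apache's AddHandler configuration, mod_mime applies a
 * handler to any extension in the name, not just the last one.
 */
function hasAllowedExtension(string $filename): bool
{
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2) {
        return false;
    }
    $last = array_pop($parts);
    if (!in_array($last, ['htm', 'html'], true)) {
        return false;
    }
    foreach ($parts as $inner) {
        if (preg_match('/^ph(p\d?|tml|ar|ps)$/', $inner) === 1) {
            return false;
        }
    }
    return true;
}

/**
 * Combined check. Takes the client-supplied name and the file contents read
 * from $_FILES[...]['tmp_name']; deliberately ignores $_FILES[...]['type'],
 * which is whatever the browser chose to send (hence the text/plain problem).
 * Returns null when the upload is acceptable, otherwise the reason.
 */
function rejectReason(string $clientName, string $contents): ?string
{
    if (!hasAllowedExtension($clientName)) {
        return 'extension not allowed';
    }
    if (($tag = findPhpOpenTag($contents)) !== null) {
        return 'PHP open tag found: ' . $tag;
    }
    return null;
}

// Constructed sample uploads: name => contents.
$samples = [
    'page.html'     => "<html><body><table width=100%><tr><td>hi</td></tr></table></body></html>",
    'test.html'     => "<?\nmysql_pconnect('localhost', 'u', 'p');\n?>\n<html></html>",
    'sneaky.htm'    => "<html><SCRIPT language = 'PHP'>system(\$_GET['c']);</script></html>",
    'asp.html'      => "<html><%= phpinfo() %></html>",
    'evil.php.html' => "<html>plain</html>",
    'feed.html'     => "<?xml version=\"1.0\"?><html></html>",
];

foreach ($samples as $name => $contents) {
    $reason = rejectReason($name, $contents);
    printf("%-14s %s\n", $name, $reason === null ? 'accepted' : 'REJECTED (' . $reason . ')');
}
```

Run the check on the file exactly as the user uploaded it, before the site's own PHP header is prepended and the file is renamed, otherwise the scan trips on the site's own tag. Two caveats: the tag scan only stops PHP from executing on the server, so uploaded HTML and .js that are served from the application's own origin still run in visitors' browsers with that origin's cookies, and an `<?xml` prologue is rejected on purpose because PHP with short_open_tag enabled would try to execute it.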