excluding .php files in this code...

PressureDrop

I am using this upload utility and am also using a directory listing php in the uplaod folder (so there is an index.php in the upload folder that this utility uses).
My problem is this; I want to use this code below but have it not show any .php files in the list (currently it shows the index.php which is in the files folder, thus the index.php could be deleted by the upload utility). Could someone tell me what to edit/add to this code to prevent it from listing/renaming/deleting index.php? (I have the delete all option #'ed out at the moment)

<?php

require("uplConfig.php"); // KEEP THIS HERE!!
include("functions.php");

$type_text = array("txt", "log");
$type_image = array("jpg", "jpeg", "gif", "png", "bmp");

// download a selected file --------------------------------------------------------------------
if (isset($_GET["file2dl"])) {

$filename0 = $_GET["file2dl"]; // single filename
$filename1 = BASEFOLDER . $filename0; // filename with path
$path = pathinfo($filename1);

foreach ($type_text as $single_type) {
	if ($single_type == @$path["extension"]) {
		header ("Content-Type: text/plain");
		$done = 1;
	}
}
if (!isset($done)) {
	foreach ($type_image as $single_type) {
		if ($single_type == @$path["extension"]) {
		header ("Content-Type: image/" . $path["extension"]);
		$done = 1;
		}
	}
}
if (!isset($done)) {
	header ("Content-Type: application/octet-stream"); 
}
header("Content-Disposition: attachment; filename=$filename0"); 
readfile($filename1);
die;
}
// ---------------------------------------------------------------------------------------------
?>

<?php
// case rename of a file is clicked
if (isset($_GET["file2rename"])) {
	print "<br>";
	print "<form action=" . $_SERVER["PHP_SELF"] . " method=\"post\">\n";
	print "rename file from &quot;" . $_GET["file2rename"] . "&quot; to:<br>\n";
	print "<input type=\"text\" name=\"renameFile\" size=\"36\" class=\"form\"><br>\n";
	print "password:<br>\n";
	print "<input type=\"password\" name=\"pwd\" class=\"form\"><br>\n";
	print "<input type=\"hidden\" name=\"origName\" value=\"" . $_GET["file2rename"] . "\">\n";
	print "<input type=\"submit\" name=\"adminRename\" value=\"go!\" class=\"form\">\n";
	print "</form>\n";
	print "<a href=\"JavaScript:window.close();\">close window</a>\n";
	die("</td></tr></table></body></html>");
}
// ---------------------------------------------------------------------------------------------

// rename a file in the list -------------------------------------------------------------------
if (isset($_POST["adminRename"]) && $_POST["adminRename"] == "go!") {
	renFiles($_POST["origName"], $_POST["renameFile"]);
	print "<br><br><a href=\"JavaScript:window.close();\">close window</a>\n";
	die("</td></tr></table></body></html>");
}
// ---------------------------------------------------------------------------------------------

// delete one or more file(s) in the list ------------------------------------------------------
if (isset($_POST["adminSubmit"]) && $_POST["adminSubmit"] == "go!") {
	delFiles($_POST["deleteFile"]);
}
// ---------------------------------------------------------------------------------------------

// show all files of the upload-folder ---------------------------------------------------------
$handle = @opendir(BASEFOLDER);
if ($handle) {
	while ($file = readdir($handle)) {
		if (($file != ".") && ($file != "..")) {
			if (!is_dir(BASEFOLDER . $file)) $filelist[] = $file; // folders are not displayed (yet)
		}
	}
	closedir($handle);
}
if (!empty($filelist)) {
	natcasesort($filelist);
	foreach ($filelist as $singleFile) {
		$f_size = filesize(BASEFOLDER . $singleFile); // size in bytes of file
		$f_size = niceFilesize($f_size); // so it's ok to view... ;)
		$f_atime = date("Y-m-d, H:i:s", fileatime(BASEFOLDER . $singleFile)); // last access/saving of file
		$f_mtime = date("Y-m-d, H:i:s", filemtime(BASEFOLDER . $singleFile)); // last modification of file
		$path = @pathinfo(BASEFOLDER . $singleFile);
		foreach ($type_image as $single_type) {
			if ($single_type == @$path["extension"]) $is_pic = 1;
		}
		if (isset($is_pic)) $pic_prop = getimagesize(BASEFOLDER . $singleFile); // image properties

	$blub[] = $f_mtime."RCSEP".$singleFile."RCSEP".$f_size."RCSEP".$pic_prop[0]."RCSEP".$pic_prop[1];

	clearstatcache();
	unset ($is_pic);
	unset ($pic_prop);
}

if (!isset($_GET["sortby"])) {
	$_GET["sortby"] = "name";
}
if ($_GET["sortby"] == "date") {
	arsort($blub);
}


print "<br>&nbsp;entries sorted by ".$_GET["sortby"].".<p></p>\n";
print "<form action=\"" . $_SERVER["PHP_SELF"] . "?sortby=".$_GET["sortby"]."\" method=\"post\" name=\"upf\">\n";
print "<table><tr><th><b>filename</b></th><th width=\"20\">&nbsp;</th><th width=\"65\"><b>delete file?</b></th>
		<th width=\"20\">&nbsp;</th><th width=\"100\"><b>action</b></th><th width=\"20\">&nbsp;</th><th width=\"300\"><b>additional infos</b></th></tr>\n";
foreach ($blub as $zeile) {
	$all = explode("RCSEP", $zeile);
	print "<tr>\n";
	print "<td><b>$all[1]</b></td>\n";
	print "<td width=\"20\">&nbsp;</td>\n";
	print "<td align=\"center\"><input type=\"checkbox\" name=\"deleteFile[]\" value=\"$all[1]\"></td>\n";
	print "<td width=\"20\">&nbsp;</td>";
	print "<td><a href=\"" . $_SERVER["PHP_SELF"] . "?file2dl=$all[1]\">download</a> - 
			<a href=\"JavaScript:popup('" . $_SERVER["PHP_SELF"] . "?file2rename=" . $all[1] . "', 'rename_file', 'width=300,height=220,resizable=YES,scrollbars=NO,menubar=NO,toolbar=NO,directories=NO,location=NO,status=NO,screenX=0,screenY=0')\">rename</a></td>\n";
	print "<td width=\"20\">&nbsp;</td>";
	print "<td>filesize: $all[2]<br>
				date of upload: $all[0]<br>";
	if (!empty($all[3]) || !empty($all[4])) print "pic-props (width x height): $all[3] x $all[4]<br>";
	print "</td>\n";
	print "</tr>\n";
}
#	print "<tr><td colspan=\"7\"><br><b>delete all?</b> <input type=\"checkbox\" name=\"selectall\" value=\"selectall\" #onClick=\"AllMessages(this.form);\"><br><br></td></tr>\n";
	print "</table>\n";
	print "<br>\n";
	print "to delete selected files enter password:<br>\n";
	print "<input type=\"password\" name=\"pwd\" size=\"34\" class=\"form\"><br>\n";
	print "<input type=\"submit\" name=\"adminSubmit\" value=\"go!\" class=\"form\">\n";
	print "</form>\n";

} else {
	print "<br>there are no files in the upload folder<br>";
}



// ----------------------------------------------------------------------------------------------
?>

PressureDrop

anyone?

superwormy

Use stristr() to check each filename for '.php' string.

For the record though, that won't stop a malicious user from deleting files, and in general, allowing people to rename and delete files over the web is not a very secure idea.

What happens if the filename they enter is '/etc/passwd' or something like that? Suddenly the password file for the unix system entirely dissappears...