My file upload script below works very nicely. It uploads a pic and then automatically posts AND resizes the pic onto my webpage. It also displays a default pic if there is none uploaded. I added 2 lines
$uploadfilename = ereg_replace(" ","",$uploadfilename);
$uploadfile = ereg_replace(" ","",$uploadfile);
to fix files that have a space in their name so they will upload correctly. But now I need to change the code so that I can filter out bad characters for security reasons (i.e. If someone uploads a filename "?php `bah php?" or "../filename" it could do some bad stuff). Specifically I want slashes/and backslashes taken out as well as double periods (..) or all periods. I tried to change my ereg_replace lines to 3 different things but none worked. Does anyone know how I can fix this? Also, will I have any security holes after I get this to work?
FIRST
$uploadfilename = ereg_replace(" <>?","",$uploadfilename);
SECOND
I also tried:
$crap = array("..", "`", ";", "/", "<", ">", "?",);
$uploadfilename = str_replace($crap, "", $uploadfilename);
$uploadfile = str_replace($crap, "", $uploadfile);
THIRD
$uploadfile = ereg_replace(" ","",$uploadfile);
$uploadfile = ereg_replace("`","",$uploadfile);
$uploadfile = ereg_replace("<","",$uploadfile);
$uploadfile = ereg_replace(">","",$uploadfile);
etc
<?php
$today = date("M d, Y");
$name=htmlspecialchars(stripslashes($name));
$age=htmlspecialchars(stripslashes($age));
$from=htmlspecialchars(stripslashes($from));
$email=htmlspecialchars(stripslashes($email));
$game=htmlspecialchars(stripslashes($game));
$player=htmlspecialchars(stripslashes($player));
$since=htmlspecialchars(stripslashes($since));
$limits=htmlspecialchars(stripslashes($limits));
$occupation=htmlspecialchars(stripslashes($occupation));
$book=htmlspecialchars(stripslashes($book));
$favsite=htmlspecialchars(stripslashes($favsite));
$screenname=htmlspecialchars(stripslashes($screenname));
$interests=htmlspecialchars(stripslashes($interests));
$accomplishments=htmlspecialchars(stripslashes($accomplishments));
$story=htmlspecialchars(stripslashes($story));
// change to the directory you want files to be uploaded to
$uploaddir = "/www/k/kkiely/htdocs/profilesma2/";
$uploadfilename = $_FILES['userfile']['name']; // the upload superglobal is $_FILES, not $FILES
$mogrify = "/usr/local/bin/mogrify"; // Path to Imagemagick "mogrify"
$uploadfilename = ereg_replace(" ","",$uploadfilename);
$uploadfile = $uploaddir . $_FILES['userfile']['name']; // full path the file will be saved to
$uploadfile = ereg_replace(" ","",$uploadfile);
// Type of image extensions allowed
// 1= ON, 0 = OFF
$exten=' .jpg .gif .png .bmp .JPG .JPEG .BMP';
$extlimit = "yes"; //Do you want to limit the extensions of files uploaded
$limitedext = array(".gif",".jpg",".png",".jpeg",".GIF",".JPG",".JPEG",".BMP",""); //Extensions files uploaded limited to.
$ext = strrchr($uploadfilename,'.');
if (($extlimit == "yes") && (!in_array($ext,$limitedext))) {
die("<b>The file you are uploading doesn't have the correct extension so only your text was uploaded.</b><br>Click here to return to the Massachusetts profiles page<br><a href=http://www.mypage.com/profilesma2.php>http://www.mypage.com/profilesma2.php</a>");
}
// If there is no pic uploaded then set a default pic
if ($_FILES['userfile']['type'] == "") {
$uploadfilename = "default.GIF";
$uploadfile = "default.GIF";
}
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
exec("$mogrify -geometry 121x122 $uploadfile");
print "<b>Your picture and text was successfully uploaded.<br>Click here to return to the Massachusetts profiles page</b><br><a href=http://www.mypage.com/profilesma2.php>http://www.mypage.com/profilesma2.php</a>";
} else {
print "<b>Your profile was created without an image.</b><br>Click here to return to the Massachusetts profiles page<br><a href=http://www.mypage.com/profilesma2.php>http://www.mypage.com/profilesma2.php</a>";
}
print "</pre>";
$hFile = fopen( "textprofilesma2.htm", "a+" );
fwrite( $hFile, "
<table width=708 cellpadding=0 cellspacing=0>
<tbody>
<tr>
<td width=14><img src=\"/tab.jpg\"></td>
<td width=208 align=center bgcolor=a0c0a0><font color=006000 size=3><b>$name</b></font></td>
<td width=14><img src=\"/tab2.jpg\"></td>
<td width=14><img src=\"/tab.jpg\"></td>
<td width=208 align=center bgcolor=a0c0a0><font color=006000><b>$from</b></font></td>
<td width=14><img src=\"/tab2.jpg\"></td>
<td width=14><img src=\"/tab.jpg\"></td>
<td width=208 align=center bgcolor=a0c0a0><font color=006000><b>Age: $age</b></font></td>
<td width=14><img src=\"/tab2.jpg\"></td>
</tr>
<tr bgcolor=eaeaea><td colspan=9><br></td></tr>
<tr bgcolor=eaeaea><td colspan=9>
<table width=688 align=center cellpadding=0 cellspacing=0><tbody>
<tr>
<td class=category30 valign=top width=10%><img src=\"profilesma2/$uploadfilename\" align=left>
</td>
<td class=category30 valign=top width=30%>
<b> Name:</b> $name<br>
<b> Email/nick:</b> $email<br>
<b> Favorite Game:</b> $game<br>
<b> Favorite Player:</b> $player<br>
<b> Playing poker since:</b> $since<br>
<b> Limits:</b> $limits<br>
<b> Occupation:</b> $occupation<br>
</td>
<td class=category30 valign=top width=36%>
<b>Poker Book:</b> $book<br>
<b>Favorite PokerSite:</b> $favsite<br>
<b>Screen names:</b> $screenname<br>
<b>Interests:</b> $interests<br>
</td></tr>
<tr bgcolor=eaeaea><td class=category30 colspan=3><b>Poker Accomplishments:</b> $accomplishments</td></tr>
<tr bgcolor=eaeaea><td class=category30 colspan=3><b>Your Poker Story:</b> $story</td></tr>
</tbody></table>
</td></tr>
<tr bgcolor=eaeaea><td colspan=9><br></td></tr>
</tbody></table><br>
" );
fclose( $hFile );
$hFile2 = fopen( "textprofilesall.htm", "a+" );
fwrite( $hFile2, "$today - Massachusetts<br>
<table width=708 cellpadding=0 cellspacing=0>
<tbody>
<tr>
<td width=14><img src=\"/tab.jpg\"></td>
<td width=208 align=center bgcolor=a0c0a0><font color=006000 size=2><b>$name</b></font></td>
<td width=14><img src=\"/tab2.jpg\"></td>
<td width=14><img src=\"/tab.jpg\"></td>
<td width=208 align=center bgcolor=a0c0a0><font color=006000><b>$from</b></font></td>
<td width=14><img src=\"/tab2.jpg\"></td>
<td width=14><img src=\"/tab.jpg\"></td>
<td width=208 align=center bgcolor=a0c0a0><font color=006000><b>Age: $age</b></font></td>
<td width=14><img src=\"/tab2.jpg\"></td>
</tr>
<tr bgcolor=eaeaea><td colspan=9><br></td></tr>
<tr bgcolor=eaeaea><td colspan=9>
<table width=688 align=center cellpadding=0 cellspacing=0><tbody>
<tr>
<td class=category30 valign=top width=10%><img src=\"profilesma2/$uploadfilename\" align=left>
</td>
<td class=category30 valign=top width=30%>
<b> Name:</b> $name<br>
<b> Email/nick:</b> $email<br>
<b> Favorite Game:</b> $game<br>
<b> Favorite Player:</b> $player<br>
<b> Playing poker since:</b> $since<br>
<b> Limits:</b> $limits<br>
<b> Occupation:</b> $occupation<br>
</td>
<td class=category30 valign=top width=36%>
<b>Poker Book:</b> $book<br>
<b>Favorite PokerSite:</b> $favsite<br>
<b>Screen names:</b> $screenname<br>
<b>Interests:</b> $interests<br>
</td></tr>
<tr bgcolor=eaeaea><td class=category30 colspan=3><b>Poker Accomplishments:</b> $accomplishments</td></tr>
<tr bgcolor=eaeaea><td class=category30 colspan=3><b>Your Poker Story:</b> $story</td></tr>
</tbody></table>
</td></tr>
<tr bgcolor=eaeaea><td colspan=9><br></td></tr>
</tbody></table><br>
" );
fclose( $hFile2 );
?>
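As an added example, not the poster's script, here is one way to do the filtering the post asks for and to close the holes around it at the same time: basename() plus a character whitelist for the name, a case-insensitive extension check, getimagesize() instead of the browser-supplied type, and escapeshellarg() around the path handed to mogrify. The function names safe_upload_name and allowed_image are made up here; the directory and mogrify paths are the ones from the post.

```php
<?php
// Added example (not the poster's script): build a safe filename and a
// safe mogrify command for an uploaded profile picture. Function names
// are made up here; the directory and mogrify paths come from the post.

function safe_upload_name($clientname) {
    // basename() discards any directory part, including "../" prefixes
    $name = basename($clientname);
    // keep only a conservative character set: spaces, slashes, backticks,
    // semicolons, "<", ">", "?" and every other metacharacter are dropped
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name);
    // collapse runs of dots so ".." can never survive
    $name = preg_replace('/\.{2,}/', '.', $name);
    // no leading dot: no hidden files such as ".htaccess"
    return ltrim($name, '.');
}

function allowed_image($name) {
    // compare the extension case-insensitively against a whitelist
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, array('jpg', 'jpeg', 'gif', 'png', 'bmp'), true);
}

$uploaddir = "/www/k/kkiely/htdocs/profilesma2/";
$mogrify   = "/usr/local/bin/mogrify";

if (!empty($_FILES['userfile']['tmp_name'])) {
    $uploadfilename = safe_upload_name($_FILES['userfile']['name']);
    if ($uploadfilename === '' || !allowed_image($uploadfilename)) {
        die("<b>The file you are uploading doesn't have the correct extension.</b>");
    }
    // $_FILES[...]['type'] is sent by the browser and cannot be trusted;
    // getimagesize() inspects the bytes that were actually uploaded
    if (getimagesize($_FILES['userfile']['tmp_name']) === false) {
        die("<b>The uploaded file is not an image.</b>");
    }
    $uploadfile = $uploaddir . $uploadfilename;
    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
        // escapeshellarg() quotes the path so the filename can never add
        // extra shell commands to the mogrify call
        exec($mogrify . ' -geometry 121x122 ' . escapeshellarg($uploadfile));
    }
} else {
    $uploadfilename = "default.GIF";
}
// escape the name like the other fields before writing it into the HTML
$uploadfilename = htmlspecialchars($uploadfilename);
?>
```

With this in place the separate ereg_replace/str_replace lines are no longer needed, because anything outside the whitelist is removed in one step and the path passed to exec is quoted regardless of what remains.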