PHP upload

shyuanlon

web upload usually required alot of securty concerns, juz want to make sure my codes is not vulnerable ..

$fail ="";
if($HTTP_POST_FILES['userfile'] !=""){

$Array_Type_Image = Array("image/gif", "image/jpeg", "image/pjpeg", "image/x-png");

	if (In_Array($HTTP_POST_FILES["userfile"]["type"], $Array_Type_Image) ) {

	  	if($HTTP_POST_FILES["userfile"]['size'] <30000){
			$upload_dir = "news/";
			$uploadfile = $upload_dir.basename('content_1.gif');

	 	 	if(@copy($HTTP_POST_FILES["userfile"]['tmp_name'], $uploadfile)) {
			  $fail= "File is valid, and was successfully uploaded.\n";
			} else {
			 $fail= "File Update Fail!\n";
			}
		}else{
			$fail ="File Size Limited!";
		} 
	} else {
   		$fail = "Only Accept Images Files Thank You";
	}


}

thank you

planetsim

if($HTTP_POST_FILES['userfile'] !=""){

Not really a concern however you should be looking to make sure the file input is set as well as the upload value empty.

I also think you should use the error value that also comes with the File Upload use that as it will help quite a lot when a file cannot be uploaded.

Im not much of a [man]copy[/man] fan so id recommend using [man]move_uploaded_file[/man] its much better to use especially when safe_mode is on and a few other configuration options that will not work when using [man]copy[/man]

Lastly maybe making sure the filesize isnt 0 I think theres something on that in the error value of the file upload not sure.

Weedpacket

You're also trusting that the client sending the file is being honest about the file's MIME type (and, incidentally, you'll miss all those that use the correct "image/png" type for PNG images). An easy way to limit uploaded files to image types is to use [man]getimagesize[/man]. Because that has to examine the content of the uploaded file to determine the size of the image, it also has to determine the type of image file as well, so you get that information for free. It saves on having to learn the magic numbers for different file formats yourself.