Additions to file upload script

hubbardude

I managed to get a file upload script working. I've made sure that files that have the same name don't overwrite each other and I'm capturing some other basic information. Now I want to add a few things:

I want to limit the acceptable file extensions to image formats
I want to restrict the file size. I think there are a few ways to do this. I've already specified max upload size in the form and also changed the setting in php.ini. Is there a better way?
I want to make sure people can't access the file directory if they are on my site and type in the filepath. Is this just a folder security issue?
Are there any other important checks I'm missing?

I'm running windows XP, apache 2.2, php 5, and mysql. Here is the code:

<?
// you can change this to any directory you want
// as long as php can write to it
$uploadDir = 'C:/Apache2.2/htdocs/Devils/docs/';

if(isset($POST['upload']))
{
$fileName = $FILES['userfile']['name'];
$tmpName = $FILES['userfile']['tmp_name'];
$fileSize = $FILES['userfile']['size'];
$fileType = $FILES['userfile']['type'];
$fileTitle = $POST['title'];
$fileDescription = $_POST['description'];

// get the file extension first
$ext      = substr(strrchr($fileName, "."), 1); 

// generate the random file name
$randName = md5(rand() * time());

// and now we have the unique file name for the upload file
$filePath = $uploadDir . $randName . '.' . $ext;

// move the files to the specified directory
// if the upload directory is not writable or

// something else went wrong $result will be false
$result    = move_uploaded_file($tmpName, $filePath);
if (!$result) {
	echo "Error uploading file";
	exit;
}

if(!get_magic_quotes_gpc())
{
    $fileName  = addslashes($fileName);
    $filePath  = addslashes($filePath);
}  

$query = "INSERT INTO images (name, size, type, path, title, description) ".
		 "VALUES ('$fileName', '$fileSize', '$fileType', '$filePath', '$fileTitle', '$fileDescription')";

mysql_query($query) or die('Error, query failed : ' . mysql_error());

echo "<br>File uploaded<br>";
}
?>

woodeye

I'm kind of new to PHP programming, but I've been working on a file transfer site too. So I don't know if this is the best way, but it's what I did.

I set a string to include all the possible extensions that I wanted to receive. Then I did an eregi to check to see if the extension was in the string. I don't have access to my script right now, but here's what I think I did:

$ex = "jpg, png, bmp, tif, gif, eps";   #add all acceptable extensions here

$file_info = pathinfo($file);
$extension = $file_info['extension'];

if (eregi($extension, $ex)){
     #handle file upload here
} else {
    #report wrong file type error here
}

As for the upload limit and security issues, I can't be much help. Sorry. Hopefully someone with more experience will help you out.

One question for you... why are you renaming the file with a random number instead of just setting up a loop that checks the filename, and if it exists, and a number on the end of it. For example, "Filename", "Filename_1", "Filename_2", etc. ? I obviously don't know what you're doing with the files, so maybe I'm just missing something.

Brian

hubbardude

Thanks. If you don't mind sending me your code I think that would help me a lot. For the random file names, I was doing it that way because that's the only way I know how. Your way would make more sense, though. It would make it easier to check for duplicates.