Thread: Filtering

  1. #1
    Regular Coder LearningCoder's Avatar
    Join Date
    Jan 2011
    Location
    The Pleiades
    Posts
    924
    Thanks
    76
    Thanked 29 Times in 29 Posts

    Filtering

    Just wondering what the best sanitizing filter would be to use when dealing with file uploads?

    Reading my book it tells me to always filter the filenames.

    I'm on the php manual and reading the sanitize filters but I am undecided on which one to use.

    http://www.php.net/manual/en/filter....s.sanitize.php

    Can anyone give any advice?

    Regards,

    LC.

  • #2
    Senior Coder
    Join Date
    Apr 2011
    Location
    London, England
    Posts
    2,120
    Thanks
    15
    Thanked 354 Times in 353 Posts
    I'm not sure that any of those filters are suitable (on their own) for file uploads.

    I like this code:

    PHP Code:
    //Check for valid upload
    if($_FILES['image']['error'] != UPLOAD_ERR_OK) {
        echo 'Upload file error';
        return;
    }

    //Check that the file really came through PHP's upload mechanism
    if(!is_uploaded_file($_FILES['image']['tmp_name'])) {
        echo 'Invalid request';
        return;
    }

    //Sanitize the filename (See note below)
    $remove_these = array(' ','`','"','\'','\\','/');
    $newname = str_replace($remove_these, '', $_FILES['image']['name']);

    //Make the filename unique
    $newname = time().'-'.$newname;

    //Save the uploaded file to another location
    $upload_path = "/home/mysite/public_html/uploads/$newname";
    move_uploaded_file($_FILES['image']['tmp_name'], $upload_path);
    found at phpsense. It's a few years old though (2007) but it's a good page.
    "I'm here to save your life. But if I'm going to do that, I'll need total uninanonynymity." Me Myself & Irene.
    Validate your HTML and CSS
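    An added example (not from the thread or from phpsense) of the naming step done the other way round: instead of stripping a list of characters out of the client's filename, the client name is consulted only for its extension, which must be on an allowlist, and the stored name is generated on the server. The form field name "fileupload", the extension list and the upload directory are assumptions.

```php
<?php
// Added example: build a safe destination name for an upload instead of
// trying to remove "bad" characters from the client-supplied name.

function safe_upload_name(string $clientName, array $allowedExtensions): ?string
{
    // basename() drops any directory part ("../../etc/passwd" -> "passwd").
    $base = basename($clientName);
    // Only the last extension counts: "evil.php.dem" -> "dem"; no extension -> "".
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedExtensions, true)) {
        return null;                       // reject rather than "repair"
    }
    // 16 random bytes -> 32 hex characters: nothing from the client survives,
    // and an existing upload cannot be overwritten by choosing the same name.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function store_upload(array $file, string $uploadDir, array $allowedExtensions): ?string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;                       // PHP reported an upload problem
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;                       // not a file PHP received via POST
    }
    $name = safe_upload_name($file['name'], $allowedExtensions);
    if ($name === null) {
        return null;                       // extension not allowed
    }
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed names to show the rule (no real upload involved):
$examples = ['report.dem', '../../etc/passwd', 'evil.php.dem', 'noext', 'x.DEM'];
foreach ($examples as $n) {
    $r = safe_upload_name($n, ['dem']);
    printf("%-20s => %s\n", $n, $r ?? 'rejected');
}

// Real use, with an assumed field name and an assumed directory that is
// outside the web root so stored files are never executed by the web server:
// $saved = store_upload($_FILES['fileupload'] ?? [], '/home/mysite/uploads', ['dem']);
```

    Keeping the upload directory outside public_html (the phpsense snippet writes into it) means a file that slips through the extension check is still only data on disk, not a page the web server will run.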

  • #3
    Regular Coder LearningCoder's Avatar
    Join Date
    Jan 2011
    Location
    The Pleiades
    Posts
    924
    Thanks
    76
    Thanked 29 Times in 29 Posts
    Thank you very much. I prefer the code you have to mine. Mine is relying heavily on if statements. Here is what I have so far:
    PHP Code:
    <?php

    //DEFINE FUNCTION TO DEAL WITH EXISTING FILE NAMES IN TARGET DIRECTORY. ADDS DIGITS TO END OF FILENAME. RETURNS AMENDED FILENAME.
    function editName($data){
        $info = pathinfo($data);//retrieves info on the file path.
        $data = basename($data,'.'.$info['extension']);//returns just the filename - without extension.
        $data .= rand(10,99);//concatenates a random 2 digit number onto the end of the file name.
        $data = $data.'.'.$info['extension'];//concatenates the extension of the file back onto the new filename.
        return $data;//returns the new filename.
    }

    //DEFINE ERROR ARRAY.
    $all_errors = array();
    $all_errors[0] = "<strong>Couldn't move file.</strong>";
    $all_errors[1] = "<strong>Corrupt file name.</strong>";
    $all_errors[2] = "<strong>There was an error uploading the file.</strong>";
    $all_errors[3] = "<strong>No file found.</strong>";
    $all_errors[4] = "<strong>Wrong file type. You can only upload .dem files (Gaming demo files).</strong>";
    $all_errors[5] = "<strong>File size too large. You can only upload demos which are 10mb or less.</strong>";
    $all_errors[6] = "<strong>There was an error with the server.</strong>";
    $all_errors[7] = "<strong>Could not move the uploaded file.</strong>";

    $MAX_FILE_SIZE = $_POST['MAX_FILE_SIZE'];//grabs the max_file_size value specified in the HTML form.
    $file_dir = "files";//holds the target directory for the given file.
    $error = $_FILES['fileupload']['error'];//holds error value.
    $dot = substr_count($_FILES['fileupload']['name'],".");//counts how many fullstops within the filename.
    $ext = pathinfo($_FILES['fileupload']['name']);//returns array of information regarding file.
    $ext = $ext['extension'];//holds just extension of file.
    $db_ok = FALSE;//only becomes TRUE once the file has been moved successfully.

    if($_SERVER['REQUEST_METHOD'] == "POST"){

        if($error == 0){

            if(is_uploaded_file($_FILES['fileupload']['tmp_name'])){

                foreach($_FILES as $file_name => $file_array){
                    echo $file_array['tmp_name']."<br />\n";
                    echo $file_array['name']."<br />\n";
                    echo $file_array['type']."<br />\n";
                    echo $file_array['size']."<br />\n";
                }

                $name = $file_array['name'];//name to save under; changed below if it already exists.
                if(file_exists($file_dir."/".$name)){
                    $name = editName($name);
                    echo "{$name}<br />";
                }

                if($dot == 1){

                    if($ext == "dem" and $file_array['type'] == "application/octet-stream"){
                        echo "<strong>type and extension ok...</strong><br />";

                        if($file_array['size'] <= $MAX_FILE_SIZE){
                            echo "<strong>file size ok...</strong><br />";

                            if(move_uploaded_file($file_array['tmp_name'], $file_dir."/".$name)){
                                //insert info to database...
                                echo "<strong>inserting data into database...</strong>";
                                $db_ok = TRUE;
                            }
                            else{
                                echo "{$all_errors[7]}";
                            }
                        }
                        else{
                            echo "{$all_errors[5]}";
                        }
                    }
                    else{
                        echo "{$all_errors[4]}";
                    }
                }
                else{
                    echo "{$all_errors[1]}";
                }
            }
            else{
                echo "{$all_errors[0]}";
            }
        }
        else{
            echo "{$all_errors[2]}";
        }
    }
    else{
        echo "{$all_errors[6]}";
    }

    if($db_ok){
        require("connect.php");
    }

    ?>
    Would it be better to put most of that code in a series of if..else statements?

    Kind regards,

    LC.
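    As an added example (not the poster's code), the nested if/else chain above rewritten as a validator that returns the index of the first failing check, using the same $all_errors indexes. Two things are deliberately different from the original logic: the size limit is a server-side constant, because the MAX_FILE_SIZE hidden field is just another POST value the client can set, and the browser-supplied $_FILES[...]['type'] is not consulted, because the client sets that too. The field name "fileupload" and the "files" directory are taken from the post; the random stored name is an assumption.

```php
<?php
// Added example: flat validation with early returns instead of nested ifs.

const MAX_DEMO_BYTES = 10 * 1024 * 1024;   // "10mb or less", enforced server-side

$all_errors = [
    0 => "<strong>Couldn't move file.</strong>",
    1 => "<strong>Corrupt file name.</strong>",
    2 => "<strong>There was an error uploading the file.</strong>",
    3 => "<strong>No file found.</strong>",
    4 => "<strong>Wrong file type. You can only upload .dem files (Gaming demo files).</strong>",
    5 => "<strong>File size too large. You can only upload demos which are 10mb or less.</strong>",
    6 => "<strong>There was an error with the server.</strong>",
    7 => "<strong>Could not move the uploaded file.</strong>",
];

/**
 * Returns null when the upload passes every check, otherwise the $all_errors
 * index of the first check that failed. Each check is one early return.
 */
function validate_demo_upload(?array $file): ?int
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 6;                                  // not a form submission
    }
    if ($file === null || !isset($file['error'])) {
        return 3;                                  // no file field at all
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 2;                                  // PHP reported an upload error
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 0;                                  // not a genuine upload
    }
    $name = basename($file['name']);
    if (substr_count($name, '.') !== 1) {
        return 1;                                  // "corrupt" name: no dot or several
    }
    if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'dem') {
        return 4;                                  // wrong extension
    }
    // filesize() on tmp_name is what actually arrived; never compare against
    // $_POST['MAX_FILE_SIZE'], which the client controls.
    if (filesize($file['tmp_name']) > MAX_DEMO_BYTES) {
        return 5;
    }
    return null;
}

/** Runs the checks, moves the file under a server-chosen name, returns the message to show. */
function handle_demo_upload(array $all_errors, string $fileDir = 'files'): string
{
    $file  = $_FILES['fileupload'] ?? null;
    $error = validate_demo_upload($file);
    if ($error !== null) {
        return $all_errors[$error];
    }
    // Random stem plus the already-checked extension: no client-supplied
    // filename ever reaches the filesystem, so editName() is not needed.
    $dest = $fileDir . '/' . bin2hex(random_bytes(8)) . '.dem';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return $all_errors[7];
    }
    return "<strong>inserting data into database...</strong>";   // the $db_ok branch
}

echo handle_demo_upload($all_errors);
```

    The extension check is still only a check on the name; the later replies in this thread cover looking at the file's contents, which is the check that actually tells you what was uploaded.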

  • #4
    Senior Coder
    Join Date
    Sep 2010
    Posts
    2,183
    Thanks
    15
    Thanked 253 Times in 253 Posts
    Don't depend upon filenames alone as a filter. Use something that can read the file header to check the actual filetype. Those are the best filters.

  • #5
    Regular Coder LearningCoder's Avatar
    Join Date
    Jan 2011
    Location
    The Pleiades
    Posts
    924
    Thanks
    76
    Thanked 29 Times in 29 Posts
    How would I go about doing the above? Header information is sent before any html/output, so would I have to read the file contents upon execution of the action script/form submission?

    Kind regards,

    LC.
    Last edited by LearningCoder; 08-12-2012 at 11:28 AM. Reason: added text.

  • #6
    Senior Coder
    Join Date
    Sep 2010
    Posts
    2,183
    Thanks
    15
    Thanked 253 Times in 253 Posts
    Quote Originally Posted by LearningCoder
    How would I go about doing the above? Header information is sent before any html/output, so would I have to read the file contents upon execution of the action script/form submission?

    Kind regards,
    LC.
    You can't read it before the form submits but you can read it while it is a $_FILE['tmp_name'] so you don't have to save it or move it.

  • #7
    Senior Coder Dormilich's Avatar
    Join Date
    Jan 2010
    Location
    Behind the Wall
    Posts
    3,389
    Thanks
    13
    Thanked 353 Times in 349 Posts
    PHP offers several functions/classes to get information about files:
    - fileinfo functions
    - filesystem functions
    - SPL File Handling
    The computer is always right. The computer is always right. The computer is always right. Take it from someone who has programmed for over ten years: not once has the computational mechanism of the machine malfunctioned.
    André Behrens, NY Times Software Developer
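    An added example (not from any poster in the thread) of the approach in #4, #6 and #7: read the temporary file PHP has already received, before anything is moved, and decide from its contents rather than its name. It uses two independent checks, the fileinfo extension (finfo_open / finfo_file, from the fileinfo functions listed above) and a small table of well-known leading bytes read with the filesystem functions. The signatures for PNG, JPEG, GIF and PDF are standard; the sample bytes at the bottom are constructed for the demonstration. For a format libmagic does not recognise, such as the .dem files in this thread, finfo reports application/octet-stream, and you would add that format's own signature to the table (its value is not given here).

```php
<?php
// Added example: decide what an upload is from its contents, not its name.

// Leading bytes of a few common formats (well-known signatures).
const MAGIC = [
    'image/png'       => "\x89PNG\r\n\x1a\n",
    'image/jpeg'      => "\xFF\xD8\xFF",
    'image/gif'       => "GIF8",
    'application/pdf' => "%PDF-",
];

/** Returns the MIME type whose signature matches the file's first bytes, or null. */
function sniff_magic(string $path): ?string
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = fread($fh, 16);              // longest signature above is 8 bytes
    fclose($fh);
    foreach (MAGIC as $mime => $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            return $mime;
        }
    }
    return null;
}

/** Asks the fileinfo extension, which inspects the content, not the filename. */
function finfo_type(string $path): ?string
{
    $f = finfo_open(FILEINFO_MIME_TYPE);
    $t = finfo_file($f, $path);
    finfo_close($f);
    return $t === false ? null : $t;
}

/** True only when both detections agree and the type is on the allowlist. */
function upload_content_allowed(string $tmpPath, array $allowedMime): bool
{
    $byMagic = sniff_magic($tmpPath);
    $byFinfo = finfo_type($tmpPath);
    return $byMagic !== null
        && $byMagic === $byFinfo
        && in_array($byMagic, $allowedMime, true);
}

// Constructed sample contents for an offline run (not real uploads):
$samples = [
    'png header'        => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32),
    'gif header'        => "GIF89a" . str_repeat("\0", 32),
    'php code as .png'  => "<?php echo 'hello'; ?>",   // name would say image, bytes say script
];
foreach ($samples as $label => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    printf("%-18s magic=%-16s finfo=%-20s allowed=%s\n", $label,
        sniff_magic($tmp) ?? 'none', finfo_type($tmp) ?? 'none',
        upload_content_allowed($tmp, ['image/png', 'image/gif']) ? 'yes' : 'no');
    unlink($tmp);
}

// In the upload handler the same call runs on the temporary file, exactly as
// #6 describes, before move_uploaded_file() (field name assumed):
// if (!upload_content_allowed($_FILES['fileupload']['tmp_name'], ['image/png'])) { /* reject */ }
```

    Requiring the two detections to agree is a deliberate choice: a signature check alone is easy to satisfy by prepending a few bytes, and libmagic alone can be confused by polyglot files, so a file that one method accepts and the other does not is treated as not allowed.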

