I am building an application where users can create folders and upload files. Of course, I need to validate the POST-Values so that a user cannot delete/overwrite files they aren't allowed to. What I am doing at the moment: When a file gets uploaded, I add a suffix to the file name, so "image.jpg" becomes "image.jpg-foo". The file paths are checked for "../" and "..\".
My question is: is this method secure enough, or is a user still able to get to another dir with another command? I don't want to change the file names to random characters as I don't wanna use a Database (the script has to be as small as possible).
My functions for the file path look like this (I user BetterFoldername for all user inputs) :
function endswith($string, $test) {
$strlen = strlen($string);
$testlen = strlen($test);
if ($testlen > $strlen)
return false;
return substr_compare($string, $test, $strlen - $testlen, $testlen) === 0;
}
function BetterFoldername($name) {
$name = str_replace("../","",$name);
$name = str_replace("..\\","",$name);
$name = str_replace("//","/",$name);
$name = str_replace("\\\\","\\",$name);
if(endswith($name, "/") || endswith($name, "\\")) {
$name = substr($name, 0, -1);
}
if (preg_match("/[^\sA-Za-z0-9_.\/\-]/", $name)) {
exit("An error occured!");
}
return $name;
}
Related
I am using the edsdk/flmngr library for a personal php/laravel project. However, I want to add the following constraint:
When a user is uploading a file into the gallery from the CMS, the file name should be cleared of all symbols and weird characters as well as empty spaces. By default I know that it removes some of the symbols, but it definetely does not remove spaces.
e.g. Top Three Countries To Study.jpg
should be renamed to TopThreeCountriesToStudy.jpg but it does not.
Any hints on which files to change or how to accomplish this is much appreciated.
I tried editing the fixFileName method in the Utils.php class so that the name that end up being used has no spaces, but for some reason it does not seem to work.
public static function fixFileName($name) {
$newName = '';
for ($i = 0; $i < strlen($name); $i++) {
$ch = substr($name, $i, 1);
if (strpos(Utils::PROHIBITED_SYMBOLS, $ch) !== FALSE) {
$ch = '_';
}
$newName = $newName . $ch;
$newName = Str::replace(" ", "", $newName); //THIS IS THE LINE I ADDED
}
return $newName;
}
Is there a function built into PHP that acts like file_exists, but given file contents instead of the file name?
I need this because I have a site where people can upload an image. The image is stored in a file with a name determined by my program (image_0.png image_1.png image_2.png image_3.png image_4.png ...). I do not want my site to have multiple images with the same contents. This could happen if multiple people found a picture on the internet and all of them uploaded it to my site. I would like to check if there is already a file with the contents of the uploaded file to save on storage.
This is how you can compare exactly two files with PHP:
function compareFiles($file_a, $file_b)
{
if (filesize($file_a) == filesize($file_b))
{
$fp_a = fopen($file_a, 'rb');
$fp_b = fopen($file_b, 'rb');
while (($b = fread($fp_a, 4096)) !== false)
{
$b_b = fread($fp_b, 4096);
if ($b !== $b_b)
{
fclose($fp_a);
fclose($fp_b);
return false;
}
}
fclose($fp_a);
fclose($fp_b);
return true;
}
return false;
}
If you keep the sha1 sum of each file you accept you can simply:
if ($known_sha1 == sha1_file($new_file))
You can use a while loop to look look through the contents of all of your files. This is shown in the example below :
function content_exists($file){
$image = file_get_contents($file);
$counter = 0;
while(file_exists('image_' . $counter . '.png')){
$check = file_get_contents('image_' . $counter . '.png');
if($image === $check){
return true;
}
else{
$counter ++;
}
}
return false;
}
The above function looks through all of your files and checks to see if the given image matches an image that is already stored. If the image already exists, true is returned and if the image does not exist false is returned. An example of how you can use this function shown is below :
if(content_exists($_FILES['file']['tmp_name'])){
// upload
}
else{
// do not upload
}
You could store hashed files in a .txt file separated by a \n so that you could use the function below :
function content_exists($file){
$file = hash('sha256', file_get_contents($file));
$files = explode("\n", rtrim(file_get_contents('files.txt')));
if(in_array($file, $files)){
return true;
}
else{
return false;
}
}
You could then use it to determine whether or not you should save the file as shown below :
if(content_exists($_FILES['file']['tmp_name'])){
// upload
}
else{
// do not upload
}
Just make sure that when a file IS stored, you use the following line of code :
file_put_contents('files.txt', hash('sha256', file_get_contents($file)) . "\n");
This question already has answers here:
How to generate a random, unique, alphanumeric string?
(31 answers)
Closed 9 years ago.
How would I go about creating a random string of text for use with file names?
I am uploading photos and renaming them upon completion. All photos are going to be stored in one directory so their filenames need to be unique.
Is there a standard way of doing this?
Is there a way to check if the filename already exists before trying to overwrite?
This is for a single user environment (myself) to show my personal photos on my website however I would like to automate it a little. I don't need to worry about two users trying to upload and generating the same filename at the same time but I do want to check if it exists already.
I know how to upload the file, and I know how to generate random strings, but I want to know if there is a standard way of doing it.
The proper way to do this is to use PHP's tempnam() function. It creates a file in the specified directory with a guaranteed unique name, so you don't have to worry about randomness or overwriting an existing file:
$filename = tempnam('/path/to/storage/directory', '');
unlink($filename);
move_uploaded_file($_FILES['file']['tmp_name'], $filename);
function random_string($length) {
$key = '';
$keys = array_merge(range(0, 9), range('a', 'z'));
for ($i = 0; $i < $length; $i++) {
$key .= $keys[array_rand($keys)];
}
return $key;
}
echo random_string(50);
Example output:
zsd16xzv3jsytnp87tk7ygv73k8zmr0ekh6ly7mxaeyeh46oe8
EDIT
Make this unique in a directory, changes to function here:
function random_filename($length, $directory = '', $extension = '')
{
// default to this files directory if empty...
$dir = !empty($directory) && is_dir($directory) ? $directory : dirname(__FILE__);
do {
$key = '';
$keys = array_merge(range(0, 9), range('a', 'z'));
for ($i = 0; $i < $length; $i++) {
$key .= $keys[array_rand($keys)];
}
} while (file_exists($dir . '/' . $key . (!empty($extension) ? '.' . $extension : '')));
return $key . (!empty($extension) ? '.' . $extension : '');
}
// Checks in the directory of where this file is located.
echo random_filename(50);
// Checks in a user-supplied directory...
echo random_filename(50, '/ServerRoot/mysite/myfiles');
// Checks in current directory of php file, with zip extension...
echo random_filename(50, '', 'zip');
Hope this is what you are looking for:-
<?php
function generateFileName()
{
$chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789_";
$name = "";
for($i=0; $i<12; $i++)
$name.= $chars[rand(0,strlen($chars))];
return $name;
}
//get a random name of the file here
$fileName = generateName();
//what we need to do is scan the directory for existence of the current filename
$files = scandir(dirname(__FILE__).'/images');//assumed images are stored in images directory of the current directory
$temp = $fileName.'.'.$_FILES['assumed']['type'];//add extension to randomly generated image name
for($i = 0; $i<count($files); $i++)
if($temp==$files[$i] && !is_dir($files[$i]))
{
$fileName .= "_1.".$_FILES['assumed']['type'];
break;
}
unset($temp);
unset($files);
//now you can upload an image in the directory with a random unique file name as you required
move_uploaded_file($_FILES['assumed']['tmp_name'],"images/".$fileName);
unset($fileName);
?>
So I am creating trying to create a PHP script where the client can create a folder with a 10 digit name of random letters and numbers, and than save the document they are currently working on into that folder. Its like a JSfiddle where you can save what you are currently working on and it makes a random folder. My issue is that it wont create my directory, and the idea is correct, and it should work. However, PHP isn't saving an Error Log so I cannot identify the issue. Here's what I got so far.
PHP
save_functions.php
<?php
function genRandomString() {
$length = 10;
$characters = "0123456789abcdefghijklmnopqrstuvwxyz";
$string = '';
for ($p = 0; $p < $length; $p++) {
$string .= $characters[mt_rand(0, strlen($characters))];
}
return $string;
}
<?php
function createFolder() {
$folderName = genRandomString(); //Make a random name for the folder
$goTo = '../$folderName';//Path to folder
while(is_dir($goTo)==true){ //Check if a folder with that name exists
$folderName = genRandomString();
$goTo = '../$folderName';
}
mkdir($goTo,7777); //Make a directory with that name at $goTo
return $goTo; //Return the path to the folder
}
?>
create_files.php
<?php
include('save_functions.php');//Include those functions
$doc = $_POST['doc'];//Get contents of the file
$folder = createFolder();//Make the folder with that random name
$docName = '$folder/style.css';//Create the css file
$dh = fopen($docName, 'w+') or die("can't open file");//Open or create the file
fwrite($dh, $doc);//Overwrite contents of the file
fclose($dh);//Close handler
?>
The call to mkdir($goTo,7777) has wrong mode, this is usually octal and not decimal or hex. 7777 is 017141 in octal and thus tries to set non-existent bits. Try the usual 0777.
But why don't you just use tempnam() or tmpfile() in your case?
I need to check if a file exists but I don't know the extension.
IE I would like to do:
if(file_exists('./uploads/filename')):
// do something
endif;
Of course that wont work as it has no extension. the extension will be either jpg, jpeg, png, gif
Any ideas of a way of doing this without doing a loop ?
You would have to do a glob():
$result = glob ("./uploads/filename.*");
and see whether $result contains anything.
I've got the same need, and tried to use glob but this function seems to not be portable :
See notes from http://php.net/manual/en/function.glob.php :
Note: This function isn't available on some systems (e.g. old Sun OS).
Note: The GLOB_BRACE flag is not available on some non GNU systems, like Solaris.
It also more slower than opendir, take a look at : Which is faster: glob() or opendir()
So I've made a snippet function that does the same thing :
function resolve($name) {
// reads informations over the path
$info = pathinfo($name);
if (!empty($info['extension'])) {
// if the file already contains an extension returns it
return $name;
}
$filename = $info['filename'];
$len = strlen($filename);
// open the folder
$dh = opendir($info['dirname']);
if (!$dh) {
return false;
}
// scan each file in the folder
while (($file = readdir($dh)) !== false) {
if (strncmp($file, $filename, $len) === 0) {
if (strlen($name) > $len) {
// if name contains a directory part
$name = substr($name, 0, strlen($name) - $len) . $file;
} else {
// if the name is at the path root
$name = $file;
}
closedir($dh);
return $name;
}
}
// file not found
closedir($dh);
return false;
}
Usage :
$file = resolve('/var/www/my-website/index');
echo $file; // will output /var/www/my-website/index.html (for example)
Hope that could helps someone,
Ioan