I've made a basic looking PHP file load system, so far I can upload any file type, I haven't add any parameters just yet.
But what I want to know is with the method I'm using, what steps should I take to make the system secure? Is there another, more secure way of doing things, and any guides, tips or suggestions that may help with this system?
This is my code so far:
$upload_to = "img/company_logos/";
if($_POST)
{
if(!empty($_POST['upload']))
{
$upload_to = $upload_to . $_FILES['file']['name'];
move_uploaded_file($_FILES['file']['tmp_name'], $upload_to);
echo "Uploaded!";
}
}
?>
<html>
<body>
<form method="post" enctype="multipart/form-data">
<input type="hidden" id="upload" name="upload" value="1" />
<input type="file" id="file" name="file" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
One of the major things I've seen is the upload directory permissions are set to 777 this means anyone can read/write/execute this dir.
Thanks for the help.
Check the referrer
Restrict file types
Rename files
Change permissions
Login and Moderate
http://php.about.com/od/advancedphp/qt/upload_security.htm
And see this one
PHP Upload file enhance security
Related
Hello I needed code for automatically chose file and upload it to desired link. How to do that?
html code:
<html>
<head><title>Uploading</title></head>
<body>
<form method="post" enctype="multipart/form-data" action="uploadFile.php">
<input type="file" name="file" id="file">
<input type="submit" value="Submit">
</form>
</body>
</html>]
In above code at this line
<input type="file" name="file" id="file">
this path is fixed and can't be changed as user tries. so when user click on "Submit" button the file has to upload.
How to do this?
TL;DR: What you are trying to do is absolutely impossible - for a good reason.
If this was possible, you could create a hidden upload field pointing to a file containing valuable data (e.g. the browser's cookie database) and submit the form using JavaScript (or make the user submit it without knowing about that upload) and copy any file the user has access to.
I am trying to make a site where users can upload files. I have some basic parameters (like making sure they're logged in, etc) above this code. I have narrowed down where my error is. Whenever I try to upload a file, it loads for a long time (even when it's just a small JPG), and displays nothing. I've looked through a bunch of previous questions, but they don't really help.
HTML
<form name="contact" action="action.php" method="post" enctype="multipart/form-data">
<input type="file" name="file" id="file" multiple><br><div id="adder"></div>
<input type="submit" name="submit" value="Submit">
</form>
PHP
for($i=0; $i<count($_FILES['file']['name']); $i++) {
//Get the temp file path
$tmpFilePath = $_FILES['file']['tmp_name'][$i];
//Make sure we have a filepath
if ($tmpFilePath != ""){
//Setup our new file path
$newFilePath = "uploads/".$_FILES['file']['name'][$i];
//Upload the file into the temp dir
if(move_uploaded_file($tmpFilePath, $newFilePath)){
set_time_limit(0);
echo "Thanks for your submission! Your file was uploaded.;
}
change your this line:
<input type="file" name="file" id="file" multiple><br><div id="adder"></div>
to
<input type="file" name="file[]" id="file" multiple><br><div id="adder"></div>
and please write the proper code cause incomplete information will take people away for actual reason for the code to not work.( you did not close the for loop there)
also I am assuming you have checked the POST request using $_POST[] before saving anything to make sure someone actually submitted the form.
I know this is an old question and I have found lots of tutorial on SO however, they cannot solve my problem.
I use my mac to set up a localhost for web programming and I try to upload a jpg file to my localhost directory "/Library/WebServer/Documents". But it gives hint unable to move.
my front end code is:
<form action="upload_file.php" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="Submit">
</form>
The php(upload_file.php) code is(there is some other checking codes for php file, copied from w3school):
move_uploaded_file($_FILES["file"]["tmp_name"] , "/Library/WebServer/Documents" . $_FILES["file"]["name"]);
And after I click the submit button, there is sth wrong printed on the screen.
Moreover, I did not find any tmp file in the file "/private/var/tmp", in which should be a tmp file...
make sure your php file has enough rights to write into the directory.
check if print_r($_FILES); lists anything, especially the size is important.
I'm developing an image host and wish to have images uploaded to a separate server from my web content, eg: http://i1.mysite.com instead of http://mysite.com/uploads. But I'm having some trouble figuring out how to do that.
Say I have this form:
<form action="http://mysite.com/upload" method="post" accept-charset="utf-8" enctype="multipart/form-data">
<input type="file" name="image" id="file_upload" />
<input type="submit" value="Upload" id="upload_submit" />
</form>
That will send an image file to /upload, where I can validate the file and save it, but that will be on the same server as the website is hosted, rather than a dedicated storage server. How can I achieve what I want without having the images uploaded on the same server as my web site?
I could always do:
<form action="http://i1.mysite.com/upload" method="post" accept-charset="utf-8" enctype="multipart/form-data">
<input type="file" name="image" id="file_upload" />
<input type="submit" value="Upload" id="upload_submit" />
</form>
which would send the image file to another server, but then when the image upload is complete I'd be redirected to http:/i1.mysite.com/upload.
Anyone have any experience with this and can recommend a course of action? Thank you!
Don't upload to the image server. Such content-specific servers should be optimized for serving up content, and not have to deal with consuming content.
Let the upload form send to your main site's server. You can then use other protocols to transfer the uploaded file(s) to the image servers. rsynch, scp, etc... This way you have all your "control" code in one location, and don't have to worry about synching databases and whatnot between multiple servers - all the data is kept on your main server, and the image servers just passively spit out image data.
I would recommend decoupling these two ideas. First, upload the image to your servers and in a separate process (perhaps a scheduled cron) move the images to other server. You likely do not want the user waiting for two uploads to finish.
Like the others have said, what you're trying to do is not optimal. If you really want to continue to do this, I'd suggest having the form submit to a PHP script which then processes it and places the file where it needs to be and then saves whatever information to the database that is necessary. You'll need to evaluate the best protocol for the data transfer from one server to the other. You'll probably end up using Curl, which you can learn about here and here as well as the curl docs
You could upload the image to your image host, and have it redirect back to your website afterward. One way to do this would be to add hidden "success" and "failure" URL inputs to the form:
<form action="http://i1.mysite.com/upload" method="post" accept-charset="utf-8" enctype="multipart/form-data">
<input type="file" name="image" id="file_upload" />
<input type="submit" value="Upload" id="upload_submit" />
<input type="hidden" name="success" value="http://mysite.com/success" />
<input type="hidden" name="failure" value="http://mysite.com/failure" />
</form>
The upload script on your image host would then redirect to the supplied URL after a successful upload:
<?php
.. handle uploaded file ..
if ($success) {
header ('Location: ' . $_REQUEST ['success']) ;
}
else {
header ('Location: ' . $_REQUEST ['error'] . '?message=' . $message) ;
}
?>
I am working with PHP and would like to get a remote file path location so that I can read file contents.
I would like the user to direct to a particular file, which can be located anywhere in the computer, so that it can be processed by the script.
Thanks
You can offer a user the ability to locate a file on their local computer and submit it to you via a web form, like..
<form id="myForm" enctype="multipart/form-data" action="/formHandler.php" method="post" >
<label for="fileUpload">File to Upload:</label>
<input name="fileUpload" id="fileUpload" type="file" /><br />
<input name="submit" id="submit" type="submit" value="Upload Now"></form>
Then you can process it on your side with PHP, or whatever you have on the server end. Since PHP is one of your tags, you can learn more on how to access, and work with, on the server end from the PHP reference site:
http://www.php.net/manual/en/features.file-upload.post-method.php
I hope I understood your question correctly..