I'm currently in the process of searching for a media upload library for PHP that can manage multiple types of files. Either a single library or a combination of different ones would work equally well.
I could write some simple upload code that checks what type of file, and incorporate some simple security measures, but I'd much rather leave it up to someone else more qualified.
Features I'm looking for in such a library:
Checking for file type. I would like the library to have a whitelist of types of files that can be uploaded, and be to able to check if the file uploaded is indeed on that whitelist. The checking process would have to do more than just check the file extension. Example: Only uploading .jpg, .png, .mp3, .avi is allowed.
Either a very comprehensive settings page/section or understandable and editable code. I'd like to be able to mold the library to fit the structure of my site, not the other way around.
Security checks. I would like there to be a system of security checks to make sure that files are not a possible security threat to my website.
Free. I'd rather not buy a library.
Tools I've Found So Far:
Due to the universal need for file upload code, there are tons of upload libraries out there, such as:
class.upload.php -- Manages the uploading, saving, and resizing of images.
Pear PHP's HTTP_Upload -- Manages files submitted via HTTP forms.
Easy PHP Upload -- Validates and manages file upload via Web forms
EasyUp -- Simply manages file upload.
The problem is, there's just so many libraries, frameworks, and classes out there that it's hard to choose one (or multiple to work in combination) and know that it's going to be reliable and work well.
So, it would be amazing if I could get some recommendations on what in your opinion the best file upload library or libraries are for PHP that contain the features I'm looking for!
Thanks a ton!
Well, it depends on just what you want uploaded. Is it just images? Text files? Videos?
At any rate, a library wouldn't actually be needed because PHP has a very powerful built in upload function.
This page here shows a good example of how to make a basic form and implementing some basic security checks, including checking the file extension. PHP is very secure as it is, though you'll have to decide for yourself what file extensions you will accept. Generally, it's best to choose specifically what you will accept, rather than limiting out a few high risk files only. For example, unless they're needed and you want to support them, avoid supporting archives (such as 7z, bz2, or zip) or executables.
As well, if you want to put a very basic virus scan into the newly uploaded file, you can use a method similar to this one.
You want to be able to meld your site around the desired library? Using PHP lets you do that better than anything, and it's relatively simple to do.
Related
I'm interested making certain my file uploaded via php into a db is locked down. Currently the key functions I'm using are fopen and fgetcsv. Unfortunately this subject seems quite nebulous in the webs.
The file isn't "executed" but is opened and walked with fgetcsv. What steps do I need to do in order make certain that no foul play occurs on my server through this module?
Currently I limit the file size and check the extension.
Do I need to verify the file uploaded is actually a csv and not just some file with a csv extension? I assume this would be through a file type recognizer?
What do I need to do to avoid multibyte/encoding exploits?
***Edit
I found this link to be helpful and may be to others; http://php.net/manual/en/features.file-upload.post-method.php
Thanks
If you are relying on a library to parse user input, you should have confidence in the quality of the library.
If you don't then picking a separate library is advisable.
If no sufficiently stable library can be found for the task, the only viable option in a security-critical application is to implement the functionality yourself.
Im planning to add file manager (very basic once) because I never used FTP functions, and it looks easier (FTP connection loses when scripts is done). I would simply use POST request (or what should I?) instead of FTP functions. Is it good idea? Anyone knows restrictions?
As far as I can see only FTP functions are to post and receive files.
What you need to do is add dynamic form where you can select multiple files and upload them to specific directory of your chose.
You will need to get all available directories and files in them, probably with some kind of recursive function. More optimal way is to get directories/files of current folder and when you click on folder it will get files/folder for it.
Can it be done - sure. Is it a good idea - no. People will have access for uploading malicious files, we are not talking about images here, php scripts, shell scripts, executable viruses and so on...
If you are doing this only for yourself, for file posting and receiving I suggest you to use FTP clients for that.
I wouldn't recommend it, but it's probably best to use a 3rd party tool, rather than to write your own.
PHP File Manager
PHPfileNavigator2
FileManager
...
Keep in mind that both PHP and your webserver can put certain restrictions on the size of files that you can transfer, it is of course possible to change these in the configuration files.
I'm looking for a tool to facilitate mulitple webpage file uploads from a single file browse dialogue. I know this has been asked previously, but I can't find anything current.
I'd like to check file size prior to upload, and I gather Flash is still the only way to do that cross-browser?
Ideally, I'd like an upload progress metre. I'll be using Linux and Apache servers, but don't have access to install add-ons such as PHP APC. Again, I assume something flash-based is the only option there?
I've looked at SWFUpload, but that appears to be another of these projects where the developers have become quite zealous and turned a simple concept into a full suite of tools for the masses. It seems quite cumbersome and I don't think I want to use it for my purpose.
I'd prefer not to have to write something from scratch for this. Could someone recommend me something or perhaps suggest a non-Flash alternative if there is one? I do need full cross-browser compatibility without too many layers of degradation, so anything HTML 5 probably isn't what I want.
Thanks
As I mentioned earlier today ( Multiple file upload (client side) )
I am a big fan of Plupload which can check file size, show progress bar, single dialog for multiple files, and supports things other than Flash if needed.
What is, according to you, the best way to convert uploaded files of any kind (.doc, .docx,...) into a pdf-file using nothing but php. Is it even possible to do so?
I looked at FPDF, but this creates the pdf files from text.
An other solution previously given was to use the PDFlib library on your server, but unfortunately, my server doesn't support this library...
What is the best way to convert to files my users upload on my site to pdf files?
A simpler approach would be to restrict uploads to .PDF format programmatically and require your users to only upload .pdf files. Provide a link on the upload page to a free and open source pdf printer (e.g. Cuteftp) that the user can install to create .pdf documents from any file that can be printed.
Trying to do it through PHP will be problematic because the uploads could be generated from many different programs that would be impossible to cater for in their entirety. e.g. How would it handle Scribus or ABC Flowcharter or any other 'non-standard' application someone used to create a document?
Much better to filter the upload upfront.
The best server-side PDF generator from those I tried was, so far, wkhtmltopdf, a WebKit-based, self-contained invisible browser that can render any HTML+CSS and generate a PDF from it. Reasonably fast and fairly reliable, has some useful PDF options, such as page size, orientation, etc.
The second part of the job in your case is to convert documents to HTML prior to feeding them to wkhtmltopdf. If possible, have your users upload the docs in HTML (Word and Co. can export (crappy) HTML). If this is not an option, you will have to find a tool just for that, which, in my opinion, is much easier than finding a tool that converts Word docs directly into PDF.
Good thing about wkhtmltopdf is also that you can feed the output of your PHP script to it using the ob_xxx() functions.
PHP Excel best simple way to create doc, docx, xls, xlsx, pdf files with PHP. Its lot easier with clear documentation.
Use Microsoft Office to render Microsoft Office documents, if you care about accuracy at all. This is easily done by invoking Office over COM.
Get access to your server, and install what you need. Doing so would be far easier than monkeying around with sub-par solutions.
Well... I can think of one way of doing it quite easily, but it doesn't involve using PHP.
Upload your documents to a folder on your server, that are browsable by your users.
EG: http://mysite.com/docs/
Then get your users to install a virtual printer driver such as Primo PDF
http://www.primopdf.com/index.aspx
then they can load the document into their browser, and print to PDF for offline browsing.
If this is not an option, and your dealing with office documents that conform to the openXML standard, you could attempt to parse the XML doc into a PHP page for display in the browser, then use JavaScript to trigger a print.
Unfortunately, it does still depend on your user having a PDF printer installed.
Alternatively, you could just load the docs natively, and print to your own PDF printer, then upload the PDF's to the web server for download.
I can't think of any easy way of doing this otherwise, without installing all sorts of different document parser tool-kits and doing a huge amount of behind the scenes work.
I allow PDF files to be uploaded to my site (PHP).
I would like to offer the ability to also allow .zip files which contain PDF files in directories so it is easier for users to simply zip a directory and upload one file instead of uploading multiple zip files individual.
For those of you who offer a .zip file upload feature to your (PHP) website, what are the technical, security, and other issues you have faced?
Be careful how you unpack the zip, you could find yourself consuming far more resources than you expected. Perhaps some setrlimit(2) resource limits before unpacking would be wise.
The unzip(1) utility has several nice safety features built in; the -^ command line option turns off control-character filtering, so make sure you don't touch this :) and the -: command line option allows stupid pathnames like ../../../../etc/passwd. Make sure you're on at least version 5.50, so that those stupid pathnames are forbidden by default. (And don't use that command line option. I mention the options just so you can more easily find the documentation for them. :)
If you use an API, make sure it has options to prevent both kinds of silly filenames.
Assuming the .zip gets unpacked eventually you would have to make sure the directory they get unpacked in is unreachable by the the clients' browsers (with .htaccess or by placing it outside the web root directory), and even in that case I'd still monitor the contents of the unpacked .zip to make sure they didn't contain anything that might prove harmful (php or other files run by the server, html spoofs).
Another issue is i guess the upload_max_filesize set in php.ini, you can make sure it can be set big enough to suit your purposes before you start coding.
edit: also read sarnold's answer ;)
AFAIK, php can handle zip files pretty efficiently. Difficulties/Issues that I can think of is, while accessing the file where We need to extract the zip first, and then retrieve the actual needed file. Due to that reason, extracting a zip, might consume additional amount of server time, depending on the size of the file itself.
Where As, during uploads, I do not suppose there is any difficulties or issues specially emphasized on zip types.