Title: PHP Tutorials: Security - File Uploading
Added: Aug 14, 2011
Author: phpacademy
Duration: 14:37
Description:
Not protecting file uploads is a common security problem, and can lead to a variety of security issues. Have you protected your file upload process?
Official website: http://phpacademy.org
Support Forum: http://phpacademy.org/forum
Follow us on Twitter! http://twitter.com/phpacademy
Channel: Education
Tags: php upload security tutorial tutorials hacking hacker hack file include secure including files securely deface attack delete
Youtube Comments: 32
wideload123 Says:
Aug 15, 2011 - Yeah this is me, I guess not everybody would know that.
ceewwb Says:
Aug 15, 2011 - I think Alex explains better than this guy, but all these security tutorials are important and everyone should watch this. Now try to upload a file like this: "anyname.php%00.jpg". This allows the upload on Linux servers because the %00 deletes the .jpg. I don't know if your PHP upload code allows the upload of it, but on some sites I tested it worked.
macmaster4848 Says:
Aug 15, 2011 - @wideload123 Lol.
wideload123 Says:
Aug 15, 2011 - This came up when I uploaded the version of this to my channel too. In theory what you say should work, but in practice PHP seems to validate the name given in $_FILES (a null byte is not allowed in a file name by the filesystem), meaning $_FILES['upload']['name'] contains the name of the file that will be written, or something like that anyway. I tried for about half an hour to get it to work and was not able to, but if you can demonstrate it working I guess I need to re-record this ;)
ceewwb Says:
Aug 15, 2011 - I have here some websites that talk about it: pastebin[DOT]com/zJpdbbA9. I don't know how to demonstrate that, because it just works on some sites, and I just know that it works because I hacked into one website where I could only upload the .jpg and .gif extensions, and for example shell.php.jpg didn't work and the only way was shell.php%00.jpg. I just said that to you because sometimes it works and I don't know if it is usual on websites.
wideload123 Says:
Aug 15, 2011 - Okay, well null byte injection is something to be wary of. I did a video for Alex on this too (not sure if it is uploaded yet). Based on my testing I am pretty happy that this method does not have that problem.
xXZarlachXx Says:
Aug 15, 2011 - I have image upload for profile images. What I've done is that it saves the image as username.gif. So if anyone were to upload an image called "image.png" it would be renamed to their username.gif. So whatever file extension you upload, it will be converted to a gif file. Is this secure enough? If I upload a PHP file it gets converted into a gif file and displays nothing but a white page.
wideload123 Says:
Aug 15, 2011 - Yeah, not using the original file name is also a good idea :)
RawRzCopteR Says:
Aug 15, 2011 - Wouldn't it be much simpler to just use: $ext = end(explode(".", $fileName));
c0decub Says:
Aug 15, 2011 - yes
Cezarijus Says:
Aug 15, 2011 - jpg is not spelled wrong; it's actually the format that was used for Mac, and Windows had jpeg. But now they both support the two.
wideload123 Says:
Aug 15, 2011 - More or less the same, I generally alternate between using these two methods.
altu892 Says:
Aug 16, 2011 - Linux!!!!!!
daeheadshot Says:
Aug 16, 2011 - Linux FOR THE WIN!
mipfer Says:
Aug 16, 2011 - You can try phpinfo.php.jpg. I've tried that on some websites and it worked! It executes it as PHP..
Spelter Says:
Aug 16, 2011 - Hi, it's not true that the server won't execute an image or serves it. It is your browser which makes the error. To ensure that you're just getting images, you should:
1) avoid external loading via ht*p or f*p
2) ensure that the mime-type is allowed.
From php.net:
echo "php.gif " . mime_content_type('php.gif') . "\n";
echo "test.php " . mime_content_type('test.php');
It echoes:
php.gif image/gif
test.php text/plain
....
Spelter Says:
Aug 16, 2011 - Aaah, damn YouTube :) I lost my newlines ;) So, basically, you upload the file to a temp folder, determine the mime-type, and if it's not image/gif or image/jpg, delete it and stop the process with die("error in file"). Search for "php function mime-content-type" and you get the manual page from php.net.
ca2mca2m Says:
Aug 19, 2011 - We can explode the file name using the "explode" function to see how many dots are in the file name, and we can get the file extension from the result of the explode function using the "array_pop" function. Look how it works: $ext = array_pop(explode(".", $_FILES["uploade"]["name"])); // if the file's name is "Islam.gif" the result is "gif"
pestinha26 Says:
Aug 21, 2011 - Hi Adam, I've been following your videos for a while now and I wanted to ask you about file upload with jQuery. I have a form with text and file inputs. The validation is made through jQuery and everything works fine, except for the files. I can't seem to pass the file to the PHP script. Help? Thank you =)
MrTechnikfan100 Says:
Aug 21, 2011 - Thank you very much
ncili Says:
Dec 5, 2011 - I used to wonder why no one on the whole internet has done a PHP video upload tutorial, until I decided to try it myself, and I can tell you all it's because of the video player. I know you all, like me, have searched YouTube and Google for a PHP video upload tutorial and it's not there; I've been searching for years. I have emailed everyone on here who does these tutorials and have gotten no response. Adding the video player and having it call the video to play is difficult and can't be done locally.
steve228uk Says:
Apr 6, 2012 - Would it not be easier and more secure to use the $_FILES['type'] to detect the mime type of the file?
Sindrenk Says:
May 25, 2012 - 7:50 You say that it will check if the first parameter is in the second parameter. Doesn't that mean one could just name the file phpinfojpg.php, since jpg would still be in the second parameter?
Sindrenk Says:
May 25, 2012 - Nevermind, I just realised what your $ext really was.
wideload123 Says:
Aug 15, 2011 - You can check the mime type of the file, have a look at the mime_content_type function (and the recommendation on what to use instead of it). If you are hosting images, you can make sure that the file is an image by trying to load it using one of the imagecreatefrom*() functions.
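Pulling the checks raised in this thread (rejecting a null byte in the name, taking the last extension with explode/array_pop, checking the real MIME type with finfo rather than mime_content_type or $_FILES['type'], decoding with imagecreatefrom*, and storing under a generated name instead of the original) into one PHP routine, as an added example that is not code from the video or from any commenter; the field name "upload" and the upload directory are assumptions.

```php
<?php
// Added example (not code from the video or from any commenter): one routine
// combining the checks discussed in the comments above. Assumes the form
// field is "upload" and $dir is a directory the web server does not execute
// PHP from (hypothetical path in the usage line below).
function store_image_upload(array $file, string $dir): ?string
{
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'gif' => 'image/gif', 'png' => 'image/png'];
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Reject a null byte in the client-supplied name outright (the "%00"
    // trick raised above) instead of relying on the filesystem to catch it.
    if (strpos($file['name'], "\0") !== false) {
        return null;
    }
    // Use the LAST extension, so "x.php.jpg" yields "jpg"; the name is only
    // a hint, the real decision comes from the file content below.
    $parts = explode('.', $file['name']);
    $ext = strtolower(array_pop($parts));
    if (!isset($allowed[$ext])) {
        return null;
    }
    // MIME type from the bytes on disk via finfo (the manual's replacement for
    // mime_content_type), never from $_FILES['type'], which the client sets.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        return null;
    }
    // Confirm GD can actually decode it as that image type.
    $loader = 'imagecreatefrom' . ($ext === 'jpg' ? 'jpeg' : $ext);
    $img = @$loader($file['tmp_name']);
    if ($img === false) {
        return null;
    }
    imagedestroy($img);
    // Never keep the original name: random name plus the validated extension,
    // in the spirit of the username.gif approach mentioned above.
    $target = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    return $target;
}

// Usage (hypothetical directory):
// $path = store_image_upload($_FILES['upload'], '/srv/uploads');
```

These checks confirm the file decodes as an image, not that it contains nothing else, so the upload directory should still be one from which the web server never executes PHP.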