Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Check Errors Before Uploading PHP

    #193481
    wolfgang1983
    Participant

    I can upload multiple files OK, but I would like to know where it is best to set up errors so I can check if the file extension is allowed and also the correct file size. I use $this->error['warning'] = 'message';

```php
protected function validateForm() {
    $this->load->library('request');

    // Upload target and the per-file arrays from the multi-file form field
    $file_path  = FCPATH . 'upload/';
    $file_name  = $this->request->files['file']['name'];
    $file_tmp   = $this->request->files['file']['tmp_name'];
    $file_type  = $this->request->files['file']['type'];
    $file_size  = $this->request->files['file']['size'];
    $file_error = $this->request->files['file']['error'];

    // Intended limits; not yet enforced anywhere below
    $file_ext_allowed = array('png', 'gif', 'ico');
    $file_max_size    = 3000;

    if (is_dir($file_path)) {
        for ($i = 0; $i < count($file_tmp); $i++) {
            move_uploaded_file($file_tmp[$i], $file_path . $file_name[$i]);
        }
    } else {
        $this->error['warning'] = 'Your upload path<b> ' . $file_path . ' </b>could not be found!';
    }

    return !$this->error;
}
```

    #193507
    wolfgang1983
    Participant

    I have $_FILES in my library class; I have cleaned files doing it this way. And I can still upload, but I want to set some errors up as said.

    #193519
    Anonymous
    Inactive

    Never allow uploaded files to be executed as scripts. Among other things, this means you cannot store them in a directory that is publicly accessible and also executes php scripts. Never use the submitted filename as the filename on your filesystem.

    This piece of advice should be imprinted on the minds of everyone and anyone who includes any code that allows importing of files. If a script can be uploaded and executed, you may as well hand out your ftp credentials.

    Irresponsible to the point of negligence.

    If you don’t understand how to ensure your code is safe against this sort of attack, either pay someone who does or lose the feature.

    #193620
    shaneisme
    Participant

    I find it good to check the following, with caveats below:

    1) File extension
    2) MIME type
    3) File size

    Both 1 & 2 can be faked, but I check them for use-cases where the uploader isn’t doing anything malicious and provide helpful error messages.

    Now that you know those can be faked, and by what everyone has said so far about security, you’ll know that accepting uploaded files from the wild is a dangerous prospect.

    At the very least, you shouldn’t believe anything that happens in your $_FILES object.

    Use the built-in functions and methods PHP has to move files around once they’re uploaded. Rename the file using a random string, storing the original in your DB. Move the file into a folder that is above the application, out of reach of anyone that would want to access it (if they could find out the new random file name).

    Even this is the bare minimum…

    #198594
    Taufik Nurrohman
    Participant

    PHP already has its own error codes. You can use them to cancel a file upload if one has happened:

```php
<?php
if (isset($_FILES) && ! empty($_FILES)) {

    $target = $_FILES['foo']; // from `<input type="file" name="foo">`

    // Messages keyed by PHP's UPLOAD_ERR_* codes
    $errors = array(
        0 => 'There is no error, the file uploaded with success.',
        1 => 'The uploaded file exceeds the upload_max_filesize directive in php.ini',
        2 => 'The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form.',
        3 => 'The uploaded file was only partially uploaded.',
        4 => 'No file was uploaded.',
        5 => '?', // PHP defines no error code 5
        6 => 'Missing a temporary folder.',
        7 => 'Failed to write file to disk.',
        8 => 'A PHP extension stopped the file upload.',
    );

    // Check common errors
    if ($target['error'] > 0 && isset($errors[$target['error']])) {
        exit($errors[$target['error']]);
    }

    // Check accepted file extensions
    $ext = strtolower(pathinfo($target['name'], PATHINFO_EXTENSION));
    $ext_accepted = array('gif', 'jpg', 'jpeg', 'png');
    if ( ! in_array($ext, $ext_accepted)) {
        exit('Extension `' . $ext . '` is not allowed.');
    }

    // Other error checks ...

    // Process upload!

}
```
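Pulling the thread's advice together (PHP's UPLOAD_ERR codes, a size check, an extension allowlist cross-checked against the sniffed content type, a random server-chosen filename with the original kept only for the database, and a storage directory outside the web root), here is an added example handler; it is not code from any poster in this thread. UPLOAD_DIR is a placeholder path and the form field name `foo` is assumed.

```php
<?php
// Added example, not from the thread. UPLOAD_DIR is a placeholder and must
// not be served by the web server; the form field is assumed to be named "foo".
const UPLOAD_DIR    = '/var/app/private_uploads';
const MAX_BYTES     = 3 * 1024 * 1024;
const ALLOWED_TYPES = ['image/png' => 'png', 'image/gif' => 'gif', 'image/jpeg' => 'jpg'];

function validateUpload(array $f): array
{
    if ($f['error'] !== UPLOAD_ERR_OK) {
        return [false, 'Upload failed with PHP error code ' . $f['error']];
    }
    // Only accept a path that PHP itself wrote for this request.
    if (!is_uploaded_file($f['tmp_name'])) {
        return [false, 'Not an uploaded file'];
    }
    // Measure the bytes actually written to disk.
    if (filesize($f['tmp_name']) > MAX_BYTES) {
        return [false, 'File too large'];
    }
    // Sniff the content instead of trusting the browser-supplied 'type'.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return [false, "Type $mime is not allowed"];
    }
    // The claimed extension must agree with the sniffed type (jpeg alias tolerated).
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if ($ext === 'jpeg') $ext = 'jpg';
    if ($ext !== ALLOWED_TYPES[$mime]) {
        return [false, 'Extension does not match content'];
    }
    return [true, ALLOWED_TYPES[$mime]];
}

function storeUpload(array $f): array
{
    [$ok, $info] = validateUpload($f);
    if (!$ok) return [null, $info];
    // Random server-chosen name; the submitted name is returned for the DB only.
    $stored = bin2hex(random_bytes(16)) . '.' . $info;
    $dest   = UPLOAD_DIR . DIRECTORY_SEPARATOR . $stored;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return [null, 'Could not move file'];
    }
    return [['stored_name' => $stored, 'original_name' => $f['name']], null];
}
```

Call `storeUpload($_FILES['foo'])` from the request handler; it returns either a record to persist (random stored name plus the original name) or an error string to show the user.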
    