Nån php-kunnig

Tråden skapades och har fått 9 svar. Det senaste inlägget skrevs .
1
  • Oregistrerad
  • 2005-11-09 14:44

Behöver ändra en grej i en php-fil, detta är en del av ett upload-script, jag behöver ändra så att ALLA filtyper är tillåtna, och helst att man istället kan förbjuda vissa filtyper. Nuvarande kod är:

//Allowable file Mime Types. Add more mime types if you want
$FILE_MIMES = array('image/jpeg','image/jpg','image/gif'
,'image/png','application/msword');

//Allowable file ext. names. you may add more extension names.
$FILE_EXTS = array('.zip','.jpg','.png','.gif','.jpeg','.sd2','sdII','.pdf','.aif','aiff','.sit','.sitx','.dmg','.wav','.mp3','avi','.mpg','.mpeg','.mp4','.doc','.doc');

  • Medlem
  • Göteborg
  • 2005-11-09 15:16

Du får visa koden där man kontrollerar typen först, det ovan säger inte så mkt....

mvh
b0bben

Håller med ovan talare.
Det du bör göra är att du inverterar if-satsen som godkänner filtyper idag och fyller de arrayer du skrev ovan med icke tillåtna filtyper.

  • Oregistrerad
  • 2005-11-09 17:18

Ok, sorry, har iiiingen koll på sånt här. Här är hela scriptet:

<?php
//vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
// You may change maxsize, and allowable upload file types.
//^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
//Mmaximum file size. You may increase or decrease.
$MAX_SIZE = 2000000;

//Allowable file Mime Types. Add more mime types if you want
$FILE_MIMES = array('image/jpeg','image/jpg','image/gif'
,'image/png','application/msword');

//Allowable file ext. names. you may add more extension names.
$FILE_EXTS = array('.zip','.jpg','.png','.gif');

//Allow file delete? no, if only allow upload only
$DELETABLE = true;

//vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
// Do not touch the below if you are not confident.
//^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/************************************************************
* Setup variables
************************************************************/
$site_name = $_SERVER['HTTP_HOST'];
$url_dir = "http://".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);
$url_this = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];

$upload_dir = "files/";
$upload_url = $url_dir."/files/";
$message ="";

/************************************************************
* Create Upload Directory
************************************************************/
if (!is_dir("files")) {
if (!mkdir($upload_dir))
die ("upload_files directory doesn't exist and creation failed");
if (!chmod($upload_dir,0755))
die ("change permission to 755 failed.");
}

/************************************************************
* Process User's Request
************************************************************/
if ($_REQUEST[del] && $DELETABLE) {
$resource = fopen("log.txt","a");
fwrite($resource,date("Ymd h:i:s")."DELETE - $_SERVER[REMOTE_ADDR]"."$_REQUEST[del]\n");
fclose($resource);

if (strpos($_REQUEST[del],"/.")>0); //possible hacking
else if (strpos($_REQUEST[del],$upload_dir) === false); //possible hacking
else if (substr($_REQUEST[del],0,6)==$upload_dir) {
unlink($_REQUEST[del]);
print "<script>window.location.href='$url_this?message=deleted successfully'</script>";
}
}
else if ($_FILES['userfile']) {
$resource = fopen("log.txt","a");
fwrite($resource,date("Ymd h:i:s")."UPLOAD - $_SERVER[REMOTE_ADDR]"
.$_FILES['userfile']['name']." "
.$_FILES['userfile']['type']."\n");
fclose($resource);

$file_type = $_FILES['userfile']['type'];
$file_name = $_FILES['userfile']['name'];
$file_ext = strtolower(substr($file_name,strrpos($file_name,".")));

//File Size Check
if ( $_FILES['userfile']['size'] > $MAX_SIZE)
$message = "The file size is over 2MB.";
//File Type/Extension Check
else if (!in_array($file_type, $FILE_MIMES)
&& !in_array($file_ext, $FILE_EXTS) )
$message = "Sorry, $file_name($file_type) is not allowed to be uploaded.";
else
$message = do_upload($upload_dir, $upload_url);

print "<script>window.location.href='$url_this?message=$message'</script>";
}
else if (!$_FILES['userfile']);
else
$message = "Invalid File Specified.";

/************************************************************
* List Files
************************************************************/
$handle=opendir($upload_dir);
$filelist = "";
while ($file = readdir($handle)) {
if(!is_dir($file) && !is_link($file)) {
$filelist .= "<a href='$upload_dir$file'>".$file."</a>";
if ($DELETABLE)
$filelist .= " <a href='?del=$upload_dir".urlencode($file)."' title='delete'>x</a>";
$filelist .= "<sub><small><small><font color=grey> ".date("d-m H:i", filemtime($upload_dir.$file))
."</font></small></small></sub>";
$filelist .="<br>";
}
}

function do_upload($upload_dir, $upload_url) {

$temp_name = $_FILES['userfile']['tmp_name'];
$file_name = $_FILES['userfile']['name'];
$file_name = str_replace("\\","",$file_name);
$file_name = str_replace("'","",$file_name);
$file_path = $upload_dir.$file_name;

//File Name Check
if ( $file_name =="") {
$message = "Invalid File Name Specified";
return $message;
}

$result = move_uploaded_file($temp_name, $file_path);
if (!chmod($file_path,0777))
$message = "change permission to 777 failed.";
else
$message = ($result)?"$file_name uploaded successfully." :
"Somthing is wrong with uploading a file.";
return $message;
}

?>

<center>
<font color=red><?=$_REQUEST[message]?></font>
<br>
<form name="upload" id="upload" ENCTYPE="multipart/form-data" method="post">
Upload File <input type="file" id="userfile" name="userfile">
<input type="submit" name="upload" value="Upload">
</form>

<br><b>My Files</b>
<hr width=70%>
<?=$filelist?>
<hr width=70%>
<small><sup>Developed By
<a style="text-decoration:none" href="http://tech.tailoredweb.com">TailoredWeb.com</a>
</sup></small>
</center>

  • Medlem
  • 2005-11-09 17:35

if ( $_FILES['userfile']['size'] > $MAX_SIZE)
$message = "The file size is over 2MB.";
//File Type/Extension Check
else if (in_array($file_type, $FILE_MIMES)
&& in_array($file_ext, $FILE_EXTS) )

(Tar bort negationen (!) från in_array- raderna på två ställen.)

  • Oregistrerad
  • 2005-11-09 17:44
Ursprungligen av SirN:

if ( $_FILES['userfile']['size'] > $MAX_SIZE)
$message = "The file size is over 2MB.";
//File Type/Extension Check
else if (in_array($file_type, $FILE_MIMES)
&& in_array($file_ext, $FILE_EXTS) )

(Tar bort negationen (!) från in_array- raderna på två ställen.)

Jag testade att byta till din variant men det går ändå inte...

  • Medlem
  • 2005-11-09 18:07
Ursprungligen av pherson:

Jag testade att byta till din variant men det går ändå inte...

(Velar lite...) Byt ut && (och) mot || (eller) i if-satsen. Om filen har MIME-typ eller suffix som finns i någon av listorna ovan, så ska det neka. Annars godkänna.

  • Oregistrerad
  • 2005-11-09 18:26

Hemskt tacksam för din hjälp, men jag får det ändå att funka. (Kanske jag som är slut i huvudet)

Du menar alltså ändra:

==============
$handle=opendir($upload_dir);
$filelist = "";
while ($file = readdir($handle)) {
if(!is_dir($file) && !is_link($file)) {
$filelist .= "<a href='$upload_dir$file'>".$file."</a>";
if ($DELETABLE)
$filelist .= " <a href='?del=$upload_dir".urlencode($file)."' title='delete'>x</a>";
$filelist .= "<sub><small><small><font color=grey> ".date("d-m H:i", filemtime($upload_dir.$file))
."</font></small></small></sub>";
$filelist .="<br>";
}
}
=================

Till:

=================
$handle=opendir($upload_dir);
$filelist = "";
while ($file = readdir($handle)) {
if(!is_dir($file) || !is_link($file)) {
$filelist .= "<a href='$upload_dir$file'>".$file."</a>";
if ($DELETABLE)
$filelist .= " <a href='?del=$upload_dir".urlencode($file)."' title='delete'>x</a>";
$filelist .= "<sub><small><small><font color=grey> ".date("d-m H:i", filemtime($upload_dir.$file))
."</font></small></small></sub>";
$filelist .="<br>";
}
}
=================

eller?

Testade oxå att kombinera detta med och utan "!" i "if"

  • Medlem
  • 2005-11-09 18:30

Ähum, nej...

I avsnittet under...
* Process User's Request
...strax ovanför
* List Files

Så finns stycket...

//File Type/Extension Check
else if (!in_array($file_type, $FILE_MIMES)
&& !in_array($file_ext, $FILE_EXTS) )
$message = "Sorry, $file_name($file_type) is not allowed to be uploaded.";
else
$message = do_upload($upload_dir, $upload_url);

Där menar jag.

  • Oregistrerad
  • 2005-11-09 18:41

Du är ett GENI! Nu funkar det! TACK!

1
Bevaka tråden