0

Greetings!
Anyone here who can correct my code?
I'm abit noob to PHP, just started learning.
The Ban file function of mine does the echo but it wont stop the file upload. Any idea? have i inplented it wrong or do i miss a line?
Love you long time if you correct it.. +1 !

//Ban file if executable!
   $blacklist = array(".php", ".phtml", ".php3", ".php4", ".js", ".shtml");
    foreach ($blacklist as $item) 
    {
    if(preg_match("/$item\$/i", $_FILES['uploaded_file']['name'])) 
    {
    echo "ERROR: Uploading executable files Not Allowed\n";
    exit;
    }
    }

Here is the complete script.

<?php
// Check if a file has been uploaded
if(isset($_FILES['uploaded_file'])) {
    // Make sure the file was sent without errors
    if($_FILES['uploaded_file']['error'] == 0) {
        // Connect to the database
        $dbLink = new mysqli('xxxxxx', 'xxxxxx', 'xxxxxx', 'xxxxxx');
        if(mysqli_connect_errno()) {
            die("MySQL connection failed: ". mysqli_connect_error());
        }
 $userid = $_SESSION['loginid']; //login session
$target = "inc/user_images/".$userid."_"; 
$target = $target . basename( $_FILES['uploaded_file']['name']); 
        // Gather all required data
 
        $name = $dbLink->real_escape_string($_FILES['uploaded_file']['name']);
        $mime = $dbLink->real_escape_string($_FILES['uploaded_file']['type']);
     // delete this line   $data = $dbLink->real_escape_string(file_get_contents($_FILES  ['uploaded_file']['tmp_name']));
        $size = intval($_FILES['uploaded_file']['size']);
 
        // Create the SQL query
       //add userid to your database delete the data entity.
        $query = "
            INSERT INTO `userfile` (
              `userid`,  `name`, `mime`, `size`, `created`
            )
            VALUES ('{$userid}',
                '{$name}', '{$mime}', {$size}, NOW()
            )";
 
        // Execute the query
        $result = $dbLink->query($query);
		
 //Ban file if executable!
   $blacklist = array(".php", ".phtml", ".php3", ".php4", ".js", ".shtml");
    foreach ($blacklist as $item) 
    {
    if(preg_match("/$item\$/i", $_FILES['uploaded_file']['name'])) 
    {
    echo "ERROR: Uploading executable files Not Allowed\n";
    exit;
    }
    }
 
        // Check if it was successfull
        if($result) {
            move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $target);
            echo 'Success! Your file was successfully added!';
        }
        else {
            echo 'Error! Failed to insert the file'
               . "<pre>{$dbLink->error}</pre>";
        }
    }
    else {
        echo 'An error accured while the file was being uploaded. '
           . 'Error code: '. intval($_FILES['uploaded_file']['error']);
    }

    // Close the mysql connection
    $dbLink->close();
}
else {
    echo 'Error! Your file was not sent!';
}
 
// Echo a link back to the main page
echo '<p>Click <a href="index.php">here</a> to go back!</p>';
?>
3
Contributors
3
Replies
4
Views
6 Years
Discussion Span
Last Post by Sorcher
0

Well you wont be able to stop the upload itself, because it is sent with the POST. But from the looks of your script, Just need to rearrange it so that you can stop from saving script files.

Think you should do the ban check first before adding the entry to the database, then all you will have to do on a fail it delete the temp uploaded items.

Edited by =OTS=G-Man: n/a

1

You can have a look at this function I used a while ago to determine the file extension:

//--- DETERMINES IMAGE EXTENSION ---//
function getExtension($str) {
	$i = strrpos($str,".");
		if (!$i) {
			return "";
		}
	$l = strlen($str)-$i;
	$exten = substr($str,$i+1,$l);
	return $exten;
}

                $errors = 0;
                $filename = stripslashes($_FILES['image']['name']);
                $extension = getExtension($filename);
		$extension = strtolower($extension);
			
		if (($extension == "php") || ($extension == "phtml") || ($extension == "html") || ($extension == "js")) {
			$errors = 1;
			echo 'wrong extension';
		}
                if($errors >= 1) {
			echo 'There was a problem';
                        die(1);
		}

I can post the whole thing if you need it - it might make more sense that way. Just let me know :D

Edited by nonshatter: n/a

Votes + Comments
Ask him for help and google will look bad!
This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.