php upload q
- 9 Responses
- kinetic
I've got a decent upload script for uploading multiple files going..but I'm having trouble getting .txt files in there but not .php files (don't want people uploading scripts to my server ;)
so..
$extension = $_FILES['userfile']['type'][$i]; // MIME type reported for this upload
if (strstr($extension, "jpeg")) {
    $extension = ".jpg";
} else if (strstr($extension, "text/plain")) {
    $extension = ".txt";
} else {
    echo "That type of file is not allowed.";
    echo "Retry";
    exit;
}
the top works fine...it will only let in jpgs
if I upload a php file and echo the type it comes back as text/plain. so I'm not really sure how I can let them only upload text files.
help is much appreciated
thanks :)
- CAJTBr
well the last time i used php was about 18 months ago, but i'll have a shot anyway.
i'd guess what's happening is that because php files are text files, doing a strstr for text/plain on the type is always going to return something. i don't understand why you're doing that anyway, why not just strstr the filename on its own rather than filename and file type?
i may be reading it wrong, but i'd do that.
- kjensen
That's just what I was gonna say. Search the filename for the string, not the type. Make sure you search the real name not the tmp name.
- unknown
get that php bb script, it's a cinch
- kinetic
that's a good idea.
I'll do a strstr on the filename and if it contains php I won't accept.
so obvious...not sure why i didn't think of it ;)
thanks
- kappa
As long as the file extension isn't '.php' (or however you have apache configured) when you save the file, it won't parse the php anyway, so what's the trouble?
If you really want to make sure nobody is uploading PHP scripts, match "<?php" on the uploaded file contents, if it finds a match, reject the upload.
- kinetic
it won't parse it, no..
but if they have the ability to upload it...they have the ability to run it from their browser once the file reaches a public place
- kappa
no -- parse == run, and if the filename ends in ".txt" it won't parse, it'll display as text, unless your server is misconfigured.
- CAJTBr
i assumed he knew that kappa. he was trying to allow people to upload files with a .txt extension, but not allow those with .php right?
- kinetic
yea, that's right
the way i had it...it was letting in both
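
Added example, not part of any post in this thread: one way to combine the checks discussed above (extension taken from the real filename, a match on "<?php" in the contents) with a type check on the uploaded bytes instead of the browser-reported type. The function name validate_upload, the $uploadDir parameter and the ALLOWED table are assumptions made for illustration.

```php
<?php
// Added example: allowlist validation for one slot of the multi-file
// "userfile" field. Names other than the $_FILES keys are hypothetical.

const ALLOWED = [            // extension => MIME type expected from the file's bytes
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'txt'  => 'text/plain',
];

function validate_upload(array $files, int $i, string $uploadDir): string
{
    if ($files['error'][$i] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    $tmp = $files['tmp_name'][$i];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file.');
    }

    // Take the extension from the real (client) filename, not from ['type']:
    // ['type'] is whatever the browser sent and is not checked by PHP.
    $ext = strtolower(pathinfo($files['name'][$i], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('That type of file is not allowed.');
    }

    // Detect the type from the bytes on disk and require it to match.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('File contents do not match the extension.');
    }

    // Content check from the thread: refuse text that contains a PHP open tag.
    if ($ext === 'txt' && stripos(file_get_contents($tmp), '<?php') !== false) {
        throw new RuntimeException('PHP code is not allowed.');
    }

    // Save under a server-generated name that ends in the allowlisted
    // extension, so the stored file never ends in .php.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $dest;
}
```

Call it as validate_upload($_FILES['userfile'], $i, $uploadDir) inside the upload loop. The exact-match MIME check fails closed: a legitimate .txt file whose contents the detector classifies as something other than text/plain is rejected.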