#1
  1. /*
    Devshed Novice (500 - 999 posts)

    Join Date
    Mar 2007
    Location
    Sydney, Australia
    Posts
    729
    Rep Power
    620

    Uploaded File Handling


    Hi folks,

    I was wondering if any devsheders can recommend a library or solution for handling file uploads in php.

    In my case I am receiving user uploaded files using multipart/form-data post data from flash and accessing the file via the $_FILES super global.

    I want to be able to virus check and validate the file types.

    thanks
    Ben
    */
  2. #2
  3. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    13,997
    Rep Power
    9397
    Any decent virus scanner will have already scanned the files as they were being uploaded, or at least when PHP tried to access them. Otherwise it's just a matter of using the right exec/system function to call the right command-line scanner with the right arguments.

    Validate file types? Most people are content to check extension, but if you want to look inside the file then it's trivial to write one yourself. Really. It's simple.
    PHP Code:
    // read the first 10 bytes of the uploaded temp file
    $h = fopen($_FILES["file"]["tmp_name"], "rb");
    $data = fread($h, 10);
    fclose($h);

    // compare the leading bytes against known file signatures
    if (strncmp($data, "\x25\x50\x44\x46\x2D\x31\x2E", 7) == 0) /* is a PDF */;
    if (strncmp($data, "\xFF\xD8\xFF", 3) == 0) /* is a JPEG */;
    // next line isn't supposed to wrap - blame devshed for that
    if (strncmp($data, "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00", 9) == 0) /* is a DOC */;
    if (strncmp($data, "\x4D\x5A", 2) == 0) /* is a DLL */;
    // ...
    I get those character sequences from http://filext.com.

    Comments on this post

    • benno32 agrees : Nice one!
    • holodoc agrees
    Last edited by requinix; April 16th, 2009 at 08:49 AM.
  4. #3
  5. /*
    Devshed Novice (500 - 999 posts)

    Join Date
    Mar 2007
    Location
    Sydney, Australia
    Posts
    729
    Rep Power
    620
    Thanks champion,

    I didn't want to just check the file extension or mime type so I used your method. In my case I only want gif's, jpg's and png's so I added the extra couple of binary checks using the database you posted.

    All three image types made it through the filter. Next I tried putting through a text file called text.txt which I had renamed to text.gif. It did not get through.

    I would have spent a long time trying to figure this out! I owe you a favour.

    Thanks again

    P.S. I like the idea of passing the buck for checking viruses to anti virus software on the server.
    */
  6. #4
  7. Contributing User
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2008
    Location
    North Carolina
    Posts
    2,674
    Rep Power
    2674
    While requinix gave what I think is the best solution, there are a couple things in PHP that may help you.

    mime_content_type()
    fileinfo functions

    Comments on this post

    • holodoc agrees
    • benno32 agrees
  8. #5
  9. Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    I didn't want to just check the file extension
    You need to check the file extension as well. There is nothing stopping me from putting a gif header at the start of a PHP file, uploading it to your server and then being able to execute arbitrary PHP code on your website. PHP won't care if there is a random gif header at the start of the file, it will still execute PHP code inside of the file if the file has a .php extension.

    Comments on this post

    • simshaun agrees
    • ryon420 agrees
    • benno32 agrees : Yes true. Fair enough.
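
The point made in post #5, as an added example that is not part of the thread: a PHP check that accepts an upload only when its leading bytes and its extension both match the same allowed image type. `classify_upload()`, the `ALLOWED` table and the sample files are assumptions constructed for illustration.

```php
<?php
// Added example (not from the thread). classify_upload(), the ALLOWED table
// and the sample files are assumptions made for illustration.

// Each allowed type: accepted leading bytes and the extensions that may go with them.
const ALLOWED = [
    'gif'  => ['sigs' => ["GIF87a", "GIF89a"],        'exts' => ['gif']],
    'jpeg' => ['sigs' => ["\xFF\xD8\xFF"],            'exts' => ['jpg', 'jpeg']],
    'png'  => ['sigs' => ["\x89PNG\x0D\x0A\x1A\x0A"], 'exts' => ['png']],
];

// Returns the type name only when the leading bytes AND the client-supplied
// extension belong to the same allowed type; otherwise null (reject).
function classify_upload(string $tmpPath, string $clientName): ?string
{
    $h = @fopen($tmpPath, 'rb');
    if ($h === false) {
        return null;
    }
    $head = (string) fread($h, 10);
    fclose($h);

    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    foreach (ALLOWED as $type => $rule) {
        foreach ($rule['sigs'] as $sig) {
            if (strncmp($head, $sig, strlen($sig)) === 0) {
                // Signature matched: the extension decides accept or reject.
                return in_array($ext, $rule['exts'], true) ? $type : null;
            }
        }
    }
    return null; // unknown signature
}

// Constructed samples: [client file name, file contents].
$samples = [
    ['photo.gif',  "GIF89a" . str_repeat("\x00", 16)],       // GIF header, GIF extension
    ['pic.JPG',    "\xFF\xD8\xFF\xE0" . str_repeat("\x00", 16)],
    ['text.gif',   "just some plain text"],                  // renamed text file
    ['avatar.php', "GIF89a" . "inert filler, not an image"], // GIF header, wrong extension
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');   // stands in for $_FILES["file"]["tmp_name"]
    file_put_contents($tmp, $bytes);
    $type = classify_upload($tmp, $name);
    printf("%-11s %s\n", $name, $type ?? 'rejected');
    unlink($tmp);
}
```

In an upload handler, save an accepted file under a server-generated name with the extension of the matched type rather than under the client-supplied name.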
  10. #6
  11. /*
    Devshed Novice (500 - 999 posts)

    Join Date
    Mar 2007
    Location
    Sydney, Australia
    Posts
    729
    Rep Power
    620
    Originally Posted by simshaun
    While requinix gave what I think is the best solution, there are a couple things in PHP that may help you.

    mime_content_type()
    fileinfo functions
    Thanks simshaun,

    In my case I am using Flash to upload files and it always sends the mime type application/octet-stream no matter what type of file is being used unfortunately.
    */
