Problem in uploading a file

This is the form code:

[code]
<form name="cv" action="uploadcv.php" enctype="multipart/form-data" method="post">
Roll#: <input type="text" name="txtroll"/> <br/><br/>
CV Upload: <input type="file" name="file" /> <br/><br/>
<input type="submit" name="submit" /> <input type="reset"/> <br/><br/>
</form>
[/code]
and this is the PHP code:
[php]
<?php
mysql_connect("localhost", "root", "");
mysql_select_db("student");

$rollno = $_POST["txtroll"];
$target_path = "upload/";
$target_path = $target_path . basename($_FILES['file']['name']);

if (move_uploaded_file($_FILES['file']['tmp_name'], $target_path)) {
    echo "The file " . basename($_FILES['file']['name']) . " has been uploaded";
} else {
    echo "Error in uploading the file, please try again!";
}

$query = "INSERT INTO upload(roll,file) VALUES($rollno,'$target_path')";
mysql_query($query);
echo "Information is Updated";
echo mysql_error();
?>
[/php]

1 >>> The problem is that when I uploaded a file smaller than 1000 KB it was uploaded, but when the file was larger than 1000 or 2000 KB it was not uploaded, and I haven't even written a condition for that???

2 >>> I want to restrict this code to upload only 'pdf' and Word document files with a file size of less than 2000 KB?? Which code is needed for this and how do I put it in my code??

please help me …
THANK YOU!

Hi ubaid,

Try the following php code:
[php]
<?php
mysql_connect("localhost", "root", "");
mysql_select_db("student");

$rollno = $_POST["txtroll"];

$target_path = 'upload/';
$filename = isset($_FILES['file']['name']) ? $_FILES['file']['name'] : '';
$destPathFile = $target_path . basename($filename);
$fileExt = substr($filename, -4);

$extentions = array('.pdf', '.doc');
$filetypes = array('application/pdf', 'application/msword');
$maxSize = 2048000; // 2000 KB expressed in bytes

$errors = array();

if (empty($_FILES['file'])) // Most likely the user didn't choose a file, or php did not allow the upload (check your php.ini file)
{
    $errors[] = 'No file was submitted, or file upload was blocked by php configuration';
}
elseif ($_FILES['file']['error'] > 0) // A php error was returned
{
    $errors[] = 'File upload lead to the following error: ' . $_FILES['file']['error'];
}
else
{
    if ($_FILES['file']['size'] > $maxSize) // The file was too large
    {
        $errors[] = 'File too large';
    }
    if (!empty($filetypes) && !in_array($_FILES['file']['type'], $filetypes)) // The filetype was not acceptable. DO NOT TRUST THIS TECHNIQUE IF FILE TYPE IS TRULY CRITICAL
    {
        $errors[] = 'Wrong file type';
    }
    if (!empty($extentions) && !in_array($fileExt, $extentions)) // The file extention was not acceptable.
    {
        $errors[] = 'Wrong file extention';
    }
}

if (empty($errors) && file_exists($destPathFile)) // No other errors, but file already exists
{
    $errors[] = "Could not save file, $filename already exists.";
}

if (empty($errors)) // Only move the file when every check above passed
{
    move_uploaded_file($_FILES['file']['tmp_name'], $destPathFile);
    if (!file_exists($destPathFile))
    {
        $errors[] = "Failed to save file as $destPathFile";
    }
    else
    {
        // NOTE THIS NEEDS TO BE SANITIZED!
        $query = "INSERT INTO upload(roll,file) VALUES($rollno,'$destPathFile')";
        mysql_query($query);
        echo 'Information is Updated';
        echo mysql_error();
    }
}

if (!empty($errors)) echo "The following errors were encountered:\n" . implode("\n", $errors);

?>
[/php]
You will want to adjust $extentions and $filetypes to match what you wish to allow. You can also remove them if you don't want to limit them. If the filetype is critical, do not trust this method. It can easily be spoofed and you will need to look into better options!

You should also make sure that your php.ini file is not causing a problem. You can add the following to your php code to display the relevant configuration info:
[php]
phpinfo(INFO_CONFIGURATION);
[/php]
Among other possibilities, check the upload_max_filesize and post_max_size. Make sure that post_max_size is larger than upload_max_filesize and the upload_max_filesize is at least as large as the largest file you would like to allow.

IMPORTANT: You need to sanitize your query! There are many articles online about this. I was going to link one; however, the forum is not allowing the including of links within posts at this time.

You will obviously want to adjust the above code to work with your application. Let me know if it doesn’t work or if you need help adjusting it.
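The size problem in the original question is usually PHP's own limits rather than the script: uploads above upload_max_filesize get an error code in $_FILES, and a request above post_max_size arrives with $_FILES and $_POST completely empty. The following helper is an added example, not code from either poster; it reads the effective limits with ini_get(), converts the php.ini shorthand ("2M", "8M") to bytes, and maps the UPLOAD_ERR_* codes to readable messages. It assumes PHP 5.3 or later and the field name "file" from the form above; the byte conversion and message table are mine.

```php
<?php
// Added example: report the php.ini upload limits and explain $_FILES error codes.
// Assumes the form field is named "file" as in the thread.

function ini_bytes($value)
{
    // php.ini shorthand: "2M", "8M", "512K", "1G" or a plain number of bytes.
    $value = trim($value);
    $unit  = strtolower(substr($value, -1));
    $num   = (int) $value;          // "(int) '2M'" yields 2
    switch ($unit) {
        case 'g': $num *= 1024;     // fall through
        case 'm': $num *= 1024;     // fall through
        case 'k': $num *= 1024;
    }
    return $num;
}

function upload_limits()
{
    $upload = ini_bytes(ini_get('upload_max_filesize'));
    $post   = ini_bytes(ini_get('post_max_size'));
    return array(
        'upload_max_filesize' => $upload,
        'post_max_size'       => $post,
        // post_max_size covers the whole request (file plus other fields),
        // so it has to be larger than the per-file limit.
        'consistent'          => $post > $upload,
    );
}

function upload_error_message($code)
{
    switch ($code) {
        case UPLOAD_ERR_OK:         return 'No error';
        case UPLOAD_ERR_INI_SIZE:   return 'File exceeds upload_max_filesize in php.ini';
        case UPLOAD_ERR_FORM_SIZE:  return 'File exceeds MAX_FILE_SIZE set in the HTML form';
        case UPLOAD_ERR_PARTIAL:    return 'File was only partially uploaded';
        case UPLOAD_ERR_NO_FILE:    return 'No file was uploaded';
        case UPLOAD_ERR_NO_TMP_DIR: return 'Missing a temporary folder';
        case UPLOAD_ERR_CANT_WRITE: return 'Failed to write file to disk';
        case UPLOAD_ERR_EXTENSION:  return 'A PHP extension stopped the upload';
        default:                    return 'Unknown upload error ' . $code;
    }
}

// Usage at the top of uploadcv.php. A request bigger than post_max_size never
// reaches $_FILES at all, so that case has to be detected from the empty arrays.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && empty($_FILES) && empty($_POST)) {
    $limits = upload_limits();
    echo 'Request rejected: larger than post_max_size (' . $limits['post_max_size'] . ' bytes)';
} elseif (isset($_FILES['file'])) {
    $limits = upload_limits();
    if (!$limits['consistent']) {
        echo 'Warning: post_max_size is not larger than upload_max_filesize; ';
    }
    echo upload_error_message($_FILES['file']['error']);
}
```

If the report shows the default 2M, raising upload_max_filesize (and keeping post_max_size above it) in php.ini is the fix for the first question; the script-level size check still belongs in the code, because the php.ini values are per server, not per form.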

The file type is already contained in $_FILES['file']['type'], and doing it like what was suggested can easily be faked.
This is how I took care of checking the file type:
[php]
$permitted = array('image/jpeg', 'image/pjpeg');
$typeOK = false; // stays false unless a permitted type matches
foreach ($permitted as $img_type) {
    if ($img_type == $_FILES['pic']['type']) {
        $typeOK = true;
        break;
    }
}
[/php]
And I did the max size like this:
[php]
// in top of file
define('MAX_FILE_SIZE', 524288);

$sizeOK = false;
if ($_FILES['pic']['size'] > 0 && $_FILES['pic']['size'] <= MAX_FILE_SIZE) {
    $sizeOK = true;
}
[/php]
The file size is in bytes.

Richei,

I did point out this vulnerability: "If the filetype is critical, do not trust this method. It can easily be spoofed and you will need to look into better options!"

I have used other techniques (MIME type, etc.) in the past. I am trying to understand how the example code you posted is more secure; it seems to be identical in function. (If it is more secure, I would start using it in some of my existing code that is currently vulnerable but not critical.) I should mention that the code I presented is not something I am using as presented, but I wanted to be as thorough as possible for the benefit of the OP.

Also, I have read a couple of articles comparing straight constants to straight variables and, while trivial in this situation, the variables were faster. Is there a reason you prefer to define the file size as a constant, or is it just a coding preference? If there is a functional advantage, I will start using more constants.

No method is super secure. If you know what you're doing, the file type can easily be faked; I've done it a few times to test some upload scripts I was working on. But if the information is already there, why waste time writing extra code when you don't have to?
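Both posters agree that $_FILES['file']['type'] is whatever the browser chose to send, and the earlier reply left its INSERT marked "NEEDS TO BE SANITIZED". The handler below is an added example (not code from either poster) showing the "better options" the thread alludes to: the type is decided from the file's own bytes on the server with the fileinfo extension, the extension comes from a whitelist, the stored name is random rather than the client's, and the INSERT is a PDO prepared statement so $rollno and the path can never alter the SQL. It keeps the thread's table (upload, columns roll and file), database (student) and field names (txtroll, file); the PHP 7+ requirement, the finfo/PDO usage and the allowed-type map are assumptions.

```php
<?php
// Added example: server-side validation that ignores the browser-supplied
// $_FILES['file']['type'], plus a prepared statement for the INSERT.
// Assumes PHP >= 7.0 with the fileinfo and pdo_mysql extensions enabled.

// Whitelist keyed by extension, value = MIME type libmagic is expected to report.
// Caveat: the result libmagic gives for old binary .doc files varies between
// versions (e.g. application/msword vs application/x-ole-storage); verify the
// value on the actual server before relying on this map.
$allowed = array(
    'pdf' => 'application/pdf',
    'doc' => 'application/msword',
);
$maxSize = 2000 * 1024; // 2000 KB, the limit asked for in the question

// Returns the validated extension, or false after appending a reason to $errors.
function validate_upload(array $file, array $allowed, $maxSize, array &$errors)
{
    // PHP sets 'error' to UPLOAD_ERR_OK (0) only when the upload completed.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        $errors[] = 'Upload failed (PHP error code ' . (isset($file['error']) ? $file['error'] : 'none') . ')';
        return false;
    }
    if ($file['size'] <= 0 || $file['size'] > $maxSize) {
        $errors[] = 'File is empty or larger than ' . $maxSize . ' bytes';
        return false;
    }
    // Extension: lower-cased, taken from the original name, checked against the whitelist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        $errors[] = 'Extension not allowed';
        return false;
    }
    // Content: read the magic bytes of the temp file instead of trusting the client's type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== $allowed[$ext]) {
        $errors[] = 'File content (' . $detected . ') does not match its extension';
        return false;
    }
    // Confirm the path really is PHP's upload temp file before moving it.
    if (!is_uploaded_file($file['tmp_name'])) {
        $errors[] = 'Not an uploaded file';
        return false;
    }
    return $ext;
}

// Moves the file under a random name with the validated extension; returns the
// stored path or false. The client's filename never becomes a path on disk.
function store_upload(array $file, $ext, $targetDir)
{
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($targetDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

$errors = array();
$rollno = isset($_POST['txtroll']) ? $_POST['txtroll'] : '';
if (!ctype_digit($rollno)) {
    $errors[] = 'Roll number must be numeric';
}
$ext = isset($_FILES['file']) ? validate_upload($_FILES['file'], $allowed, $maxSize, $errors) : false;

if (!$errors && $ext !== false) {
    $dest = store_upload($_FILES['file'], $ext, 'upload');
    if ($dest === false) {
        $errors[] = 'Could not save the file';
    } else {
        // Prepared statement: values travel separately from the SQL text, so
        // nothing in $rollno or $dest can change the query.
        $pdo = new PDO('mysql:host=localhost;dbname=student;charset=utf8', 'root', '');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $stmt = $pdo->prepare('INSERT INTO upload (roll, file) VALUES (?, ?)');
        $stmt->execute(array($rollno, $dest));
        echo 'Information is updated';
    }
}
if ($errors) {
    echo 'The following errors were encountered: ' . htmlspecialchars(implode('; ', $errors));
}
```

The upload directory should also be outside the web root, or configured so the web server does not execute anything in it; the random filename and validated extension limit what an attacker can name a file, but the content check is what keeps a renamed script from being accepted as a PDF.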
