How can I protect sending php files against shell script, knowing that I only accept one type of extension.
Instead of checking the extension you can check the contents using the PHP API called fileinfo, as I showed in this reply /a/73497/3635

Note that in PHP 5.3 (although rare, some servers still use it) we did not have Fileinfo, but we had mime_content_type (the documentation does not say whether it is deprecated), so I put it in as a fallback: if one function is available use it, if not try the older one; however, both are always enabled.

Example:
<?php
// Detect the MIME type from the file contents, preferring the finfo
// extension and falling back to mime_content_type on older PHP.
function mimeType($file)
{
    $mimetype = false;
    if (class_exists('finfo')) { // PHP 5.4+
        $finfo = finfo_open(FILEINFO_MIME_TYPE);
        $mimetype = finfo_file($finfo, $file);
        finfo_close($finfo);
    } else if (function_exists('mime_content_type')) { // PHP 5.3 or lower
        $mimetype = mime_content_type($file);
    }
    return $mimetype;
}

// List the allowed types here
$validos = array( 'image/jpeg', 'image/png', 'image/gif', 'text/plain' );
$location = 'uploads/';

if (isset($_FILES['file'])) {
    $arquivo = $_FILES['file'];
    $name = $arquivo['name'];
    $tmp_name = $arquivo['tmp_name'];
    if ($arquivo['error'] !== UPLOAD_ERR_OK) {
        // $arquivo['error'] holds the UPLOAD_ERR_* code
        echo 'Erro ao fazer o upload:', $arquivo['error'];
    } else {
        // Get the mimetype from the contents, not from the extension
        $mimeType = mimeType($tmp_name);
        // Check the mimetype against the whitelist
        if (!in_array($mimeType, $validos)) {
            echo 'Formato de arquivo invalid';
        } elseif (move_uploaded_file($tmp_name, $location . $name)) {
            // Note: the client-supplied name (and its extension) is kept as-is
            echo 'Upload completo';
        }
    }
}
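The answer above keeps the client-supplied filename, so a file whose contents sniff as an image but whose name ends in .php still lands in uploads/ under that name. The following is an added example, not code from the answer or from any project, that applies the same content-sniffing idea but lets the server choose both the stored name and the extension from the detected type. It assumes PHP 5.4+ (so finfo is always available), a form field named "file", and a writable upload directory outside the web root; the function name storeUpload and the $allowedTypes map are the example's own.

```php
<?php
// Added example: validate an upload by sniffing its content with finfo,
// then store it under a server-chosen random name and extension so that
// neither the client's filename nor its extension reaches the filesystem.

// Detected content type -> extension the server assigns. Anything not
// listed is rejected.
$allowedTypes = array(
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'text/plain' => 'txt',
);

/**
 * Stores one entry of $_FILES. Returns the stored path on success or an
 * error string on failure.
 */
function storeUpload(array $file, array $allowed, $uploadDir)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        $code = isset($file['error']) ? $file['error'] : '?';
        return 'upload failed with error code ' . $code;
    }
    // Only trust files that really arrived through the upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }

    // Sniff the real content. $file['type'] and $file['name'] are both
    // chosen by the client and are deliberately ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        return 'rejected content type: ' . var_export($mime, true);
    }

    // For images, require that PHP's image decoder agrees with finfo,
    // which catches files that merely start with an image signature.
    if (strpos($mime, 'image/') === 0) {
        $info = @getimagesize($file['tmp_name']);
        if ($info === false || $info['mime'] !== $mime) {
            return 'image header does not match detected type';
        }
    }

    // Server-chosen name: random hex plus the extension from the map.
    // This is what keeps a file named "anything.php" out of uploads/.
    $name = bin2hex(openssl_random_pseudo_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'could not move file';
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

// Usage (assumes a form field named "file" and an uploads/ directory
// one level above the web root).
if (isset($_FILES['file'])) {
    $result = storeUpload($_FILES['file'], $allowedTypes, __DIR__ . '/../uploads');
    echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
}
```

Serving the stored files back through a script (or a directory with PHP execution disabled) rather than directly from the upload directory removes the remaining dependence on the extension altogether.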
thank you very much friend :)
– Jefferson Mello Olynyki
OK I’ll test now in the morning
– Jefferson Mello Olynyki
I believe you are not getting the mime type properly; it always falls into the branch saying that it is invalid, even for an allowed file
– Jefferson Mello Olynyki
Huh, the return is: bool(false)
– Jefferson Mello Olynyki
Let’s go continue this discussion in chat.
– Jefferson Mello Olynyki
I believe you do not have mime type in version 5.2 of php
– Jefferson Mello Olynyki
I’m changing the script to newer versions; it’s very old and has many deprecated functions. I’m updating it, so I will use fileinfo anyway
– Jefferson Mello Olynyki
Yes, they are old functions: eregi, ereg, variables showing up as Undefined, but I am already adjusting it; it is better than being limited. The scripts were created in 2006 :)
– Jefferson Mello Olynyki
http://pastebin.com/k6xdEswX
– Jefferson Mello Olynyki
@Jeffersonmelloolynyki I haven’t used php5.2 for a while, but try removing the ";" from this line: ;extension=php_mime_magic.dll leaving extension=php_mime_magic.dll and restart Apache/Wamp/Xampp and see if it works
– Guilherme Nascimento