PHP Uploaden werkt niet goed
Ik heb een site waarbij een upload systeem zit. Nu heb ik een probleem: ik kan zomaar PHP bestanden uploaden terwijl dat niet mag.
Mijn code:
Code (php)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<?php
//This line assigns a random number to a variable. You could also use a timestamp here if you prefer.
$ran = rand () ;
//This takes the random number (or timestamp) you generated and adds a . on the end, so it is ready of the file extension to be appended.
$ran2 = rand () ;
$target = "./images/";
$target = $target . $ran2.$ran.$ext;
$target = $target . basename( $_FILES['uploaded']['name']) ;
//This is our limit file type condition
if ($_FILES['uploaded']['type'] == "text/php")
{
die("No PHP files<br>");
}
if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded";
}
else
{
echo "Sorry, there was a problem uploading your file.";
}
?>
//This line assigns a random number to a variable. You could also use a timestamp here if you prefer.
$ran = rand () ;
//This takes the random number (or timestamp) you generated and adds a . on the end, so it is ready of the file extension to be appended.
$ran2 = rand () ;
$target = "./images/";
$target = $target . $ran2.$ran.$ext;
$target = $target . basename( $_FILES['uploaded']['name']) ;
//This is our limit file type condition
if ($_FILES['uploaded']['type'] == "text/php")
{
die("No PHP files<br>");
}
if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded";
}
else
{
echo "Sorry, there was a problem uploading your file.";
}
?>
Afhankelijk van wat je wilt, is het sowieso handig om inderdaad op extensie van het bestand te kijken. Zie ook hier verder op phphulp, laatste week zijn er een aantal topics over geweest.
Code (php)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
<?php
include_once('need.php');
if ($_GET['actie'] == "avatar"){
//This line assigns a random number to a variable. You could also use a timestamp here if you prefer.
$ran = rand () ;
//This takes the random number (or timestamp) you generated and adds a . on the end, so it is ready of the file extension to be appended.
$ran2 = rand () ;
$target = "./img/userpics";
$target = $target . $ran2.$ran.$ext;
$target = $target . basename( $_FILES['uploaded']['name']) ;
//This is our limit file type condition
if (!$_FILES["file"]["type"] == "image/gif" or !$_FILES["file"]["type"] == "image/bmp" or !$_FILES["file"]["type"] == "image/png" or !$_FILES["file"]["type"] == "image/jpeg")
{
die("<div id='error'><h1>Alleen GIF, BMP, PNG en JPG/JPEG bestanden zijn toegelaten.</h1></div>");
}
if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
//ok
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded";
}
else
{
echo "<div id='error'><h1>Er was een probleem bij het uploaden van het bestand.</h1></div>";
}
}
?>
include_once('need.php');
if ($_GET['actie'] == "avatar"){
//This line assigns a random number to a variable. You could also use a timestamp here if you prefer.
$ran = rand () ;
//This takes the random number (or timestamp) you generated and adds a . on the end, so it is ready of the file extension to be appended.
$ran2 = rand () ;
$target = "./img/userpics";
$target = $target . $ran2.$ran.$ext;
$target = $target . basename( $_FILES['uploaded']['name']) ;
//This is our limit file type condition
if (!$_FILES["file"]["type"] == "image/gif" or !$_FILES["file"]["type"] == "image/bmp" or !$_FILES["file"]["type"] == "image/png" or !$_FILES["file"]["type"] == "image/jpeg")
{
die("<div id='error'><h1>Alleen GIF, BMP, PNG en JPG/JPEG bestanden zijn toegelaten.</h1></div>");
}
if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
//ok
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded";
}
else
{
echo "<div id='error'><h1>Er was een probleem bij het uploaden van het bestand.</h1></div>";
}
}
?>
En ik kan niets meer uploaden :S
voor de rest vergeet je
http://www.php.net/isset
$_FILES['file']['error']
en die controle op type is niet goed, gebruik
http://www.php.net/manual/en/function.finfo-open.php
of
http://www.php.net/manual/en/function.exif-read-data.php
hoewel je natuurlijk nooit voor de volle 100% erop kan vertrouwen maar het is in ieder geval beter dan wat je nu gebruikt.
Jij zegt:
als:
type is niet image/gif
OF
type is niet image/bmp
OF
type is niet image/png
dan doodgaan
Dat is dus altijd. Als de type image/gif is, dan is het niet image/bmp, en dan stopt het script.
Je moest dus AND gebruiken.
Met type kun je niks, controleer liever op extensie.