Member Avatar for Sorcher

Greetings!
Anyone here who can correct my code?
I'm abit noob to PHP, just started learning.
The Ban file function of mine does the echo but it wont stop the file upload. Any idea? have i inplented it wrong or do i miss a line?
Love you long time if you correct it.. +1 !

//Ban file if executable!
   $blacklist = array(".php", ".phtml", ".php3", ".php4", ".js", ".shtml");
    foreach ($blacklist as $item) 
    {
    if(preg_match("/$item\$/i", $_FILES['uploaded_file']['name'])) 
    {
    echo "ERROR: Uploading executable files Not Allowed\n";
    exit;
    }
    }

Here is the complete script.

<?php
// Check if a file has been uploaded
if(isset($_FILES['uploaded_file'])) {
    // Make sure the file was sent without errors
    if($_FILES['uploaded_file']['error'] == 0) {
        // Connect to the database
        $dbLink = new mysqli('xxxxxx', 'xxxxxx', 'xxxxxx', 'xxxxxx');
        if(mysqli_connect_errno()) {
            die("MySQL connection failed: ". mysqli_connect_error());
        }
 $userid = $_SESSION['loginid']; //login session
$target = "inc/user_images/".$userid."_"; 
$target = $target . basename( $_FILES['uploaded_file']['name']); 
        // Gather all required data
 
        $name = $dbLink->real_escape_string($_FILES['uploaded_file']['name']);
        $mime = $dbLink->real_escape_string($_FILES['uploaded_file']['type']);
     // delete this line   $data = $dbLink->real_escape_string(file_get_contents($_FILES  ['uploaded_file']['tmp_name']));
        $size = intval($_FILES['uploaded_file']['size']);
 
        // Create the SQL query
       //add userid to your database delete the data entity.
        $query = "
            INSERT INTO `userfile` (
              `userid`,  `name`, `mime`, `size`, `created`
            )
            VALUES ('{$userid}',
                '{$name}', '{$mime}', {$size}, NOW()
            )";
 
        // Execute the query
        $result = $dbLink->query($query);
		
 //Ban file if executable!
   $blacklist = array(".php", ".phtml", ".php3", ".php4", ".js", ".shtml");
    foreach ($blacklist as $item) 
    {
    if(preg_match("/$item\$/i", $_FILES['uploaded_file']['name'])) 
    {
    echo "ERROR: Uploading executable files Not Allowed\n";
    exit;
    }
    }
 
        // Check if it was successfull
        if($result) {
            move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $target);
            echo 'Success! Your file was successfully added!';
        }
        else {
            echo 'Error! Failed to insert the file'
               . "<pre>{$dbLink->error}</pre>";
        }
    }
    else {
        echo 'An error accured while the file was being uploaded. '
           . 'Error code: '. intval($_FILES['uploaded_file']['error']);
    }

    // Close the mysql connection
    $dbLink->close();
}
else {
    echo 'Error! Your file was not sent!';
}
 
// Echo a link back to the main page
echo '<p>Click <a href="index.php">here</a> to go back!</p>';
?>
  • 3 Contributors
  • 3 Replies
  • 215 Views
  • 12 Hours Discussion Span
  • Latest Post Latest Post by Sorcher
Member Avatar for =OTS=G-Man

Well you wont be able to stop the upload itself, because it is sent with the POST. But from the looks of your script, Just need to rearrange it so that you can stop from saving script files.

Think you should do the ban check first before adding the entry to the database, then all you will have to do on a fail it delete the temp uploaded items.

Edited by =OTS=G-Man because: n/a
Member Avatar for nonshatter

You can have a look at this function I used a while ago to determine the file extension:

//--- DETERMINES IMAGE EXTENSION ---//
function getExtension($str) {
	$i = strrpos($str,".");
		if (!$i) {
			return "";
		}
	$l = strlen($str)-$i;
	$exten = substr($str,$i+1,$l);
	return $exten;
}

                $errors = 0;
                $filename = stripslashes($_FILES['image']['name']);
                $extension = getExtension($filename);
		$extension = strtolower($extension);
			
		if (($extension == "php") || ($extension == "phtml") || ($extension == "html") || ($extension == "js")) {
			$errors = 1;
			echo 'wrong extension';
		}
                if($errors >= 1) {
			echo 'There was a problem';
                        die(1);
		}

I can post the whole thing if you need it - it might make more sense that way. Just let me know :D

Edited by nonshatter because: n/a
commented: Ask him for help and google will look bad! +1
Member Avatar for Sorcher

Thanks allot Nonshatter :) got this working now!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.