My First Php Project.


danw
04-11-2004, 02:26 PM
I'm really just learning PHP. I've used it for a few minor things on <edited>, but nothing significant. On Friday I wrote a little script to display all the files in the current directory as well as let me upload a file to the directory. (Yes, I know I could've downloaded something, but I wouldn't have learned anything that way!) It's at <filename edited>.

Currently you can overwrite any file there. I need to find a way to prevent that. I'm thinking I can use a regular expression to parse the filename out, add/append a number to the file name, then write that.

Comments?

thevillageinn
04-12-2004, 02:03 AM
What about checking the directory with the script and if a file with the same name exists, append a # or other identifier for the upload.

I'm not really up on PHP but would you use a fopen to try to open the file named and then add an identifier if an error is returned?

dbmasters
04-12-2004, 11:23 AM
http://us4.php.net/manual/en/function.file-exists.php

danw
04-12-2004, 12:26 PM
Originally posted by dbmasters@Apr 12 2004, 10:23 AM
http://us4.php.net/manual/en/function.file-exists.php
Cool! That will work!
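The rename-on-collision idea from the posts above, as an added example rather than the script from the thread. It assumes an upload form field named "userfile" and an uploads directory next to the script; both are assumptions for the example. It uses fopen() in mode 'x', which creates a file only if it does not already exist, so the name is claimed atomically (a plain file_exists() check followed by a write leaves a small window in which two simultaneous uploads could pick the same name):

```php
<?php
// Added example, not the original poster's script. Reserves a non-colliding
// name in $dir for an uploaded file: tries "name.ext", then "name_1.ext",
// "name_2.ext", ... and returns the first one it could create.
function reserveUniqueName(string $dir, string $originalName): string
{
    // Keep only the base name: strips any directory parts a client might send.
    $clean = basename($originalName);
    $base  = pathinfo($clean, PATHINFO_FILENAME);
    $ext   = pathinfo($clean, PATHINFO_EXTENSION);
    if ($base === '') {
        $base = 'upload';          // never produce an empty or dot-only name
    }
    $suffix = $ext === '' ? '' : '.' . $ext;

    for ($n = 0; $n < 1000; $n++) {
        $candidate = ($n === 0) ? $base . $suffix : $base . '_' . $n . $suffix;
        $path = $dir . DIRECTORY_SEPARATOR . $candidate;
        // Mode 'x' fails if the file exists; '@' silences the warning it emits.
        $fh = @fopen($path, 'x');
        if ($fh !== false) {
            fclose($fh);           // the empty placeholder now holds the name
            return $candidate;
        }
    }
    throw new RuntimeException("could not find a free name for $clean");
}

// Usage in the upload handler (field name and directory are assumptions):
$uploadDir = __DIR__ . '/uploads';
if (isset($_FILES['userfile']) && $_FILES['userfile']['error'] === UPLOAD_ERR_OK) {
    $name = reserveUniqueName($uploadDir, $_FILES['userfile']['name']);
    $dest = $uploadDir . DIRECTORY_SEPARATOR . $name;
    // move_uploaded_file() replaces the empty placeholder with the real upload.
    if (!move_uploaded_file($_FILES['userfile']['tmp_name'], $dest)) {
        unlink($dest);             // give the name back on failure
        exit('upload failed');
    }
    echo 'stored as ' . htmlspecialchars($name);
}
```

basename() is applied before anything else so a client-supplied name such as "../index.php" cannot escape the upload directory; the function only decides the name, it does not check size or extension.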

QuickGold
04-12-2004, 03:27 PM
I'm looking to learn PHP in the near future....congrats on venturing out.

danw
04-15-2004, 12:15 PM
I am a PHP god!
Ok, maybe not. But I'm learning. I've made <filename edited> sort the files alphabetically. As well, if you now upload a file whose name already exists, the new file gets renamed so nothing is overwritten! Go me!

eugene
04-15-2004, 02:38 PM
A few warnings for you Dan:
1. It is a bad idea to make such file uploaders publicly accessible.
2. For example, go to the following URL: http://<<pathedited>>/ss.php?e=index.php
Does that look familiar? It should. In the same way that I demonstrate the use of ss.php, imagine what could be done by a script that wipes out your entire site or databases. There is a file named VEnna1.ram that has been uploaded. If you try to view deleteV.php (or deleteW.php) then it will be deleted.
3. Your MAX_FILE_SIZE is set in the HTML. Take a look at nistime-32bit.exe: it is 266843 bytes, in excess of the 70kB limit you set. Never set limits in the HTML that you don't also have set server-side in the PHP. I just modified the value of the hidden HTML form element to allow it to accept a larger upload.
4. There were more points, but as I was just distracted by an interruption, I am having trouble remembering what they were. I hope the aforementioned points are useful to you.

dbmasters
04-15-2004, 03:19 PM
While I am happy for your progress, password protect that thing, or change the name and don't post it in the forums. Bad things can happen.

Congrats on your progress tho.

Joe
04-15-2004, 03:34 PM
<filename edited>

:)

danw
04-15-2004, 05:41 PM
Thanks for the warnings and information, guys. I appreciate it. I hadn't given much thought to security, though I did refer to my PHP Programming book and couldn't see anything super obvious to be concerned with.

Eugene, if that additional stuff you thought of pops into your head, I'd be happy to hear it. I know how I can set a "real" file size limit in the php code. I think I could also eliminate the concern of doing things like your deleteW.php file by only allowing files with certain extensions--is that true?

I've referred to php.net for lots of info... any other good places?

Dan

eugene
04-15-2004, 06:41 PM
What exactly do you hope to accomplish? As a filemanager, you have done a good job, however, if your desire is to ultimately create a php script that can be used to store documents, then you really ought to take another approach. I have example code from similar projects that you are more than welcome to read through.

The general rule is that you always assume some hacker has access. Your job is to eliminate possible sources of abuse. Checking extensions is a good start, but it is not enough. For example, suppose that you make the script disable all .php files. A clever hacker or cracker could just upload a .htaccess file with instructions to apache to parse other non-.php files with the zend engine as well. All of a sudden, they could upload a file with an innocent name like "guidelines.pdf" or "guidelines.doc" which contained php code to wreak havoc on your account.

There are many other attacks to watch out for, and I have yet to see or read/hear of anyone using the aforementioned .htaccess attack (except me, of course :P ) in a proof of concept demonstration. :ph34r:

-Eugene
Perhaps I'd better strike the previous comment and how-to??? :unsure:
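The server-side checks that Eugene's points call for (a real size limit instead of the hidden MAX_FILE_SIZE field, an extension allow-list, and a refusal of dot-files such as .htaccess), as an added example that is not Dan's script or Eugene's example code. The field name "userfile", the 70kB figure from the thread, the list of allowed extensions and the character rule for names are all assumptions for the example:

```php
<?php
// Added example, not the script from the thread. Validates one $_FILES entry
// entirely on the server; nothing the client sends in the form is trusted.
const MAX_UPLOAD_BYTES   = 70 * 1024;                       // assumed limit
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf']; // assumed list

/**
 * Returns null if the upload is acceptable, otherwise a short reason string.
 * $file is one entry of $_FILES, e.g. $_FILES['userfile'].
 */
function validateUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload error ' . $file['error'];
    }
    // is_uploaded_file() confirms tmp_name really came from this request's
    // upload and is not some other path on the server.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // Size is taken from the temp file itself, not from any form field.
    if (filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        return 'file exceeds ' . MAX_UPLOAD_BYTES . ' bytes';
    }
    $name = basename($file['name']);
    // Dot-files (.htaccess, .user.ini) change how Apache and PHP treat the
    // directory, which is exactly the trick described above.
    if ($name === '' || $name[0] === '.') {
        return 'hidden or empty file name';
    }
    // Exactly one dot: "name.ext". Names with several extensions are refused
    // because Apache's mod_mime can act on an extension in any position.
    $parts = explode('.', $name);
    if (count($parts) !== 2) {
        return 'file name must be of the form name.ext';
    }
    if (!in_array(strtolower($parts[1]), ALLOWED_EXTENSIONS, true)) {
        return 'extension not allowed';
    }
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $parts[0])) {
        return 'file name contains disallowed characters';
    }
    return null;
}

// Usage (field name is an assumption):
if (isset($_FILES['userfile'])) {
    $problem = validateUpload($_FILES['userfile']);
    if ($problem !== null) {
        http_response_code(400);
        exit('rejected: ' . htmlspecialchars($problem));
    }
    // Accepted: move_uploaded_file() it into a directory from which the web
    // server serves static files only, or that sits outside the document root.
}
```

The extension check alone is the "good start" Eugene describes; the dot-file and single-extension rules close the .htaccess route he mentions, and keeping the upload directory out of the document root (or configured so nothing in it is executed as PHP) means a file that slips past the name checks is still only served as data.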

danw
04-15-2004, 08:10 PM
Originally posted by eugene@Apr 15 2004, 05:41 PM
What exactly do you hope to accomplish?
Aside from the security concerns, I guess I've met my immediate goal. The ultimate goal is to become a much more proficient programmer. I do a little with InstallShield Pro, but that's hardly useful for day-to-day work. Text manipulation and PDF-generation would be useful tools for me (both at work and play). So, here I am.

The purpose: when posting to forums I often want/need to display a screenshot or photo or whatever. Uploading via DA login or FTP is always quite a few clicks. This is quicker.

I appreciate the feedback.