Uploading in PHP CPTE 212 2/24/2015 John Beckett.

Presentation on theme: "Uploading in PHP CPTE 212 2/24/2015 John Beckett."— Presentation transcript:

1 Uploading in PHP CPTE 212 2/24/2015 John Beckett

2 PHP Upload Process
Special form that passes the $_FILES autoglobal array
The uploaded file is placed in a temporary location
Your program may move it to a target location

3 But First – What files are there?

```php
<?php
// Looking in our own directory
$Dir = ".";
$DirOpen = opendir($Dir);
// Compare against false explicitly: a file named "0" would otherwise end the loop early
while (($CurFile = readdir($DirOpen)) !== false) {
    echo $CurFile . " \n";
}
closedir($DirOpen);
?>
```

4 You Need a Form

```html
<!-- The action URL and the input tags did not survive the transcript; the field
     name "uplfile" is the one the $_FILES dump on slide 5 shows. -->
<form method="POST" action="" enctype="multipart/form-data">
  Select file: <input type="file" name="uplfile">
  <input type="submit" value="Upload">
</form>
```

5 Where is the File?
It was uploaded to the /tmp directory

```php
print " ";
print_r($_FILES);
print " ";
print " The file we are uploading is named:" . $_FILES["uplfile"]["name"] . " ";
```

Output of print_r($_FILES):

```
Array
(
    [uplfile] => Array
        (
            [name] => Uploading in PHP.pptx
            [type] => application/vnd.openxmlformats-officedocument.presentationml.presentation
            [tmp_name] => /tmp/phpkEARuN
            [error] => 0
            [size] => 44491
        )
)
```

6 Moving the file: check first, then move

```php
print "Moving:" . $_FILES["uplfile"]["tmp_name"] . " ";
print "We will place it at:" . "myfiles/" . $_FILES["uplfile"]["name"] . " ";
if (move_uploaded_file($_FILES["uplfile"]["tmp_name"],
                       "myfiles/" . $_FILES["uplfile"]["name"])) {
    print "Appears to be successfully uploaded";
} else {
    print "Could not upload for some reason";
}
```

Typical problems:
Target directory does not have permissions for www-user to write
Failed to give the full filespec for the destination

Output:

```
The file we are uploading is named:Uploading in PHP.pptx
Moving:/tmp/phpkEARuN
We will place it at:myfiles/Uploading in PHP.pptx
Appears to be successfully uploaded
```

7 Uploading a file

```php
<?php
// Code adapted from textbook, page 239
$Dir = ".";  // Looking in our own directory
$DirOpen = opendir($Dir);
// Compare against false explicitly so a file named "0" does not end the loop
while (($CurFile = readdir($DirOpen)) !== false) {
    echo $CurFile . " \n";
}
closedir($DirOpen);
?>
<!-- The action URL and input tags did not survive the transcript; "uplfile" is the field name used below -->
<form method="POST" action="" enctype="multipart/form-data">
  Select file: <input type="file" name="uplfile">
  <input type="submit" value="Upload">
</form>
<?php
if (isset($_FILES["uplfile"])) {
    print " The file we are uploading is named:" . $_FILES["uplfile"]["name"] . " ";
    print "Moving:" . $_FILES["uplfile"]["tmp_name"] . " ";
    print "We will place it at:" . "myfiles/" . $_FILES["uplfile"]["name"] . " ";
    if (move_uploaded_file($_FILES["uplfile"]["tmp_name"],
                           "myfiles/" . $_FILES["uplfile"]["name"])) {
        print "Appears to be successfully uploaded";
    } else {
        print "Could not upload for some reason";
    }
    print " ";
    print_r($_FILES);
    print " ";
}
?>
```

8 Defcon Levels – How dangerous is this?
Green – Informational site only. Beware of non-visible files.
Beige – Use client input to structure queries. Possible SQL injection. Protect by limiting the SQL view to "read only" mode.
Yellow – Use client input to accept data for the database. Possible SQL injection. Protect by sanitizing SQL.
Red – File uploads. Could upload executable files. Protect by using a separate directory. Protect by moderating before posting. Could fill up your hard drive.

9 HW07 Protection Methods – How do we make uploads safe?
Your HW server site requires .htaccess authentication with a password for any access. In a production system you might require a login for upload capability; otherwise someone could fill your disk.
Your program will only load files with extensions from a "whitelist". The list doesn't include anything executable like .php.
Uploaded files must be approved before they are available from the "library." In a production system this step would require an admin login of some sort.

10 HW07 Development - 1
Set up the uploads and library directories
Pre-load some sample files using FileZilla
Write the directory-display part: show files in both directories
Set up .htaccess as indicated in the textbook
print_r($_FILES) to observe the autoglobal array
Add the file upload form; make sure you are getting the correct info in $_FILES
Add code to delete files from the uploads directory

11 HW07 Development - 2
Add the "Approve" function code: copy the file to the library directory; if it went OK, delete it from the uploads directory
Add code to make sure the file is of a permitted type: use pathinfo() to get the extension
Add code to rename the file into the uploads directory
Add code to move a file to the library
Test all the functionality (you'll have to manually delete files from the library)
Comment out your print_r sequences

12 Is This File OK to Upload?
Read the filetypes file into a variable using file(); this gives you an array
Get the file name
Set $guilty = true
Walk through the filetypes array with foreach(); if you find a match, set $guilty = false
if ($guilty == false) { capture the file with the rename function }
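The whitelist check from this slide and the capture step from slides 6 and 11, written out as an added example (not the lecture's or textbook's code). It assumes a file named filetypes with one allowed extension per line and an uploads directory writable by the web server, and it uses move_uploaded_file() from slide 6 in place of rename() so that only a genuine upload can be captured.

```php
<?php
// Added example, not from the slides. Assumes "filetypes" (one extension per line)
// and a web-server-writable "uploads" directory; field name "uplfile" as on slide 5.

// file() returns one array element per line; FILE_IGNORE_NEW_LINES strips the
// trailing "\n" so "txt" in the file does not become "txt\n" and never match.
function load_allowed_types(string $path): array {
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return array_map('strtolower', array_map('trim', $lines));
}

// $guilty starts true and only becomes false on an exact whitelist match, so an
// unlisted extension ("shell.php") or a missing one ("notes") stays guilty.
function is_guilty(string $filename, array $allowed): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    $guilty = true;
    foreach ($allowed as $type) {
        if ($ext !== '' && $ext === $type) {
            $guilty = false;
        }
    }
    return $guilty;
}

// Capture the upload into the uploads directory under a sanitized basename, so a
// client-supplied name containing "../" or path separators cannot leave the directory.
// Returns the saved path, or null when the file was rejected or the move failed.
function capture_upload(array $file, string $uploads, array $allowed): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if (is_guilty($file['name'], $allowed)) {
        return null;
    }
    $base = basename($file['name']);
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    $dest = rtrim($uploads, '/') . '/' . $base;
    // move_uploaded_file() refuses a source that is not a genuine PHP upload
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

if (isset($_FILES['uplfile'])) {
    $allowed = load_allowed_types('filetypes');
    $saved = capture_upload($_FILES['uplfile'], 'uploads', $allowed);
    print $saved === null ? "Rejected" : "Saved to " . htmlspecialchars($saved);
}
```

The extension check only decides by name; what the web server does with a file in the uploads directory is still governed by the server configuration, which is why slide 13 blocks direct access to that directory.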

13 Denying directory access
You don't want people to be able to look at the uploads directory just by pointing a browser there. Two methods (either will work):
1. Use .htaccess. Just save a text file in the directory with this line:

```
Options -Indexes
```

2. Create an index.html file that sends the visitor where you want, or just gives an error message.
This method requires specific configuration of the Web server!
Obscures file names, but doesn't prevent access.

