Cerex Posted April 6, 2007

On my rented webserver, I have set up a simple PHP form to upload files into a folder on the website. The problem is, I would like to have the directory the files are loaded into stay clear of any index files (the Apache default is so delightfully simple). Because any file can be uploaded, anybody can upload a blank index.html file or an index file that redirects to oh say... homosexual pornography.

I must say, my PHP skills are horrible, I am more of a Javascript kind of guy. This was pretty much patched together with snippets.

Now, would there be any way to have PHP use a conditional statement to check the text in the upload form (your standard browse file and upload form), and either...

A) Continue with the upload, or..
B) Redirect/echo/close the window depending on if the word "index" appears?

Thanks in advance.

Sparda Posted April 6, 2007

Why do you want anyone to be able to upload files to your server? That's just a very bad idea.

cooper Posted April 6, 2007

Ever considered placing an index.html that you do approve of in there, and then making the file read-only?

Cerex Posted April 6, 2007

Sparda> Yeah, I know it's a bit of a bad idea. But if I ignored all my bad ideas, I would never have any ideas at all.

Cooper> I have considered another index file, and if I don't get this PHP thing figured out in a couple of hours, the lazy part of me will just go ahead and throw it in.

Hm... is it possible to share variables between languages? I.E. PHP creates a variable and in the same script, could Javascript change that variable, then later in the script, have PHP call it again?

Ah, and another reason I should probably not wimp out and figure out this PHP dilemma. It wouldn't be a bad idea to be able to filter certain file extensions such as .JS, .EXE, .HTML. Sounds like it could be a nice bit of knowledge to have.

Shaun Posted April 6, 2007

http://www.php.net/manual/en/function.preg-match.php

e.g.

    if (preg_match('/index/', $_FILES['file_upload']['name'])) {
        // do something
    }

jool Posted April 6, 2007

The "recommended" way of dealing with user uploaded files is to not let them decide what they are named on the server at all. Instead you give it a random name and then use a database of some sort to connect the filename to the actual file.

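Added example, not part of any post in this thread: one way to implement jool's suggestion (a server-chosen random name plus a lookup table), combined with the extension filtering Cerex asks about. It uses an allowlist rather than a blocklist of .JS/.EXE/.HTML; the field name `file_upload` comes from Shaun's snippet, while the storage directory, the allowlist and the SQLite table are assumptions.

```php
<?php
// Added example (not from the thread). Assumptions: form field 'file_upload',
// a storage directory that Apache does not serve, and a SQLite lookup table.
declare(strict_types=1);

const UPLOAD_DIR  = '/var/www/uploads-private';            // assumed path
const ALLOWED_EXT = ['jpg', 'png', 'gif', 'pdf', 'txt'];   // assumed allowlist

function storedNameFor(string $clientName): ?string
{
    // Only the final extension counts, so "page.html.jpg" is stored as <random>.jpg.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                                       // .html, .js, .exe, .php, no extension
    }
    // The server picks the name, so it can never be index.html.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function handleUpload(array $file, PDO $db): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    $stored = storedNameFor($file['name']);
    if ($stored === null) {
        throw new RuntimeException('File type not allowed');
    }
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('Could not store file');
    }
    // The client's name is kept as display data only and is never used as a path.
    $stmt = $db->prepare('INSERT INTO uploads (stored_name, original_name) VALUES (?, ?)');
    $stmt->execute([$stored, basename($file['name'])]);
    return $stored;
}

if (isset($_FILES['file_upload'])) {
    $db = new PDO('sqlite:' . UPLOAD_DIR . '/../uploads.sqlite');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS uploads (stored_name TEXT PRIMARY KEY, original_name TEXT)');
    try {
        echo 'Stored as ' . htmlspecialchars(handleUpload($_FILES['file_upload'], $db));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```
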
Sparda Posted April 6, 2007

I think you should protect this upload script with basic authentication.

digip Posted April 6, 2007

> The "recommended" way of dealing with user uploaded files is to not let them decide what they are named on the server at all. Instead you give it a random name and then use a database of some sort to connect the filename to the actual file.

I agree with Jool, although you could just pad the file name with a time stamp so every file has a unique name and no chance of becoming index.html. It would be something like index-xx-xx-xxxx.html or whatever, but still, I think Jool has a good idea.

lunex Posted April 7, 2007

> Hm... is it possible to share variables between languages? I.E. PHP creates a variable and in the same script, could Javascript change that variable, then later in the script, have PHP call it again?

You do realize that there is a difference between server side and client side scripting. Right? And that you should never trust a value given by the client? I tried to find a page about it on W3Schools, but failed.

Simply put: You can have PHP write a value for a JavaScript variable into the line where the variable is defined, but a post back must be made from the client to the server to get a value made by the JavaScript.

Additionally: You should never treat a value returned by the client as being canon.

"in the same script" Don't think of PHP and JavaScript as running the same script. The relation is more like the PHP script making a script to be run by JavaScript.

It sounds like you're having trouble with PHP syntax. W3Schools.com and PHP.net should be able to help you. Specifically it sounds like you should read W3S's page on PHP's If...Else statements.

theSmiler Posted April 8, 2007

    if (substr($_FILES['uploadedFile']['name'], 0, 5) == 'index') {
        echo 'Error message';
        // Or, alternatively, change the filename to something random
    }

The_PHP_Jedi Posted May 20, 2007

If you still need help, just let me know, hehe.

cooper Posted May 20, 2007

    if (file_exists($_FILES['uploadedFile']['name']) == true) {
        echo 'Error message';
        // Or, alternatively, change the filename to something random
    }