Uploading in PHP CPTE 212 2/24/2015 John Beckett

PHP Upload Process Special form that passes $_FILES autoglobal array Upload file is placed in temporary location Your program may move it to a target location

But First – What files are there? // Looking in our own directory $Dir = "."; $DirOpen = opendir($Dir); while ($CurFile = readdir($DirOpen)) { echo $CurFile. " \n"; }

You Need a Form <form method="POST" action= enctype="multipart/form-data"> Select file:

Where is the File? It was uploaded to the /tmp directory print " "; print_r($_FILES); print " "; Array ( [uplfile] => Array ( [name] => Uploading in PHP.pptx [type] => application/vnd.openxmlformats-officedocument.presentationml.presentation [tmp_name] => /tmp/phpkEARuN [error] => 0 [size] => ) print " The file we are uploading is named:". $_FILES["uplfile"]["name"]. " ";

print "Moving:". $_FILES["uplfile"]["tmp_name"]. " "; print "We will place it at:". "myfiles/". $_FILES["uplfile"]["name"]. " "; if(move_uploaded_file($_FILES["uplfile"]["tmp_name"], "myfiles/". $_FILES["uplfile"]["name"])) { print "Appears to be successfully uploaded"; } else { print "Could not upload for some reason"; } Checking first Move Typical problems: Target directory does not have permissions for www-user to write Failed to give full filespec for destination The file we are uploading is named:Uploading in PHP.pptx Moving:/tmp/phpkEARuN We will place it at:myfiles/Uploading in PHP.pptx Appears to be successfully uploaded

Uploading a file <?php // Code adapted from textbook, page 239 $Dir = "."; // Looking in our own directory $DirOpen = opendir($Dir); while ($CurFile = readdir($DirOpen)) { echo $CurFile. " \n"; } closedir($DirOpen); ?> <form method="POST" action= enctype="multipart/form-data"> Select file: <?php if (isset($_FILES["uplfile"])) { print " The file we are uploading is named:". $_FILES["uplfile"]["name"]. " "; print "Moving:". $_FILES["uplfile"]["tmp_name"]. " "; print "We will place it at:". "myfiles/". $_FILES["uplfile"]["name"]. " "; if(move_uploaded_file($_FILES["uplfile"]["tmp_name"], "myfiles/". $_FILES["uplfile"]["name"])) { print "Appears to be successfully uploaded"; } else { print "Could not upload for some reason"; } print " "; print_r($_FILES); print " "; } ?>

Defcon Levels How dangerous is this? Green – Informational site only Beware of non-visible files Beige – Use client input to structure queries Possible SQL injection Protect by limiting SQL view to “read only” mode Yellow – Use client input to accept data for database Possible SQL injection Protect by sanitizing SQL Red – File uploads Could upload executable files Protect by using separate directory Protect by moderating before posting Could fill up your hard drive

HW07 Protection Methods How do we make uploads safe? Your HW server site requires.htaccess authentication with a password for any access In a production system you might require a login for upload capability, otherwise someone could fill your disk Your program will only load files with extensions from a “whitelist” The list doesn’t include anything executable like.php Uploaded files must be approved before they are available from the “library.” In a production system this step would require an admin login of some sort

HW07 Development - 1 Set up uploads and library directories Pre-load some sample files using FileZilla Write the directory-display part Show files in both directories Set up.htaccess as indicated in the textbook print_r($_FILES) to observe the autoglobal array Add the file upload form Make sure you are getting the correct info in $_FILES Add code to delete files from the uploads directory

HW07 Development - 2 Add the “Approve” function code Copy the file to the library directory If it went OK, delete from the uploads directory Add code to make sure the file is of a permitted type Use pathinfo() to get the extension Add code to rename the file to the uploads directory Add code to move a file to the library Test all the functionality You’ll have to manually delete files from the library Comment-out your print_r sequences

Is This File OK to Upload? Read the filetypes file into a variable using file() This gives you an array Get the file name $guilty=true; Walk through the filetypes array with foreach() If you find a match, set $guilty=false If ($guilty==false) { Capture the file with the rename function

Denying directory access You don’t want people to be able to look at the uploads directory just by pointing a browser there. Two methods (either will work) 1.Use.htaccess. Just save a text file in the directory with this line: Options –Indexes 2.Create an index.html file that sends the visitor where you want, or just gives an error message This method requires specific configuration of the Web server! Obscures file names, but doesn’t prevent access