
Web Technologies-I



When allowing users to upload files from their local machine to your server, there are two things that you need to check. The first is the MIME type of the uploaded file; if your script is uploading images, for example, you will want to accept only image/png, image/jpeg, image/gif, image/x-png and image/pjpeg. You can do so as follows:
<?php
// The MIME types we are prepared to accept (x-png and pjpeg are the
// aliases some browsers send for PNG and JPEG).
$validMimes = array(
  'image/png',
  'image/x-png',
  'image/gif',
  'image/jpeg',
  'image/pjpeg'
);
$image = $_FILES['image'];
// Reject the upload if the declared type is not in the list.
if (!in_array($image['type'], $validMimes)) {
  die('Sorry, but the file type you tried to upload is invalid; only images are allowed.');
}

// Do something with the uploaded file.
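The `type` entry of `$_FILES` that the snippet above tests is supplied by the browser, so a client can declare `image/png` for any file it likes. The following is an added example, not the book's code, showing how to check the declared type against what the bytes actually are, using PHP's fileinfo extension (assumed to be loaded). It assumes the form field is named `image`, as in the book's snippet; `check_image_upload` and the alias table are names introduced here.

```php
<?php
// Added example: verify the content of an uploaded image rather than
// trusting the client-declared $_FILES['image']['type'].
// Assumes the fileinfo extension is available and the field is named "image".

// finfo reports canonical types, so the x-png / pjpeg aliases are not needed here.
$validMimes = array('image/png', 'image/gif', 'image/jpeg');

function check_image_upload(array $file, array $validMimes)
{
    // PHP sets 'error' to UPLOAD_ERR_OK only when the upload completed.
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'upload did not complete (error code ' . $file['error'] . ')';
    }

    // Ask libmagic what the content is; do not rely on the client's claim.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if (!in_array($detected, $validMimes, true)) {
        return "content is $detected, not an allowed image type";
    }

    // A mismatch between the declared and detected type is worth logging:
    // a legitimate browser may send the aliases, anything else is suspicious.
    $declared = isset($file['type']) ? $file['type'] : '';
    $aliases = array('image/x-png' => 'image/png', 'image/pjpeg' => 'image/jpeg');
    $normalised = isset($aliases[$declared]) ? $aliases[$declared] : $declared;
    if ($normalised !== $detected) {
        error_log("upload type mismatch: declared '$declared', detected '$detected'");
    }
    return true;
}

if (isset($_FILES['image'])) {
    $result = check_image_upload($_FILES['image'], $validMimes);
    if ($result !== true) {
        die('Sorry, but the file you tried to upload is invalid: ' . $result);
    }
    // Do something with the uploaded file.
}
```

The function returns `true` only when the detected type is on the allow-list; the declared type is used for logging, never as the basis of the decision.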
File uploads combine the two dangers we have seen so far: user-modifiable data and the filesystem. While PHP 4 itself is secure in how it handles uploaded files, there are several potential traps for unwary programmers.
14.3.1 Beware of Filling Your Filesystem

Another trap is the size of uploaded files. Although you can tell the browser the maximum size of file to upload, this is only a recommendation and it cannot ensure that your script would not be handed a file of a larger size. The danger is that an attacker will try a denial of service attack by sending you several large files in one request and filling up the filesystem in which PHP stores the decoded files.

Set the post_max_size configuration option in php.ini to the maximum size (in bytes) that you want:

post_max_size = 1048576 ; one megabyte (1024 * 1024 bytes)

The default 10 MB is probably larger than most sites require.
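As an added example (not from the book), the php.ini fragment below bounds a request at 1 MB using the shorthand notation php.ini accepts, and sets the two related limits, upload_max_filesize and max_file_uploads, which the text does not mention but which govern the same resource: post_max_size caps the whole request body, upload_max_filesize caps each file within it, and max_file_uploads caps how many files one request may carry.

```ini
; Added example: size limits for file uploads in php.ini.
; K, M and G are accepted as shorthand; 1M is 1048576 bytes.
post_max_size = 1M         ; the entire POST body, all files and fields together
upload_max_filesize = 1M   ; each individual file; must not exceed post_max_size
max_file_uploads = 5       ; number of files accepted in one request
```

When a request exceeds post_max_size, PHP discards the body entirely, so the script sees an empty `$_FILES` and `$_POST`; treat that case as a failed upload rather than as "no file sent".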

14.3.2 Surviving register_globals

The default variables_order processes GET and POST parameters before cookies. This makes it possible for the user to send a cookie that overwrites the global variable you think contains information on your uploaded file. To avoid being tricked like this, check that the given file was actually an uploaded file using the is_uploaded_file( ) function.

In this example, the name of the file input element is "uploaded_file":




<?php
// Only proceed if PHP itself received this file via HTTP POST in this request.
if (is_uploaded_file($_FILES['uploaded_file']['tmp_name']))
{
    if ($fp = fopen($_FILES['uploaded_file']['tmp_name'], 'r'))
    {
        // Process the uploaded file here.
        fclose($fp);
    }
}
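Pulling the checks from 14.3.1 and 14.3.2 together, the following is an added example (not the book's code) of a complete handler for a field named `uploaded_file`: it uses PHP's per-file error codes and received size to enforce the limit, `is_uploaded_file()` and `move_uploaded_file()` to make sure it is acting on a genuine upload, and `getimagesize()` to pick the stored extension from the image content rather than from the client-supplied name. The storage directory `$storeDir`, the cap `$maxBytes`, and the function `store_upload` are assumptions introduced here; `random_bytes()` requires PHP 7 or later.

```php
<?php
// Added example: a complete upload handler combining the size and
// is_uploaded_file() checks. Assumes $storeDir is outside the web root and
// writable by the web server, and that $maxBytes matches post_max_size.

$storeDir = '/var/www/uploads-private';   // assumed path, not served directly
$maxBytes = 1048576;                      // 1 MB, same as the php.ini limit

function store_upload(array $file, $storeDir, $maxBytes)
{
    // Distinguish "nothing sent" and "too big" from success via PHP's error codes.
    switch ($file['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:    // larger than upload_max_filesize
        case UPLOAD_ERR_FORM_SIZE:   // larger than the form's MAX_FILE_SIZE hint
            return array(false, 'File is too large');
        case UPLOAD_ERR_NO_FILE:
            return array(false, 'No file was sent');
        default:
            return array(false, 'Upload failed (code ' . $file['error'] . ')');
    }

    // 'size' is what PHP actually received on disk, not a client-declared number.
    if ($file['size'] > $maxBytes) {
        return array(false, 'File is too large');
    }

    // Only trust tmp_name if PHP created it for this request; this defeats the
    // cookie-overwrites-global trick described in 14.3.2.
    if (!is_uploaded_file($file['tmp_name'])) {
        return array(false, 'Not an uploaded file');
    }

    // Decide the type from the image header, and restrict to the formats we serve.
    $info = getimagesize($file['tmp_name']);
    $allowed = array(IMAGETYPE_PNG, IMAGETYPE_GIF, IMAGETYPE_JPEG);
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return array(false, 'Not an allowed image type');
    }

    // Never reuse the client-supplied name: generate our own, and take the
    // extension from the detected type rather than from $file['name'].
    $ext  = image_type_to_extension($info[2], false);   // "png", "gif" or "jpeg"
    $dest = $storeDir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;

    // move_uploaded_file() itself refuses files that are not genuine uploads.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return array(false, 'Could not store file');
    }
    return array(true, $dest);
}

if (isset($_FILES['uploaded_file'])) {
    list($ok, $msg) = store_upload($_FILES['uploaded_file'], $storeDir, $maxBytes);
    if (!$ok) {
        die('Upload rejected: ' . $msg);
    }
    echo 'Stored as ' . basename($msg);
}
```

Storing under a server-generated name in a directory the web server does not serve means that even a file whose content passed the image check cannot be requested and executed as a script.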


