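// Method of the upload-handling class; $this->working_dir is the target directory.
function process_upload(){
    // $_FILES is a superglobal, so no "global" declaration is needed
    $retVal = false;
    $disallowed_ext = array('.php', '.php3', '.php4', '.shtml', '.pl', '.jsp', '.cgi', '.exe');
    //detect if there are any uploaded files in $_FILES; return false if not
    if(!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK || $_FILES['file']['size'] == 0){
        return $retVal;
    }
    $file_field = $_FILES['file'];
    // keep only the file-name part of the client-supplied name
    $new_name = basename($file_field['name']);
    // pathinfo() returns no "extension" key when the name contains no dot
    $path_parts = pathinfo($new_name);
    $ext = isset($path_parts['extension']) ? '.' . strtolower($path_parts['extension']) : '';
    if(in_array($ext, $disallowed_ext)){
        die("Wrong file type ($ext). Please upload other file types than : " . implode(' ', $disallowed_ext));
    }
    if(move_uploaded_file($file_field['tmp_name'], "$this->working_dir/$new_name")){
        chmod("$this->working_dir/$new_name", 0644);
        // return the stored name as an array, as the original code did on success
        $retVal = array($new_name);
    }
    return $retVal;
}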
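The function above rejects a fixed list of extensions and stores the file under its client-supplied name, so any extension missing from that list is accepted. The following added example (not the original post's code; the allowlist contents and the names safe_upload_name and store_upload are assumptions) inverts the check into an allowlist, compares the sniffed MIME type with the extension, and stores the file under a server-generated name.

```php
<?php
// Added example, not the original post's code. The allowlist contents and
// the function names are assumptions chosen for illustration.
const ALLOWED_TYPES = array(          // extension => expected MIME type
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
);

// Returns a server-generated file name, or null if the extension is not allowed.
function safe_upload_name(string $client_name): ?string {
    $ext = strtolower(pathinfo(basename($client_name), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;                  // unknown or missing extension: reject
    }
    // The stored name never contains client-chosen characters.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Validates one $_FILES entry and moves it into $dir; returns the stored name or false.
function store_upload(array $file_field, string $dir) {
    if ($file_field['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file_field['tmp_name'])) {
        return false;
    }
    $new_name = safe_upload_name($file_field['name']);
    if ($new_name === null) {
        return false;
    }
    // Compare the content-sniffed type with the type the extension promises.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file_field['tmp_name']);
    $ext = pathinfo($new_name, PATHINFO_EXTENSION);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return false;
    }
    if (!move_uploaded_file($file_field['tmp_name'], "$dir/$new_name")) {
        return false;
    }
    chmod("$dir/$new_name", 0644);
    return $new_name;
}

// Constructed sample names, checked against the allowlist only (no upload needed).
foreach (array('report.pdf', 'Photo.JPG', 'notes', 'archive.tar.gz', 'index.php') as $name) {
    printf("%-16s %s\n", $name, safe_upload_name($name) === null ? 'rejected' : 'accepted');
}
```

store_upload() needs the fileinfo extension and a real HTTP upload; the loop at the end runs from the command line and exercises only the name check.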
Snippet codes and other stuff good to remember. Various source codes, tips and other things I encountered while working
Wednesday, April 16, 2008
Secure file upload