Re: what is a good way to get started in php?

@9
Here I will answer Ethin and everyone who considers PHP a good programming language.
It will be rude. For this reason, if you don't want that, don't read this.
PHP teaches you to do simple things ass-backwards; for example, a few lines of code are not enough to work with the RFC 6455 protocol. The language is old; it was created haphazardly, at random, by specialists from different languages; very few people write in the language itself, everyone uses frameworks. People often reinvent the wheel in this language, writing things that are already built into the language itself. PHP is crap, in one word: old. At one time it took off only because its syntax was simpler than that of ASP 1.0, which shipped with IIS 3.0. The language itself began as the implementation of a simple visit counter; its purpose was never to create anything big, and that could not fail to affect the implementation of the language itself. Imagine you need to swim across a river in the wilderness but have nothing with you except nails and teeth; you would make yourself a boat out of twigs and leaves, and the creators of PHP did about the same. What do you think this language will teach you?
Besides. In post 2, cartertemm wrote that he liked the tutorial / reference from w3schools.
Here, not only will PHP teach you bad things. W3schools will teach you bad things too.
First things first. I'm really glad they put this at the top, but they are still teaching you the wrong way even though they said this themselves. So they aren't even listening to their own words:
"However, with ease comes danger, so always be careful when allowing file uploads!"

Ok, let’s take a look at their final code because that’s what we’re going to go after and I’m going to grill it for teaching bad things aka bad coding habits.
<?php
$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
  $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
  if($check !== false) {
    echo "File is an image - " . $check["mime"] . ".";
    $uploadOk = 1;
  } else {
    echo "File is not an image.";
    $uploadOk = 0;
  }
}
// Check if file already exists
if (file_exists($target_file)) {
  echo "Sorry, file already exists.";
  $uploadOk = 0;
}
// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
  echo "Sorry, your file is too large.";
  $uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
  echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
  $uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
  echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
  if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
    echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded.";
  } else {
    echo "Sorry, there was an error uploading your file.";
  }
}
?>
Ok, so the first few lines of code already teach you the wrong way of doing it.
basename($_FILES["fileToUpload"]["name"])
That’s how NOT to do it.
What does this line do? Well, it pretty much takes the original name, and then you can append it to a variable which you can then reference. The intent of doing so is just to be able to upload the file and give it its original name. This is actually incredibly bad. Not just bad practice, but security-wise as well.
Here's a scenario to demonstrate why that's bad. Say Person A uploads a file from their phone called IMG_001.JPG. It successfully goes through and they can view that image. Looks pretty cool on the web. Now, let's say Person B comes along and uploads a file from their phone called IMG_001.JPG. Whoops, now Person B has just replaced and overwritten Person A's image, because you have that line giving the uploaded file its original name.
You think that’s appropriate to do if you want people to upload hundreds of images? Not really.
This is also a security concern, because in a poorly implemented upload system someone can actually overwrite your upload script itself, whether it's named upload.php or index.php; they can pretty much overwrite and replace that uploader.

Now, let’s take a look at this line.
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
This line is pretty much intended to check that the image is an actual image. However, this is not the way you should be doing it. The PHP documentation and the official language do not tell you to do this. This is what "w3schools" is telling you to do. "w3schools" is not affiliated with, connected to, or in any way relevant to the official PHP site, the documentation, or the official PHP team. "w3schools" is a fan-made website.
Now, let’s dig in deeper what that line is actually doing. pathinfo() actually can take in 2 parameters. The first parameter is the file path and the 2nd parameter which is an optional parameter allows you to pass in a constant of either PATHINFO_DIRNAME, PATHINFO_BASENAME, PATHINFO_EXTENSION, PATHINFO_FILENAME, or a mixed combination of all of those.
The second function (strtolower()), which is wrapped around pathinfo(), just pretty much converts the entire string to lower case.
Now, here's the problem. Since the sole intent is to check whether the image is really an image, this is actually poorly written. Say I create an image in Notepad and name it malicious_file.txt, then write some malicious code into that file. I then rename malicious_file.txt to malicious_file.jpg and upload it to that poorly implemented uploading system. Would you look at that, it goes through simply because the file extension is .jpg. The extension returned from pathinfo($target_file,PATHINFO_EXTENSION) is actually jpg.
So regardless of whether the file is malicious or not, it will still be uploaded. That's a security problem.
This line of code wasn't written by the PHP documentation or the PHP team. They have no intent of allowing this to happen. But the source (w3schools) is the one writing this incredibly horrible code. Again, the PHP language, the PHP documentation, and the official PHP team do not teach you this. They only tell you what the code does. Whatever people have concocted/combined/mixed is all on the person who wrote that code, which would be w3schools.

The funny part is that they use getimagesize(), which actually verifies whether the uploaded file is an actual image, since the returned data is an array that gives the width, height, and various other information. I have no idea why they were attempting to write their own "image checker" when they could have just used getimagesize() to check whether the uploaded file was an actual image. Again, the people who wrote this bad code aren't the PHP language, the PHP documentation, or the official PHP team. It's the source (w3schools) who wrote this horrible code. Once again, w3schools has no affiliation, connection, or anything to do with the PHP language, the PHP documentation, or the official PHP team.

I don’t want to go any further because well, I’ve written a very lengthy post already and I haven’t even gotten to the end of the code yet.

-- 
Audiogames-reflector mailing list
Audiogames-reflector@sabahattin-gucukoglu.com
https://sabahattin-gucukoglu.com/cgi-bin/mailman/listinfo/audiogames-reflector
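The two problems the post above picks out of the w3schools handler are the client-controlled filename (collisions and overwriting the uploader script) and the extension check that only looks at the name. The following is an added example, not code from the original post, from w3schools or from the PHP project: a replacement handler for the same form field "fileToUpload" that stores every upload under a random server-chosen name, derives the extension from the MIME type detected in the file content rather than from the client's filename, and writes into a directory that is assumed to sit outside the web root and never be served as PHP. UPLOAD_DIR, MAX_BYTES, ALLOWED and storeUploadedImage() are names chosen for this example.

```php
<?php
declare(strict_types=1);

// Assumed storage location for this example: outside the document root, so the
// web server never executes or directly serves what is written here.
const UPLOAD_DIR = __DIR__ . '/../private_uploads';
const MAX_BYTES  = 500000;

// Accepted image types, keyed by the MIME type detected from file CONTENT.
// The stored extension comes from this table, never from the uploaded name.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one $_FILES entry and move it into UPLOAD_DIR.
 * Returns the server-chosen filename; throws RuntimeException on any failure.
 */
function storeUploadedImage(array $file): string
{
    // 1. PHP's own upload status comes first; anything else is meaningless
    //    if the transfer itself failed or was truncated.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    // 2. Make sure the temp path really came from an HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // 3. Measure the temp file ourselves instead of trusting $file['size'].
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // 4. Content-based type detection (libmagic via finfo), cross-checked
    //    against getimagesize(). Neither looks at the client's filename, so
    //    renaming malicious_file.txt to malicious_file.jpg does not help.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $info  = @getimagesize($file['tmp_name']);
    if ($mime === false || $info === false
        || !isset(ALLOWED[$mime]) || $info['mime'] !== $mime) {
        throw new RuntimeException('Only JPEG, PNG and GIF images are allowed.');
    }
    // 5. Random name + extension from the table: no collisions between users,
    //    no overwriting of existing files, and no way to land a ".php" name.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (file_exists($dest)) {           // practically impossible, cheap to check
        throw new RuntimeException('Please retry the upload.');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0644);                 // readable, never executable
    return $name;
}

if (isset($_POST['submit'], $_FILES['fileToUpload'])) {
    try {
        $stored = storeUploadedImage($_FILES['fileToUpload']);
        // If users must see their original filename, keep the mapping
        // original name -> $stored in the database; never use it on disk.
        echo 'Uploaded as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two design points worth keeping in mind. First, getimagesize() and finfo only confirm that the bytes start like an image; a valid GIF or JPEG can still carry PHP code in a comment chunk, so the check that really matters is that the server, not the client, picks the extension and that the storage directory is never interpreted as PHP. Second, the original filename is treated purely as display data: it is never concatenated into a path, which is what makes the overwrite scenario in the post impossible here.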