[PHP] Image Uploads being corrupted
Hey guys,

I got my uploads to work thanks to some people's help here in this newsgroup, but now I'm having a problem with the files being corrupted upon upload. Not sure why; any help would be greatly appreciated. I have included my code again if it helps any.

    function UploadImage(){
        global $HTTP_POST_FILES;
        global $ImageFile;
        reset($HTTP_POST_FILES);
        $pic_file = $HTTP_POST_FILES['ImageFile'];
        copy ($pic_file['tmp_name'], "../images/$ImageFile_name");
    }

    <FORM ACTION="<?php $SCRIPT_NAME ?>" Method="Post" ENCTYPE="multipart/form-data">
    <INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="100">
    <Input Type="File" Name="ImageFile">
    <Input Type="Submit" Name="Submit">
    </FORM>

I've found that just doing this seems to do the same:

    function UploadImage(){
        global $ImageFile;
        copy ($ImageFile, "../images/$ImageFile_name");
    }

Thanks
Ryan Stephens

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] Image Uploads being corrupted
The problem is that you declare global only for $ImageFile, but not for $ImageFile_name.

A big flaw is that if someone makes a form

    <FORM ACTION="<?php $SCRIPT_NAME ?>" Method="Post" ENCTYPE="multipart/form-data">
    <INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="100">
    <Input Type="text" Name="ImageFile__name" value="../../../../etc/passwd">
    <Input Type="Submit" Name="Submit">
    </FORM>

maybe they can make a big shot. It depends on which user Apache is running under.

The best technique is to use $HTTP_POST_FILES. Since PHP 4.1.0 there will be a new name for it: $_FILES. This array will be global, so there is no need to write global $_FILES. The same is done for $_GET, $_POST, $_COOKIE. $_REQUEST is a merged array of $_GET, $_POST, $_COOKIE in the order of gpc (from php.ini).

Regards,
Andrey Hristov
IcyGEN Corporation
http://www.icygen.com
BALANCED SOLUTIONS
Re: [PHP] Image Uploads being corrupted
The funny thing is this: the information is being inserted into the database... the file is being uploaded (as I can see it in the directory). I can get results from

    $ImageFile
    $ImageFile_name
    $ImageFile_size

but I can't get a result for

    $ImageFile_type

This comes up blank. There is obviously some connection, but just not sure what.

Ryan
Re: [PHP] Image Uploads being corrupted
If you have the GD extension built into your PHP, use it to find the type (if you are limited to jpeg/gif/png files).

I want to say again that using $ImageFile* is a possible security hole.

Regards,
Andrey Hristov
Re: [PHP] Image Uploads being corrupted
As I showed by this:

    <FORM ACTION="http://your.domain.com/your.script.php" Method="Post" ENCTYPE="multipart/form-data">
    <Input Type="text" Name="ImageFile_name" value="../../../../etc/passwd">
    <Input Type="Submit" Name="Submit">
    </FORM>

I can write this in a simple HTML page, press the submit button, and instead of a file you will receive $ImageFile_name as a text variable. I can write anything in it, but you rely on PHP having made it. No, PHP didn't.

Also, in such a form $ImageFile_tmpname can be supplied, and if someone does this:

    <?php echo (implode('',file($ImageFile_tmpname))); ?>

the /etc/passwd file can be shown easily.

My suggestion: rely on $HTTP_POST_FILES. Yes, it is long to type, but it's secured. Also, as I said, since the new PHP 4.1.0 there will be the $_FILES array, the equivalent of $HTTP_POST_FILES (which will also exist).

The GD extension is used for dynamic construction of jpg, png, gif (up to some 1.x version). The constructed image can be saved to a file or sent to the browser. GetImageSize() is one of the many functions provided by GD.

http://www.php.net/manual/en/ref.image.php

Best regards,
Andrey Hristov

----- Original Message -----
From: Ryan Stephens (Hotmail) [EMAIL PROTECTED]
To: Andrey Hristov [EMAIL PROTECTED]
Sent: Wednesday, November 28, 2001 10:51 AM
Subject: Re: [PHP] Image Uploads being corrupted

This means nothing to me... sorry, I've only been working with PHP for a couple of weeks, and a few months of web learning. The site I'm working on is hosted by some other guy, so I don't have access to it if I had to change anything there.

Why is $ImageFile a possible security hole?
What is the GD extension?

I don't need to find the type... I just used that as a test to see if that might have anything to do with my corrupted file problem. And I found that all the information being entered into the database re: its name and size is fine... but it won't return a type... I'm thinking if it can't return a type (but still uploads the file) there must be a connection to it being corrupt.

Ryan
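
Added example (not part of any message in the thread, and not the posters' code): an upload handler along the lines Andrey recommends in his replies above, reading only the $_FILES entry, checking tmp_name with is_uploaded_file(), reducing the client-supplied name to its last path component, and taking the image type from getimagesize() instead of a request variable. The field name ImageFile and the ../images directory come from the thread; the function names safe_image_name() and store_uploaded_image() and the sample file names are constructed for illustration.

```php
<?php
// Added example, not code from the thread. 'ImageFile' and ../images come from
// the thread; function names and sample names are constructed.

// Accepted image types and the extension each is stored under.
const ALLOWED_TYPES = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];

// The client controls the submitted name completely, so keep only the last
// path component and a conservative alphabet; the extension is chosen by us.
function safe_image_name(string $clientName, string $ext): string
{
    $base = basename(str_replace('\\', '/', $clientName));
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($base, PATHINFO_FILENAME));
    return ($stem === '' ? 'upload' : $stem) . '.' . $ext;
}

function store_uploaded_image(array $files, string $destDir): string
{
    $f = $files['ImageFile'] ?? null;
    if (!is_array($f) || ($f['error'] ?? null) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('no file received or upload failed');
    }
    // tmp_name must be a file PHP itself received in this request, never a
    // path that arrived as an ordinary form field.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    // Take the type from the file contents, not from the client-sent 'type'.
    $info = @getimagesize($f['tmp_name']);
    if ($info === false || !array_key_exists($info[2], ALLOWED_TYPES)) {
        throw new RuntimeException('not a GIF, JPEG or PNG image');
    }
    $dest = rtrim($destDir, '/') . '/' . safe_image_name($f['name'], ALLOWED_TYPES[$info[2]]);
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store the file');
    }
    return $dest;
}

if (PHP_SAPI === 'cli') {
    // Constructed names: what the sanitiser does with traversal input.
    foreach (['../../../../etc/passwd', 'holiday photo.JPG', '..\\..\\boot.ini'] as $name) {
        printf("%-24s -> %s\n", $name, safe_image_name($name, 'jpg'));
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    echo htmlspecialchars(store_uploaded_image($_FILES, __DIR__ . '/../images'));
}
```

move_uploaded_file() overwrites an existing file of the same name, so a handler used in production would also make the stored name unique.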