Tips for uploading php files

I coded the code for another weekend. this time I am doing something about file upload. (PHPUPLOAD) a small harvest project is a BT seed list. users have the permission to upload their seed, then cooperate with B

I coded the code for another weekend. this time I am doing something about file UPLOAD. (PHP UPLOAD) a small harvest project is a BT seed list. users have the permission to UPLOAD their seed, then, use the bt track server to write the seed information.

At first, I thought it was very simple and the results were terrible. I used the CodeIgniter Upload class to upload files. at the beginning, the process was quite smooth, but I found that when I uploaded the file type, I added it. the torrent type is an upload type, and the result cannot be uploaded no matter how it is uploaded. it also prompts that the type of the uploaded file is incorrect. this is a genuine seed file. does CI only recognize seeds from island countries?

Open the ci upload class to view the code. The original ci upload is implemented by identifying the file. it is no wonder that the MIME type of the seed returns binary data in a general browser. it seems that you have to modify it yourself.

To complete the project as soon as possible, I directly write code from the Controller. use $ _ FILE ['file'] ['name'] to obtain the file name to be uploaded, use the explode function to obtain the extension name, and call the UPLOAD of CI to UPLOAD the FILE.

The PHP instance code is as follows:

1. $ Config ['upload _ path'] = './uploads /';
2. $ Config ['allowed _ types'] = '*';
3. $ Config ['max _ size'] = '000000 ';
4. $ This-> load-> library ('upload', $ config );
5. $ This-> load-> helper ('security ');
6. $ This-> load-> helper ('date ');
7. $ This-> load-> helper ('URL ');
8. $ This-> load-> model ('BT _ model', '', TRUE );
9. $ Data ['Source _ url'] = base_url (). 'source ';
10. $ Data ['base _ url'] = base_url ();
11. $ File = $ _ FILES ['upload _ file'] ['name'];
12. $ File_1 = explode ('.', $ file );
13. $ File_2 = $ file_1 [count ($ file_1)-1];
14. If ($ file_2 <> 'torrent '){
15. Echo 'script "alert (" Only torrent-type seed files can be uploaded "); script ';
16. Echo 'script window. location. href = "'. $ data ['base _ url']. 'index. php/index/post"; script';
17. Return;
18. }
19. $ Data ['type'] = xss_clean ($ this-> input-> post ('type '));
20. $ Data ['name'] = xss_clean ($ this-> input-> post ('name '));
21. $ Data ['space'] = xss_clean ($ this-> input-> post ('space '));
22. $ Data ['username'] = xss_clean ($ this-> input-> post ('Username '));
23. $ Data ['Time'] = mdate ('% Y-% m-% d % G: % I', gmt_to_local (time (), 'up8 '));
24. If ($ data ['type'] = ''| $ data ['name'] ='' | $ data ['space'] = ''| | $ data ['username'] = '') {
25. Echo 'script alert ("The information is incomplete, please enter it again"); script ';
26. Echo 'script window. location. href = "'. $ data ['base _ url']. 'index. php/index/post"; script';
27. Return;
28. }
29. $ This-> upload-> do_upload ('upload _ file ');
30. Echo $ this-> upload-> display_errors ();
31. $ File = $ this-> upload-> data ();
32. $ Data ['URL'] = $ data ['base _ url']. 'uploads'/'. $ file ['File _ name'];
33. $ This-> bt_model-> insert ($ data );
34. Echo 'script "alert (" uploaded successfully "); script ';
35. Echo 'script window. location. href = "'. $ data ['base _ url'].'"; script ';

The principle is roughly as follows: get the name of the file to be uploaded, split the file name through the explode () function to get the suffix, compare it with the allowed Upload type, and finally upload.

When it comes to upload, I think of the popular MIME Upload vulnerability. the upload vulnerability occurs when the website only determines the MIME type when determining the file type to be uploaded. the MIME type obtained by the server during the upload is sent from the client. that is to say, the MIME type value can be controlled by users. attackers can construct fake MIME types to upload webshells.

Therefore, when determining the file type, check the file suffix. it is better to only give the upload directory a readable permission and disable the execution permission, which is more reliable.