"Gennaro losappio" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Dear All.

Hi.

>
> I am trying to write a script that lets the user choose
> how many languages to upload. Therefore the first
> script checks whether the user has chosen to add
> images, if not, he'll get a preview of the web site;
> otherwise array_pad will increment the array for the
> number of images the user has chosen:
> <?php
> if(($add == "") or ($add == "0")){

You can use empty() here:

    if (empty($add)) {

>
> $description= wordwrap($description,50,"<br>");
> echo "<table frame=\"border\">
> <tr><th>$font1 PREVIEW DEL SITO</font></th></tr>
> <tr><td colspan=\"2\" align=\"left\"><img
> src=\"../ecom/$u/$logo_name\"></td></tr>
> <tr><td>$description</td><td><img
> src=\"../ecom/$u/$img_az_name\"></td></tr>
> </table>";
>
> }else{
> $img = array('img','desc');
>
> $img = array_pad($img, $add, '');
> echo "<table> <tr><th colspan=\"6\">$font1 GESTIONE
> SITO - Add images</font></th>
> <form action=\"./panel.php\" method=\"post\"
> enctype=\"multipart/form-data\">
> <input type=\"hidden\" name=\"servizio\" value=\"4\">
> <input type=\"hidden\" name=\"visione\"
> value=\"imdone\">";
> foreach($img as $k => $img){
> $k++;
> echo "<tr><td>$font1 Image $k: </font></td>
> <td><input type=\"file\" name=\"img[$k]\"></td>
> <td>$font1 Title: </font></td>
> <td><input type=\"text\" name=\"title[$k]\"
> maxlength=\"50\"></td>
> <td>$font1 Description: </font></td>
> <td><textarea name=\"desc[$k]\"></textarea></td>
> </tr>";
> }
> ?>
>
> The second script would be:
> <?php
> $uploaddir =
> "/web/htdocs/www.example.it/home/ecom/$u/";
> $uploadfile = $uploaddir.$_FILES['img']['name'];

Where is $u being set? It's better to use a constant for path information:

    define('UPLOAD_PATH', '/web/htdocs/www.example.it/home/ecom/whateverumightbe');

Otherwise someone could call the file with:

    page.php?u=../../

or whatever.

You should NOT rely on register_globals. You can turn it off at runtime by
putting this line at the top of all scripts:

    ini_set('register_globals', 0);

Then access all variables with $_GET['var1'], $_POST['var1'],
$_FILES['file'] etc.

You should also check the file's mime type ($_FILES['file']['type']) and
only allow specific file types (GIF, JPEG).

>
>
> print "<pre>";
> if
> (move_uploaded_file($HTTP_POST_FILES['img']['tmp_name'],
> $uploadfile)) {
>
> print "File is valid, and was successfully
> uploaded. ";
> print "Here's some more debugging info:\n";
> print_r($HTTP_POST_FILES);
> } else {
> print "Possible file upload attack! Here's some
> debugging info:\n";
> print_r($HTTP_POST_FILES);
> }
> print "</pre>";
> ?>
>
> I keep on getting a possible upload file attack. The
> debugging info says there are no errors. I have tried
> using $_FILES instead of $HTTP_POST_FILES. My ISP has
> Globals turned on and max file size is 8 MB, in this
> example I have been using 2 files of 246K each.
>
> Where do you think the problem might lie?
>
> Thank you,
> Gennaro Losappio

How do you know you are getting upload attacks? Any symptoms?

Regards,

Torsten Roehr

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
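
The advice in the reply above (a fixed upload path, $_FILES instead of globals, GIF and JPEG only) applied to the form's img[$k] fields, as an added example that is not code from either poster. It assumes PHP 7.1 or later; the UPLOAD_PATH value is a placeholder, store_image() is a hypothetical helper, and the type check reads the file content with getimagesize() instead of the client-sent $_FILES type, which is a choice made for this example.

```php
<?php
// Added example, not code from the thread. The path below is a placeholder.
define('UPLOAD_PATH', '/path/to/upload/dir/');  // fixed constant, never built from request input
const ALLOWED_TYPES = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg'];

// Hypothetical helper: store entry $k of a multi-file field; null means rejected.
function store_image(array $files, $k): ?string
{
    // With name="img[$k]" every member of $_FILES['img'] is an array keyed by $k.
    if (!isset($files['error'][$k]) || $files['error'][$k] !== UPLOAD_ERR_OK) {
        return null;                            // nothing uploaded, or PHP reported an error
    }
    $tmp = $files['tmp_name'][$k];
    if (!is_uploaded_file($tmp)) {
        return null;                            // not a file PHP received via HTTP POST
    }
    // Inspect the content itself; $files['type'][$k] is supplied by the client.
    $info = @getimagesize($tmp);
    if ($info === false || !array_key_exists($info[2], ALLOWED_TYPES)) {
        return null;                            // neither GIF nor JPEG
    }
    // Server-chosen name: the client's file name never reaches the path.
    $dest = UPLOAD_PATH . bin2hex(random_bytes(8)) . '.' . ALLOWED_TYPES[$info[2]];
    return move_uploaded_file($tmp, $dest) ? $dest : null;
}

if (isset($_FILES['img']) && is_array($_FILES['img']['name'])) {
    foreach (array_keys($_FILES['img']['name']) as $k) {
        $stored = store_image($_FILES['img'], $k);
        // Titles are read from $_POST, not from register_globals variables.
        $title = isset($_POST['title'][$k]) ? (string) $_POST['title'][$k] : '';
        printf(
            "Image %s (%s): %s<br>\n",
            htmlspecialchars((string) $k, ENT_QUOTES),
            htmlspecialchars($title, ENT_QUOTES),
            $stored === null ? 'rejected' : 'stored'
        );
    }
}
```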