Remote Control - PHP

Given all that information, let's take a look at "upload.php4"

<?
// get some information
echo "Filename: $upfile_name<br>";
echo "Temporary filename: $upfile<br>";
echo "File size: $upfile_size bytes<br>";
echo "File type: $upfile_type<br>";
// if upload successful
if ($upfile)
{
echo "Upload successful!<br>";
// copy file to new location
if (copy($upfile, "/tmp/uploads/" . $upfile_name))
{
echo "File copy successful!<br>";
}
}
// else display error
else
{
echo "Upload unsuccessful!<br>";
}
?>

Be warned: you should enforce strict rules about what can and can't be uploaded when using such a system in a production environment. Failure to do this would open up a security hole which would allow users to upload Perl scripts, C binaries and PHP documents to the server, and perhaps even execute them remotely.

A good way to avoid this is to use the $upfile_type variable to decide which files get uploaded, and which get rejected. For example,

<?
if ($upfile_type == "text/plain" || $upfile_type == "text/html" ||
$upfile_type == "image/gif" || $upfile_type == "image/jpeg")
{
// file upload code
}
else
{
echo "Permission denied!";
}
?>

Similarly, you can use the $upfile_size variable to reject files which are too large for comfort.

This article copyright Melonfire 2000. All rights reserved.

>>> More PHP Articles          >>> More By Vikram Vaswani, (c) Melonfire

blog comments powered by Disqus