File upload for txt files only - Security and sanitization questions

Greetings,

I need some advice on safely allowing people to bulk upload products to our site using tab-delimited txt files only. My first concern is making sure the file that someone is uploading is actually a plain text file and not a hostile fake.

Here is the code I have so far for the basic errors and sanitization:


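$allowedExts = array("txt");

// Check the upload status first: on a failed upload the other fields are empty.
if ($_FILES["ufile"]["error"] > 0)
{
  echo "Error: Something is wrong with this file: ".$_FILES["ufile"]["error"];
  exit();
}

// end() takes its argument by reference, so explode() needs a variable.
$parts = explode(".", $_FILES["ufile"]["name"]);
$extension = end($parts);

// Both 'type' and 'name' are supplied by the client.
if ($_FILES['ufile']['type'] != 'text/plain' || !in_array($extension, $allowedExts)) {
  echo "Error: This is not a 'txt' file.";
  exit();
}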

Let me know if this looks good so far or if there needs to be anything else added here. I understand that mime_content_type is also deprecated and there is a better method out there?

Any advice would be greatly appreciated. I’ve never added a feature like this to my site, so this is very new to me.

Thanks

Text files have no mime type, anything can be classified as such. Don’t bother checking the mime type or any of that. As long as you only access it as textual data it won’t cause harm. The next step of course will be to process the data. The moment the format is incorrect, dump it as an invalid file.
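
One way to apply the advice in the reply above (read the upload strictly as text and reject it at the first malformed line), as an added example that is not part of the original thread. The three-column layout (SKU, name, price), the size and row limits, and the function names are assumptions.

```php
<?php
// Added example. The column layout (sku, name, price) and the limits are
// assumptions for illustration; adjust them to the real product format.
const MAX_BYTES = 1048576; // assumed size cap (1 MiB)
const MAX_ROWS  = 5000;    // assumed row cap

/** Parse a tab-delimited product file; throw on the first malformed line. */
function parse_product_file(string $path): array
{
    $handle = filesize($path) <= MAX_BYTES ? fopen($path, 'rb') : false;
    if ($handle === false) {
        throw new RuntimeException('file missing, unreadable or too large');
    }
    $rows = [];
    try {
        for ($n = 1; ($line = fgets($handle)) !== false; $n++) {
            $line = rtrim($line, "\r\n");
            // Plain text only: valid UTF-8 and no control bytes except TAB.
            if (preg_match('//u', $line) !== 1
                || preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $line) === 1) {
                throw new RuntimeException("line $n: not plain text");
            }
            $fields = explode("\t", $line);
            if (count($fields) !== 3 || count($rows) >= MAX_ROWS) {
                throw new RuntimeException("line $n: expected 3 fields, or row limit exceeded");
            }
            [$sku, $name, $price] = $fields;
            if (preg_match('/^[A-Za-z0-9-]{1,32}$/D', $sku) !== 1
                || $name === '' || strlen($name) > 200
                || preg_match('/^\d{1,7}(\.\d{2})?$/D', $price) !== 1) {
                throw new RuntimeException("line $n: invalid field value");
            }
            $rows[] = ['sku' => $sku, 'name' => $name, 'price' => $price];
        }
    } finally {
        fclose($handle);
    }
    return $rows;
}

/** Upload entry point; pass $_FILES['ufile'] (field name from the question). */
function handle_product_upload(array $file): array
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    return parse_product_file($file['tmp_name']); // read in place, never moved into the web root
}
```

The returned values are still untrusted strings: bind them as query parameters when storing them and escape them when displaying them.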


function control($val,$min,$max,$ctype,$check)
{
-----
}

function userdata()
{
  if (isset($_POST['btnSub2']))
  {
    $resume_file_name = str_replace('_','',$_FILES['filename']['name']);
    $file_error = $_FILES['filename']['error'];
    if (!is_numeric($strno))
    {
      echo "Phone/Mobile Should be Numeric";
    }
    else
    {
      $upload = false;
      echo "4Phone/Mobile Should be Numeric";
      $explode_file = explode('.',$filename);
      $extension_supplied = $explode_file[count($explode_file) - 1];
      $extension_allowed = array('.doc','.docx');
      for ($check=0; $check<count($extension_allowed); $check++)
      {
        if ($extension_supplied == $extension_allowed[$check])
        {
          $upload = true;
        }
      }
      // current timestamp //
      $timestamp = time();
      // temporary file name //
      $tmp_file_name = strtolower($firstname)."_".strtolower($lastname)."_".$timestamp."_".$filename;
      // target directory //
      $target = "abc/resume_coll/".$tmp_file_name;
      echo ".$target ,.$temp_file_name ";
      if ($upload == true)
      {
        // connecting to database server //
        $sql=mysql_connect('db42.db.com','dbo4256938','abcd123');
        if (!$sql)
        {
          die('Connection failed: ' . mysql_error());
        }
        else
        {
          echo "Connection to MySQL server successful!";
        }
        $sql = mysql_select_db($db4256938);
---------
-------
        if (is_uploaded_file($_FILES['filename']['tmp_name']))
        {
          if (move_uploaded_file($_FILES['filename']['tmp_name'],$target))
          {
            $message ="
<table>-----<tr><td>Resume</td><td></td><td><a href=http://abc.com/abc/resume_collect/$tmp_file_name>Download Now</a></td></tr>
----- </table>";
            $receiver = 'abc@xyz.com';
            $subject = "Resume Uploaded by ".ucwords($firstname)." ".ucwords($lastname);
            echo "in resume upload";
            $headers = "From:".$email."\r\n"."Reply-To:".$email."\r\n";
            $headers .= "Content-type: text/html\r\n";
            //$message = htmlentities($message);
            $mail = mail($receiver,$subject,$message,$headers);
            if ($mail)
            {
              echo "You will receive a confirmation E-mail with User Name and Password information ";
            }
            else
            {
              echo "Invalid File Extension (<b>$extension_supplied</b>) to Upload.";
            }
function execute_code()
{
  return userdata();
}
echo execute_code();

Hi, I am trying to upload the file to the target path (folder), but I am getting the error "Invalid File Extension to Upload". Kindly help me.