venaf34228, 2020-04-19 12:37:36
PHP

Is this method of uploading files safe enough?

Good afternoon!
Is this method secure enough to upload images to the server?
upload.php

<?php
$AllowFileExtension = array(
    'jpg',
    'png',
    'jpeg'
);
$FileExtension      = pathinfo(strtolower($_FILES['file']['name'][0]), PATHINFO_EXTENSION);
if (!in_array($FileExtension, $AllowFileExtension)) {
    die('Разрешенные форматы файла: jpg, jpeg, png.');
}
$TempName = $_FILES['file']['tmp_name'][0];
if (filesize($TempName) > 10485760) {
    die('Размер изображения не должен превышать 10МБ.');
}
$imageinfo = getimagesize($TempName);
if ($imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/png') {
    die('Разрешенные форматы файла: jpg, jpeg, png.');
}
$NewFileName  = (md5(uniqid() . strtolower($_FILES['file']['name'][0]))) . '.' . $FileExtension;
$UploadDir    = "/img/";
$NewFilePatch = $UploadDir . $NewFileName;
if (!is_writable($UploadDir)) {
    die('Каталог недоступен для записи.');
}
$CopyFile = copy($TempName, $NewFilePatch);
if (!$CopyFile) {
    die('Неудалось сохранить файл.');
}
?>

The img folder contains an .htaccess with the following content:
<FilesMatch "\.(php|cgi|pl|php3|php4|php5|php6|phps|phtml|shtml|py)$">
Order allow,deny
Deny from all
</FilesMatch>

2 answer(s)
Roman Sarvarov, 2020-04-19
@megakor

You need to check the file extension by its MIME type. Through pathinfo, the check can be removed - it is superfluous.
You need to move a file from tmp through move_uploaded_file(), not through copy().
Bonuses:
1. Use camelCase - don't capitalize your variables (it doesn't look good).
2. Check isset($_FILES['file']['name'][0]) first, otherwise if no file has been uploaded it will return an error (because you refer to an array element that may not exist).

xmoonlight, 2020-04-19
@xmoonlight

If you are expecting a picture, check the properties of the file for the required format, for example the image resolution, before moving it out of the upload location.
Any filter should not be "banning what I remember" but "allowing what I expect".
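A hardened version of upload.php that applies the points from both answers (an allow-list keyed by the detected image type, move_uploaded_file() instead of copy(), the isset check first, and a resolution bound), written as an added example rather than the asker's or the answerers' own code; the img/ path, the MAX_PIXELS bound and the multiple-file field shape are assumptions:

```php
<?php
// Added example, not the asker's or answerers' own code: upload.php rewritten
// along the lines of the answers. Assumes the same "file" form field with the
// multiple-file array shape ($_FILES['file']['tmp_name'][0]) and an img/
// directory next to this script that is still covered by the .htaccess rule.
declare(strict_types=1);

const MAX_BYTES  = 10485760; // 10 MB, the same limit as the question
const MAX_PIXELS = 8000;     // per side; assumed bound, tune for your use
$uploadDir = __DIR__ . '/img/';
// Allow-list keyed by the *detected* image type, never by the client's filename.
$allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
function fail(string $msg): void { http_response_code(400); die($msg); }

// 1. Was a file actually submitted and accepted by PHP? (isset check first)
if (!isset($_FILES['file']['tmp_name'][0], $_FILES['file']['error'][0])
    || $_FILES['file']['error'][0] !== UPLOAD_ERR_OK) {
    fail('No file uploaded.');
}
$tmp = $_FILES['file']['tmp_name'][0];
// 2. Only touch files PHP itself placed in the upload temp area.
if (!is_uploaded_file($tmp)) {
    fail('Invalid upload.');
}
// 3. Size check on the temp file, not on the client-reported 'size' field.
if (filesize($tmp) > MAX_BYTES) {
    fail('File exceeds 10 MB.');
}
// 4. Content check: the header must decode as an allow-listed image type
//    and the resolution must be within bounds ("allow what you expect").
$info = getimagesize($tmp);
if ($info === false || !isset($allowed[$info[2]])) {
    fail('Only JPEG and PNG images are accepted.');
}
if ($info[0] > MAX_PIXELS || $info[1] > MAX_PIXELS) {
    fail('Image resolution too large.');
}
// 5. Random name plus an extension derived from the detected type, so the
//    client-supplied filename (and its extension) never reaches disk.
$dest = $uploadDir . bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
if (!is_dir($uploadDir) || !is_writable($uploadDir)) {
    fail('Upload directory is not writable.');
}
// 6. move_uploaded_file() instead of copy(): it refuses non-upload sources.
if (!move_uploaded_file($tmp, $dest)) {
    fail('Could not save file.');
}
echo 'Saved as ' . htmlspecialchars(basename($dest), ENT_QUOTES, 'UTF-8');
```

getimagesize() only proves that the header parses, so keep the .htaccess deny rule from the question (or store uploads outside the web root) as a second layer.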
