[naimish]

Hi, I have below code in my website where user will upload two files.

multiple_upload.php

Code:

 
<?php
//set where you want to store files
//in this example we keep file in folder upload 
//$HTTP_POST_FILES['ufile']['name']; = upload file name
//for example upload file name cartoon.gif . $path will be upload/cartoon.gif
$path1= "upload/".$HTTP_POST_FILES['ufile']['name'][0];
$path2= "upload/".$HTTP_POST_FILES['ufile']['name'][1];
//copy file to where you want to store file
copy($HTTP_POST_FILES['ufile']['tmp_name'][0], $path1);
copy($HTTP_POST_FILES['ufile']['tmp_name'][1], $path2);
//$HTTP_POST_FILES['ufile']['name'] = file name
//$HTTP_POST_FILES['ufile']['size'] = file size
//$HTTP_POST_FILES['ufile']['type'] = type of file
///////////////////////////////////////////////////////
$filesize1=$HTTP_POST_FILES['ufile']['size'][0];
$filesize2=$HTTP_POST_FILES['ufile']['size'][1];
if($filesize1 && $filesize2!= 0) 
{
echo "Thank you, The file(s) has been successfully uploaded.";
}
else {
echo "ERROR : ";
}
//////////////////////////////////////////////
// What files that have a problem? (if found)
if($filesize1==0) {
echo "There're something error in your first file";
echo "<BR />";
}
if($filesize2==0) {
echo "There're something error in your second file";
echo "<BR />";
}
?>

MyUpload.php

Code:

 
<html>
<title>Upload Two Files</title>
<table width="500" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form action="multiple_upload.php" method="post" enctype="multipart/form-data" name="form1" id="form1">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td><strong>Upload Resume :</strong> *.doc, *.rtf, *.pdf files only<br /></td>
</tr>
<tr>
<td>Select file 
<input name="ufile[]" type="file" id="ufile[]" size="50" /></td>
</tr>
<td><strong>Upload Other Information :</strong>*.doc, *.rtf, *.pdf files only</td>
<tr>
<td>Select file
<input name="ufile[]" type="file" id="ufile[]" size="50" /></td>
</tr>
<tr>
<td align="center"><input type="submit" name="Submit" value="Upload Data" /></td>
</tr><br />
</table>
</td>
</form>
</tr>
</table>
</html>

Currently, If user is uploading only 1 file, it will give an error there There're something error in your second file.

But what I want is, User will have to upload two files.

What Code changes should be made so that user will have to upload two files, and if user doesn't provide the path for another file, no file will be get upload.

[naimish]

Also If we can embeed the code to restrict user to only upload *.doc, *.rtf, *.pdf files only

[pradeep]

Check for upload errors http://www.php.net/manual/en/feature...oad.errors.php

[Hex00010]

This script is vulnerable it does not sanatize what file types can be upload all it says is text that states only so and so can be uploaded.


But in the php script it does not clarify it


If people use this script then 10/10 they will get hacked allowing hackers to upload shell botnet.txt files or whatever they so choose until the owner of this script or someone else fixes these errors i highly reccomend no one to use this script for the safty of your site

[shabbir]

Quote:

Originally Posted by Hex00010

This script is vulnerable it does not sanatize what file types can be upload all it says is text that states only so and so can be uploaded.


But in the php script it does not clarify it


If people use this script then 10/10 they will get hacked allowing hackers to upload shell botnet.txt files or whatever they so choose until the owner of this script or someone else fixes these errors i highly reccomend no one to use this script for the safty of your site

He is probably developing it and looking for some error correction.

[Hex00010]

heheehhe well there is your first error to block file type extensions

[naimish]

Quote:

Check for upload errors http://www.php.net/manual/en/feature...oad.errors.php

I am not facing anykind of errors, I just want an improvement.

Quote:

i highly reccomend no one to use this script for the safty of your site

I didn't post this code as an article, so that is obivous.

Quote:

He is probably developing it and looking for some error correction

I am learning PHP now a days, and implementing it on my demo website

Quote:

heheehhe well there is your first error to block file type extensions

And that's what I have requested to help

[Hex00010]

Well mate seeing your new to php i reccomend you to learn the vulnerability of what is inside of php

just a note to help you a long never use

Code:

include();

functions also be sure to study up on how c99shell are uploaded through php systems.

The most common is from file uploads. Also be sure to secure the script from sql injection a tes perhaps? when ur ready for a demo and if the url has a index.php?something=1 or something near it add a ' at the end of it if a mysql error pops up then it is vulnerable to sql injection also be sure to make it not vulneralbe to blind sql injection


Take a look at this script and implement it into yours

http://www.willmaster.com/blog/javas...extensions.php

[naimish]

The main thing is that I am not using my own domain, I am using free domains only

[Hex00010]

What does that have to do with anything? regarding this?