php help uploading

[jameshumphries47]

okay so i posted earlier about making my site run off a CMS but because of hosting incompatibilities that will become a problem. now i have decided that i am going to create a "Hidden" page on the site where the admin when logged on will be able to edit the text from the site, im not worried i can do this using PHP and MYSQL. now the problem i am trying to overcome is that, there is a page with lots of photos kind of like on an amazon search query. but there is no other pages, now i need the admin to be able to upload a file through the site, and it will then display the code. I am really stuck here, so any help is more than welcome! 

Thanks

~James

[Mr_KoKa]

I don't fully understand but here you have guide how to handle file uploads, http://www.w3schools.com/php/php_file_upload.asp if you want upload just images, make sure you use your name to save file on serwer side, it is especially important when it comes to extension, if you let a file to be named as user wants to name it, you may end up with php file uploaded to your server. If you wan't be able to upload any files, then I would probably recommend you to save those out of web serwer directory scope, so it wont be able to executed, and then you would need to use XSendFile extension or send headers and file contents by php.

 

I didn't get that part where you saying that code should be displayed after upload, do you mean you want to upload html files and then edit them? I think it can be done just by javascript filereader without file upload, and then just regular form posted to a php script that will save text to mysql.

[jameshumphries47]

I don't fully understand but here you have guide how to handle file uploads, http://www.w3schools.com/php/php_file_upload.asp if you want upload just images, make sure you use your name to save file on serwer side, it is especially important when it comes to extension, if you let a file to be named as user wants to name it, you may end up with php file uploaded to your server. If you wan't be able to upload any files, then I would probably recommend you to save those out of web serwer directory scope, so it wont be able to executed, and then you would need to use XSendFile extension or send headers and file contents by php.

 

I didn't get that part where you saying that code should be displayed after upload, do you mean you want to upload html files and then edit them? I think it can be done just by javascript filereader without file upload, and then just regular form posted to a php script that will save text to mysql.

i want the photo that was uploaded to be displayed in a list with previous photos which have been uploaded

[Mr_KoKa]

ok, so you want to list directory and generate html that will display those photos, that's easy, use http://php.net/manual/pl/function.opendir.php there is whole example how to list directory. You can parse file name by http://php.net/manual/en/function.pathinfo.php and compare extension with your set of extensions that mean images that can be displayed.

 

When you handling your upload, you can use http://php.net/manual/en/function.getimagesize.php on temporary image to check if it is really an image. You doing that by reading mime type, then you can set image name by hashing it, and extension based on mime type. Especially do not use name provided by user.

 

Ale those security checks are more appropriate when handling user upload, not an admin area, but anyway it won't hurt to have it.

 

The best you can do is to upload and save files to directori that is outside of your website fodler, so it can't be accessed by user directly, and use XSendFile to provide files as files (plaintext or images by appropriate header), so even if you woudln't protect your upload script from uploading php scripts, they wouldn't be executed this way.But this involve configuration of webserver, You can try the first thing and then think about use this one if you want/need.

[jameshumphries47]

ok, so you want to list directory and generate html that will display those photos, that's easy, use http://php.net/manual/pl/function.opendir.php there is whole example how to list directory. You can parse file name by http://php.net/manual/en/function.pathinfo.php and compare extension with your set of extensions that mean images that can be displayed.

 

When you handling your upload, you can use http://php.net/manual/en/function.getimagesize.php on temporary image to check if it is really an image. You doing that by reading mime type, then you can set image name by hashing it, and extension based on mime type. Especially do not use name provided by user.

 

Ale those security checks are more appropriate when handling user upload, not an admin area, but anyway it won't hurt to have it.

 

The best you can do is to upload and save files to directori that is outside of your website fodler, so it can't be accessed by user directly, and use XSendFile to provide files as files (plaintext or images by appropriate header), so even if you woudln't protect your upload script from uploading php scripts, they wouldn't be executed this way.But this involve configuration of webserver, You can try the first thing and then think about use this one if you want/need.

thanks alot, safety wise i should be fine, im only doning a few small sites, with about 3-15 views a day. but may as well implement it 

[prolemur]

I'm going to be doing this as well for a web store I'm making from scratch.

 

I plan on having an admin login where they can fill out a form with all the needed attributes of a product such as name and image, description. Then they post this form which makes a mysql query to the database and creates the products.

 

The product will show up in the proper categories since i have that setup and on the homepage where it shows all products at the bottom.

 

I don't quite understand your issue with this process, maybe what i explained above will help? let me know and good luck with the project

 

edit* I'd not worry about safety since everything should be behind the admin portal

[N0ps32]

edit* I'd not worry about safety since everything should be behind the admin portal

 

That is a terrible idea.

If somebody gains access to the admin panel you still want the amount of damage an intruder can do to be as small as possible.

For example just because you have gained access to the admin panel doesn't mean you should be able to dump the whole DB with customer data in it.

Or even worse somehow give the attacker the ability to execute arbitrary code and potentially compromise even more than just the website (e.g. users computers by inserting an exploit kit, ...).

 

An admin panel should be just as secure as the rest of your web application.

[prolemur]

That is a terrible idea.

If somebody gains access to the admin panel you still want the amount of damage an intruder can do to be as small as possible.

For example just because you have gained access to the admin panel doesn't mean you should be able to dump the whole DB with customer data in it.

Or even worse somehow give the attacker the ability to execute arbitrary code and potentially compromise even more than just the website (e.g. users computers by inserting an exploit kit, ...).

 

An admin panel should be just as secure as the rest of your web application.

I agree it should be secure just saying I wouldn't put it as high on the to do list, first make things are functioning then add security.

[Brenz]

I agree it should be secure just saying I wouldn't put it as high on the to do list, first make things are functioning then add security.

 

Security beats Functionality ALWAYS.

 

Never ever put functionality above security no matter how long it takes to implement a solution to a problem in the correct way.

[prolemur]

Security beats Functionality ALWAYS.

 

Never ever put functionality above security no matter how long it takes to implement a solution to a problem in the correct way.

Rock beats Scissors ALWAYS