May 28, 2010

Server Side PHP for Image Upload Feature

Posted in iPhone development, PHP, Uncategorized at 5:58 am by tetontech

I have received a request for sample PHP source code that could receive and save an uploaded file. You MUST understand that this is NOT code I would put into production. I always use QuickConnectPHP on the server side, since it allows me to apply Validation Control Functions, Business Control Functions, View Control Functions, and Error Control Functions in PHP. This dramatically increases the security of my applications.

This being understood, the code below should be viewed as an example of how to get the POST key/value pairs associated with an image upload from the QCiPhone implementation. Additionally, it shows you how to store the uploaded image file in a directory called upload on the PHP server machine.

The file name length check is one security feature. Some machines are unable to handle file names longer than 254 characters. If a hacker sent you a file name longer than that, you might be unable to delete the file. If the file they uploaded had PHP in it, they could call it and execute it, and you would not be able to delete the file because of the overly long file name.

Another security issue is that you should store the files in a directory located such that the PHP engine cannot interpret any uploaded file as PHP. This example does NOT follow this advice, since there is no way for me to know the structure of your PHP server.

<?php

//echo 'post values';

// Credentials arrive as ordinary POST fields from the QCiPhone client.
if($_POST["uname"] != "someUser" || $_POST["pword"] != "somePass"){
    echo "invalid user name or password";
}
// Only the two content types the client is expected to send are accepted.
else if (($_FILES["fileContents"]["type"] == "image/png")
        || ($_FILES["fileContents"]["type"] == "video/mp4")){
    // A non-zero error code means PHP did not receive the file cleanly.
    if ($_FILES["fileContents"]["error"] > 0)
    {
        echo "Return Code: " . $_FILES["fileContents"]["error"] . "<br />";
    }
    else
    {
        if (file_exists("upload/" . $_FILES["fileContents"]["name"])){
            echo $_FILES["fileContents"]["name"] . " already exists. ";
        }
        // File name length check described above.
        else if(strlen($_FILES["fileContents"]["name"]) >= 255){
            echo "The file name you have chosen is too long.";
        }
        else{
            // Move the file out of PHP's temporary location into the upload directory.
            move_uploaded_file($_FILES["fileContents"]["tmp_name"],
                "upload/" . $_FILES["fileContents"]["name"]);
            echo "File stored in: " . "upload/" . $_FILES["fileContents"]["name"];
        }
    }
}
else{
    echo "Invalid file<br/>";
}

?>
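As an added example (not the post's own code and not part of QuickConnectPHP), here is a version of the same handler that applies the two points made above: the file name length check, and storing the file where the PHP engine will not interpret it. It also decides the content type from the file's bytes instead of the client-supplied type field and writes the file under a server-chosen name. Assumptions, all labelled in the code: the QCiPhone client posts the same fields (uname, pword, fileContents), UPLOAD_DIR is a directory outside the document root that the web server can write to but does not serve, and EXPECTED_HASH is a placeholder for a real password_hash() value. It targets PHP 7.0 or later.

```php
<?php
// Added example, not the original post's code. See the lead-in for assumptions.
declare(strict_types=1);

// Assumption: a directory outside the web root, never served by the web server.
const UPLOAD_DIR = '/var/app-uploads';
// Assumption: user name and a hash made with password_hash(); placeholder value.
const EXPECTED_USER = 'someUser';
const EXPECTED_HASH = '$2y$10$REPLACE_WITH_REAL_PASSWORD_HASH';
// Assumption: size cap chosen for this example.
const MAX_BYTES = 20 * 1024 * 1024;
// Allow-list of the two types the post accepts, mapped to the extension we assign.
const ALLOWED = ['image/png' => 'png', 'video/mp4' => 'mp4'];

function fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

// 1. Authenticate before doing anything with the file.
$user = $_POST['uname'] ?? '';
$pass = $_POST['pword'] ?? '';
if (!is_string($user) || !is_string($pass)) {
    fail(400, 'bad request');
}
if (!hash_equals(EXPECTED_USER, $user) || !password_verify($pass, EXPECTED_HASH)) {
    fail(401, 'invalid user name or password');
}

// 2. Confirm the upload completed and really came through PHP's upload path.
$f = $_FILES['fileContents'] ?? null;
if ($f === null || ($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
    fail(400, 'upload failed, code ' . (int)($f['error'] ?? UPLOAD_ERR_NO_FILE));
}
if (!is_uploaded_file($f['tmp_name'])) {
    fail(400, 'not an uploaded file');
}
if ((int)$f['size'] > MAX_BYTES) {
    fail(413, 'file too large');
}

// 3. The post's length check. The client-supplied name is only inspected here;
//    it is never used to build a path on disk.
if (strlen((string)$f['name']) >= 255) {
    fail(400, 'The file name you have chosen is too long.');
}

// 4. Determine the type from the bytes, not from $_FILES[...]['type'],
//    which is set by the client and can say anything.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime = $finfo->file($f['tmp_name']);
if ($mime === false || !isset(ALLOWED[$mime])) {
    fail(415, 'Invalid file');
}
// For images, ask the image parser for a second opinion.
if ($mime === 'image/png' && @getimagesize($f['tmp_name']) === false) {
    fail(415, 'Invalid file');
}

// 5. Store under a random server-chosen name with a fixed extension, outside the
//    document root, so an uploaded .php (or a name containing ../) is never run.
$stored = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
$dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $stored;
if (file_exists($dest)) {
    fail(500, 'name collision, please retry');
}
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    fail(500, 'could not store file');
}
chmod($dest, 0640); // readable by the application, never executable

header('Content-Type: text/plain');
echo 'File stored as: ' . $stored;
```

Because the stored name is generated on the server, the "already exists" branch of the original becomes a collision check that should never fire, and the length check remains only to reject clients that send names the rest of the system could not handle. If the files later need to be served back, do it through a PHP script that reads from UPLOAD_DIR and sends a fixed Content-Type, rather than by placing the directory under the document root.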


1 Comment »

  1. Theresa said,

    Thanks @tetontech for sharing this code. I'm just confused about this security service. But after implementing it I will let you know. 🙂
