[wplug] Clean up a PHP script

Matthew White mgw854 at msn.com
Fri Feb 1 08:11:28 EST 2008


There are PHP functions to clean input - the manual has some good
information:
http://us.php.net/manual/en/ref.filter.php

or maybe use file_get_contents() to make the file a string and search for 
"bad" input.

Hope this helps
Matt

--------------------------------------------------
From: "Zach" <netrek at gmail.com>
Sent: Thursday, January 31, 2008 9:45 PM
To: "General user list" <wplug at wplug.org>
Subject: Re: [wplug] Clean up a PHP script

> I don't know if you can do something like exec() in PHP but maybe run
> it through a program like /usr/bin/file to make sure it really is a
> text file. They could name anything .txt that doesn't mean it is.
>
> Zach
>
> On Jan 31, 2008 8:46 PM, Kevin Squire <gentgeen at wikiak.org> wrote:
>> I have created a web form with PHP.  The webform is in online application
>> form, that then emails our HR department.  They want me to include an 
>> option
>> on the form to upload a resume.  I would like to stem off some trouble by
>> making sure that the file they upload is one of our "acceptable" formats.
>> (Arguments about acceptable can be tabled -- I had to fight them to 
>> accept
>> .txt file formats)
>>
>> I have my check working, but I have two questions about it:
>>
>> 1) It seems to be a bit of a kludge - can I clean it up some?
>> 2) What false-positives could occur?
>>
>> Here is a snip:
>>
>>       error_reporting(0);
>>        // initialize a array to hold any errors we encounter
>>       $errors = array();
>>       // check to see if a first name was entered
>>       if (!$_POST['fName'])
>>          $errors[] = "First Name is required";
>>        // check to see if a last name was entered
>>       if (!$_POST['lName'])
>>          $errors[] = "Last Name is required";
>>
>> CUT SOME STUFF OUT HERE......
>>
>>         // check file types against known extensions
>>        $whitelist = array(".rtf", ".doc", ".txt", ".pdf");
>>       // initialize the extension errors counter
>>       $ext_err = 0;
>>       // check the file extension
>>       foreach ($whitelist as $item) {
>>          if (!preg_match("/$item\$/i", $_FILES['userfile']['name']))
>>            $ext_err = $ext_err + 1 ;
>>       }
>>       if ($ext_err == 4)
>>              $errors[] = "We only allow certain file formats " .$ext_err;
>>
>> From the "foreach" loop down is the part that I would think I could
>> clean up some.. but I just can't seem to figure it out myself.
>>
>> Thanks,
>> Kevin
>>
>> _______________________________________________
>> wplug mailing list
>> wplug at wplug.org
>> http://www.wplug.org/mailman/listinfo/wplug
>>
>>

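As an added example (not code from Kevin's form or from any list member), here is one way to condense the extension loop and to add the content check Zach describes, using PHP's built-in finfo instead of shelling out to /usr/bin/file. The function names, the ACCEPTED_TYPES table and the MIME strings in it are assumptions for illustration; the exact MIME type libmagic reports for .rtf and .doc varies by version, so check it against real files before relying on the table. Because it compares the extracted extension against a list instead of building a regex from each whitelist entry, the "." in ".rtf" is never treated as a wildcard, and a name like resume.txt.exe is rejected because pathinfo() only returns the last extension.

```php
<?php
// Added example: cleaned-up extension check plus a content check for a
// resume upload. Not part of the original thread.

// Accepted extensions mapped to the MIME types finfo is expected to report.
// ASSUMPTION: these MIME strings are illustrative; verify against your libmagic.
const ACCEPTED_TYPES = [
    'txt' => ['text/plain'],
    'rtf' => ['text/rtf', 'application/rtf'],
    'doc' => ['application/msword'],
    'pdf' => ['application/pdf'],
];

/**
 * Returns the lowercased extension if the client-supplied name ends in an
 * accepted extension, or null otherwise. Replaces the four-iteration
 * preg_match loop with a single in_array()-style lookup.
 */
function allowedExtension(string $clientName, array $accepted = ACCEPTED_TYPES): ?string
{
    // pathinfo() returns only the final extension, so "cv.txt.exe" yields "exe".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return isset($accepted[$ext]) ? $ext : null;
}

/**
 * Returns true if the bytes on disk look like the type the extension claims.
 * This is the PHP-native equivalent of running the file contents through
 * /usr/bin/file: the name is just a claim, libmagic inspects the content.
 */
function contentMatches(string $path, string $ext, array $accepted = ACCEPTED_TYPES): bool
{
    if (!isset($accepted[$ext]) || !is_readable($path)) {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    return $mime !== false && in_array($mime, $accepted[$ext], true);
}

// Usage inside the form handler, alongside the existing $errors array.
$errors = [];
$file   = $_FILES['userfile'] ?? [];

if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
    // PHP already rejected the upload (too large, partial, missing, ...).
    $errors[] = 'Resume upload failed';
} elseif (($ext = allowedExtension($file['name'] ?? '')) === null) {
    $errors[] = 'We only allow .' . implode(', .', array_keys(ACCEPTED_TYPES)) . ' files';
} elseif (!is_uploaded_file($file['tmp_name'] ?? '')
          || !contentMatches($file['tmp_name'], $ext)) {
    // Extension was fine but the contents do not look like that type.
    $errors[] = "The uploaded file does not look like a .$ext file";
}
```

Keeping the two checks in separate functions means the extension test can be exercised with plain strings and the content test with any local file, without needing a real HTTP upload; is_uploaded_file() stays in the handler because it only returns true for files PHP received in the current request.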
