Reputation: 3234
<td valign="top">
<input type="hidden" name="MAX_FILE_SIZE" value="12485760" />
Image?</td>
<td><input type="file" name="image">
<?php
// Build the destination path from the client-supplied file name.
$path = "uploads/";
$path .= basename($_FILES['image']['name']);
$path = addslashes($path);
$name = $_FILES['image']['name'];
// Show the computed path, then move the temporary upload into place.
echo $path;
move_uploaded_file($_FILES['image']['tmp_name'], $path);
The above code should work, as I have a very similar one working neatly. However, it does not seem to pick anything up from the form (the very top code). If anyone could point out how I'm being a fool and breaking this, I would be much appreciative.
Upvotes: 0
Views: 174
Reputation: 536715
You do know this is completely insecure, right? You might be able to get away with it on an intranet with only trusted users, but otherwise this code is guaranteed trouble.
file['name'] can't be relied upon to contain anything usable as a filename, and an attacker could easily set it to something including a '..' path part to overwrite files outside the uploads folder. And by uploading a file with a .php extension, they can most likely execute arbitrary code on your server.
If you use file['name'] at all it must be strongly sanitised (e.g. remove all non-alphanumeric characters and add an appropriate file extension yourself) and you'll have to deal with the possibility of not getting a filename at all (in which case you'll have to make one up from e.g. random numbers).
The 'echo $path' also gives you HTML injection leading to cross-site scripting attacks.
addslashes() does not protect you from directory traversal or HTML injection. It also fails to escape SQL strings correctly, which was its supposed original purpose. A good rule of thumb is that any application using addslashes() (explicitly, or implicitly through magic_quotes) is Doing It Wrong.
Upvotes: 0
Reputation: 321834
Make sure you have the attribute enctype="multipart/form-data" on your <form> tag.
Upvotes: 7
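The two answers above make separate points: the form needs enctype="multipart/form-data" or $_FILES stays empty, and the client-supplied file name must never decide where or under what extension the file is stored. The following single-file page is an added example that is not code from the question or from either answer; it puts both points together. UPLOAD_DIR, ALLOWED_TYPES and the storeUpload() function are names chosen for this example, and the directory is assumed to exist and be writable by the web server.

```php
<?php
// Added example (not from the question or answers): form with the required enctype,
// plus a handler that names stored files itself and escapes everything it echoes.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed location; keeping it outside the web root is better still
const MAX_BYTES  = 12485760;               // same limit the question's MAX_FILE_SIZE field used
// Types this page intends to accept, keyed by the sniffed MIME type; the value is the
// extension the server assigns. The client-chosen extension is never used.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Store one entry of $_FILES under a server-generated name and return that name.
 * Throws RuntimeException on any rejection.
 */
function storeUpload(array $file): string
{
    // PHP reports transfer problems here; size and name fields mean nothing on error.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int)($file['error'] ?? -1));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Confirm the temporary path really is this request's upload and not some other file.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Decide the type from the content, not from the client-supplied name or MIME type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Unsupported file type');
    }
    // Random stored name: '..' segments or a .php extension in the original name cannot matter.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // plain data, not executable
    return $stored;
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    try {
        $stored  = storeUpload($_FILES['image']);
        // Escape anything echoed back; the original name in particular is attacker-controlled.
        $message = 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')
                 . ' (original name: '
                 . htmlspecialchars((string)$_FILES['image']['name'], ENT_QUOTES, 'UTF-8') . ')';
    } catch (RuntimeException $e) {
        $message = htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
?>
<!-- Without enctype="multipart/form-data" the browser posts only the file name and $_FILES stays empty. -->
<form method="post" enctype="multipart/form-data">
  <input type="hidden" name="MAX_FILE_SIZE" value="12485760">
  <label>Image? <input type="file" name="image"></label>
  <button type="submit">Upload</button>
</form>
<p><?= $message ?></p>
```

The hidden MAX_FILE_SIZE field is only a hint to the browser; the real size limit is enforced by the server-side check above and by upload_max_filesize and post_max_size in php.ini. Because the stored name and extension come from the server and the MIME type is sniffed from the content, the client-supplied name is reduced to display text, and htmlspecialchars() handles the HTML injection the first answer points out.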