-1

I wrote this piece of PHP to enable simple PHP File-Uploading with base64-strings.

Back then, it was just supposed to work (and it does). But now I want to beef it up to make this actually secure against malicious intent.

I use this script for an app of mine (file uploads):

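```php
if (isset($_GET["upload"]))
{
    // Base64 string sent by the client in the POST body
    $contents = $_POST["contents"];

    // Decode it and write the result to a fixed file name
    $file = fopen("filename.wav", "w");
    $input = base64_decode($contents);
    fwrite($file, $input);
    fclose($file);
}
```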
Saphire
  • What's insecure about it? You should use `$_FILES` obviously, but there's nothing 'wrong' with this code. – Niels Keurentjes Jan 05 '14 at 16:04
  • Why are you checking a `GET` variable for a `POST` request? That's highly inconsistent. The request is either POST or GET. While you can do what you're doing, I'd recommend to stick to only one method. – Francisco Presencia Jan 05 '14 at 16:11
  • possible duplicate of [Can input written to a file be maliciously tampered?](http://stackoverflow.com/questions/14555392/can-input-written-to-a-file-be-maliciously-tampered) – SilverlightFox Sep 05 '14 at 09:30

1 Answer

-1

You can check if it is an uploaded file via HTTP using is_uploaded_file: http://www.w3schools.com/php/func_filesystem_is_uploaded_file.asp

```php
<?php
$file = "test.txt";
// is_uploaded_file() returns true only if the named file was uploaded via HTTP POST
if (is_uploaded_file($file)) {
    echo ("$file is uploaded via HTTP POST");
} else {
    echo ("$file is not uploaded via HTTP POST");
}
?>
```
Christian Giupponi
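One way to harden the handler from the question, as an added example that is not code from the asker or the answerer: because the payload arrives as a base64 string in `$_POST["contents"]` rather than through `$_FILES`, the checks are applied to the decoded bytes. `UPLOAD_DIR`, `MAX_BYTES`, `decode_wav()` and `store_wav()` are hypothetical names and values chosen for illustration.

```php
<?php
// Added example. UPLOAD_DIR, MAX_BYTES and both function names are assumptions.
const UPLOAD_DIR = '/var/app-data/uploads'; // assumed: a directory outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;         // assumed: 5 MiB cap on the decoded file

/** Decode and validate a base64 WAV payload; returns the bytes, or null if rejected. */
function decode_wav(string $b64): ?string
{
    // Reject oversized input before decoding (base64 is about 4/3 the decoded size).
    if ($b64 === '' || strlen($b64) > intdiv(MAX_BYTES * 4, 3) + 4) {
        return null;
    }
    // Strict mode returns false on characters outside the base64 alphabet.
    $raw = base64_decode($b64, true);
    if ($raw === false || strlen($raw) < 12 || strlen($raw) > MAX_BYTES) {
        return null;
    }
    // A WAV file is a RIFF container: "RIFF", a 4-byte size, then "WAVE".
    if (substr($raw, 0, 4) !== 'RIFF' || substr($raw, 8, 4) !== 'WAVE') {
        return null;
    }
    return $raw;
}

/** Write the bytes under a server-generated name, so no client value reaches the path. */
function store_wav(string $raw): string
{
    $path = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.wav';
    if (file_put_contents($path, $raw, LOCK_EX) === false) {
        throw new RuntimeException('could not write upload');
    }
    return $path;
}

if (PHP_SAPI === 'cli') {
    // Constructed samples: a minimal RIFF/WAVE header and a plain-text payload.
    var_dump(decode_wav(base64_encode('RIFF' . pack('V', 4) . 'WAVE')) !== null);
    var_dump(decode_wav(base64_encode('not a wav file at all')) !== null);
} elseif (isset($_GET['upload'])) {
    $contents = $_POST['contents'] ?? null;
    $isPost = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
    $raw = ($isPost && is_string($contents)) ? decode_wav($contents) : null;
    if ($raw === null) {
        http_response_code(400);
        exit('rejected');
    }
    store_wav($raw);
    http_response_code(201);
}
```

The header check only confirms the RIFF/WAVE signature; it is not a full parse of the audio data, so anything that later processes the file should still treat it as untrusted input.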