Challenge - 5 Problems
File Upload Security Master
❓ Predict Output
Difficulty: intermediate
What is the output of this PHP code handling file uploads?
Consider this PHP snippet that checks the uploaded file type before saving it. What will it output if a user uploads a file named image.php with MIME type image/jpeg?
PHP
<?php
$allowed_types = ['image/jpeg', 'image/png'];
if (in_array($_FILES['file']['type'], $allowed_types)) {
    echo "Upload allowed";
} else {
    echo "Upload denied";
}
?>
💡 Hint
The code checks only the MIME type, not the file extension.
Explanation
The code checks if the MIME type is in the allowed list. Since the MIME type is 'image/jpeg', it matches and prints 'Upload allowed' even though the file extension is '.php'. This shows a security risk because the file extension is not checked.
🧠 Conceptual
Difficulty: intermediate
Which risk is NOT typically associated with file uploads?
Select the option that is NOT a common security risk when handling file uploads in PHP.
💡 Hint
Think about how SQL Injection usually happens.
Explanation
SQL Injection typically happens through user input in database queries, not through file uploads directly. The other options are common risks related to file uploads.
🔧 Debug
Difficulty: advanced
Why does this PHP file upload code allow dangerous files?
This PHP code tries to restrict uploads to images only. Why does it still allow uploading a PHP script named shell.jpg?
PHP
<?php
$allowed_ext = ['jpg', 'jpeg', 'png'];
$filename = $_FILES['file']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if (in_array($ext, $allowed_ext)) {
    move_uploaded_file($_FILES['file']['tmp_name'], 'uploads/' . $filename);
    echo "File uploaded";
} else {
    echo "Invalid file type";
}
?>
💡 Hint
Check how the extension is verified and what happens if a file is renamed.
Explanation
The code only checks the file extension from the filename. If a PHP script is renamed to have a .jpg extension, it passes the check and is uploaded, which is dangerous.
📝 Syntax
Difficulty: advanced
What error does this PHP file upload validation code produce?
Identify the error in this PHP snippet that tries to validate file size and type.
PHP
<?php
if ($_FILES['file']['size'] > 2000000 && $_FILES['file']['type'] == 'image/png') {
    echo "File accepted";
} else {
    echo "File rejected";
}
?>
💡 Hint
What happens if the 'file' key is missing in the $_FILES array?
Explanation
If no file is uploaded, $_FILES['file'] is undefined, causing an 'Undefined index' notice or error.
🚀 Application
Difficulty: expert
How many files will be accepted by this PHP upload filter?
Given this PHP code that filters uploaded files, how many files from the list below will be accepted?
PHP
<?php
$allowed_types = ['image/jpeg', 'image/png'];
$allowed_ext = ['jpg', 'jpeg', 'png'];

function is_file_allowed($file) {
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (in_array($file['type'], $GLOBALS['allowed_types']) && in_array($ext, $GLOBALS['allowed_ext'])) {
        return true;
    }
    return false;
}

$files = [
    ['name' => 'photo.jpg', 'type' => 'image/jpeg'],
    ['name' => 'script.php', 'type' => 'image/jpeg'],
    ['name' => 'image.png', 'type' => 'image/png'],
    ['name' => 'document.jpg', 'type' => 'application/pdf']
];

$count = 0;
foreach ($files as $file) {
    if (is_file_allowed($file)) {
        $count++;
    }
}
echo $count;
?>
💡 Hint
Check both MIME type and extension for each file.
Explanation
Only 'photo.jpg' and 'image.png' have both allowed MIME types and extensions. 'script.php' has allowed MIME but wrong extension; 'document.jpg' has allowed extension but wrong MIME type.
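The gaps the five problems point at (client-supplied MIME type, client-supplied extension, missing $_FILES entry) closed in one validator, as an added example that is not part of the original quiz. The names safe_upload_name, sample, MAX_BYTES, ALLOWED and $dir, the 2,000,000-byte cap and the sample inputs are assumptions made for illustration; it requires PHP's fileinfo extension.

```php
<?php
// Added example, not quiz code. MAX_BYTES and all function names are assumptions.
const MAX_BYTES = 2000000;
// Content type detected from the file's bytes => extension the server assigns.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

/** Returns a server-generated file name, or null if the upload is rejected. */
function safe_upload_name(?array $file): ?string
{
    // Missing-key case: no $_FILES['file'] entry, or PHP reported an upload error.
    if ($file === null || ($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        return null;
    }
    // $file['type'] and the extension in $file['name'] both come from the
    // client, so neither is consulted. Inspect the stored bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = ALLOWED[(string) $mime] ?? null;
    // Random name plus a server-chosen extension; the client's name is discarded.
    return $ext === null ? null : bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs shaped like $_FILES entries, so this runs from the CLI.
function sample(string $name, string $type, string $bytes): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    return ['name' => $name, 'type' => $type, 'tmp_name' => $tmp,
            'error' => UPLOAD_ERR_OK, 'size' => strlen($bytes)];
}

// Constructed PNG signature and IHDR header (1x1), enough for type detection.
$png = "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" . pack('N2', 1, 1) . "\x08\x06\x00\x00\x00";
$cases = [
    sample('image.png', 'image/png', $png),                       // real PNG header
    sample('shell.jpg', 'image/jpeg', '<?php echo "hello"; ?>'),  // script renamed to .jpg
    sample('image.php', 'image/jpeg', '<?php echo "hello"; ?>'),  // spoofed MIME type
];
foreach ($cases as $case) {
    $stored = safe_upload_name($case);
    echo $case['name'], ' => ', $stored ?? 'rejected', PHP_EOL;
    unlink($case['tmp_name']);
}
// In a request handler (hypothetical $dir outside the web root):
// if ($stored !== null) move_uploaded_file($file['tmp_name'], $dir . '/' . $stored);
```

In a request handler, call it as safe_upload_name($_FILES['file'] ?? null) so a request without a file is rejected instead of raising a notice.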