PHP Upload script with passcode/password protection

Below is the code for a PHP upload script. Copy and paste it into a text file and save the text file as a .php file (IMPORTANT: if you don't save it with a .php extension, your server might not know what to do with it!). Some operating systems hide the file extensions for common file types (e.g. program.EXE, document.TXT, picture.JPG), so make sure the real extension is .php.

Remarks: If you do not use a strong pin, or if you remove the pin using the directions below, and your server is accessible by the public, someone could upload a malicious file and execute it, taking control of your server, defacing it, or using it to serve illegal content/ransomware/viruses/etc.


Tips for modifying the script are below the code.

<?PHP
/*
 * Made by : Glimmstängel
 * website : https://cindar.me
 * LICENSE : Creative Commons [BY][SA][NC] : https://creativecommons.org/licenses/by-nc-sa/3.0/legalcode.txt
 */

//config
$Directory = "uploaded"; /* edit me inbetween "" to set the folder you want to upload to! */
$SecretPin = 4158416828; /* put your pincode here! */
/* Remember if you don't have a secure connection (https/SSL/TLS) to your site someone could see what you're uploading and your pin! */
/* Check out https://letsencrypt.org/ for free SSL certificates, you'll have to lookup guides on how to implement it! */
//configend

$respg = ""; /* success message shown in green */
$respb = ""; /* error/warning message shown in red */
$dupe = false;

/* Moves the uploaded file into $dir; $dupe is a prefix used when the name is already taken. */
function DoUpload($dir, $file, $dupe) {
    $resp = array("", "");
    $path = $dir . "/" . $dupe . $file;
    if(move_uploaded_file($_FILES['file']['tmp_name'], $path)) {
        /* The file name comes from the client, so escape it before it is printed into the page. */
        $resp[0] = "Your file: " . htmlspecialchars($dupe . basename($_FILES['file']['name'])) . " has been uploaded!";
        $resp[1] = "good";
    } else {
        $resp[0] = "Could not upload the file. Please make sure your settings are correct and the directory and [thisfile].php have the correct permissions.";
        $resp[1] = "bad";
    }
    return $resp;
}

if(isset($_POST["submit"])) {
    if(htmlspecialchars($_POST['pin']) == $SecretPin) {
        if(!empty($_FILES['file'])) {
            if(file_exists($Directory . "/" . basename($_FILES['file']['name']))) {
                /* Name already taken: prefix a random number instead of overwriting. */
                $resp = DoUpload($Directory, basename($_FILES['file']['name']), rand(1, getrandmax()));
                $dupe = true;
            } else {
                $resp = DoUpload($Directory, basename($_FILES['file']['name']), "");
            }
            if($resp[1] == "good") {
                $respg = $resp[0];
            }
            if($resp[1] == "bad") {
                $respb = $resp[0];
            }
            if($respb == "" && $dupe == true) {
                $respb = "File already existed so the name was changed!";
            }
        }
    } else { die("Upload refused! INVALID PASSCODE."); }
}
?>
<!DOCTYPE html>
<html>
<head>
    <title>Uploader</title>
    <style>
        body { background-color: #1e1e1e; color: #dcdcdc; }
        .header { font-size: 2em; text-align: center; margin-bottom: 45px; }
        .wraper { margin: auto; width: 60%; }
        .wraper > input { font-size: 1.2em; margin-bottom: 15px; margin-right: 10px; }
        .status, .wraper > label { font-size: 1.2em; }
        .good { color: limegreen; }
        .bad { color: crimson; }
    </style>
</head>
<body>
    <form enctype="multipart/form-data" method="POST">
        <div class="header">My awesome File uploader!</div>
        <div class="wraper">
            <input type="file" name="file"></input><br />
            <label for="pin">Passcode: </label><input type="number" id="pin" name="pin"></input>
            <input type="submit" name="submit" value="Upload"></input>
            <div class="status good">
<?=$respg;?>
            </div>
            <div class="status bad">
<?=$respb;?>
            </div>
        </div>
    </form>
</body>
</html>

 

* Modifying the pin.

If you want to modify the pin number, simply edit the number after the = sign and make sure it has the ; after the number, like = 333; (Note: It must be a number! No letters, symbols, or spaces besides the first space after =.)

$SecretPin = 4158416828;

 

* Removing the passcode protection

If you want to completely remove the pincode, delete these lines:

} else { die("Upload refused! INVALID PASSCODE."); }

and

if(htmlspecialchars($_POST['pin']) == $SecretPin) {

and

<label for="pin">Passcode: </label><input type="number" id="pin" name="pin"></input>

You can also remove the pin variable at the top since it's no longer needed, but it won't hurt to leave it there.

$SecretPin = 4158416828;
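
The Remarks near the top warn that anyone who gets past the pin can upload a file the server will then execute. The block below is an added example, not part of the original script or the author's code: it shows one way to narrow that risk with a string passcode compared in constant time, an extension allowlist and server-generated file names ($AllowedExt, $MaxBytes and CheckedUpload() are hypothetical names, and the passcode value is a placeholder).

```php
<?php
// Added example, not the original author's code. $AllowedExt, $MaxBytes and
// CheckedUpload() are hypothetical names; passcode and allowlist are placeholders.
$Directory  = "uploaded";
$SecretPin  = "replace-with-a-long-random-passcode"; // a string, so not limited to digits
$AllowedExt = array("jpg", "png", "gif", "pdf", "txt", "zip"); // constructed allowlist
$MaxBytes   = 10 * 1024 * 1024; // assumed size limit: 10 MiB

function CheckedUpload($dir, $upload, $allowedExt, $maxBytes) {
    // Reject failed, multi-file or oversized uploads before touching the file.
    if ($upload['error'] !== UPLOAD_ERR_OK || $upload['size'] > $maxBytes) {
        return array("Upload failed or file too large.", "bad");
    }
    // Only extensions on the allowlist are accepted, so .php, .phtml etc. are refused.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return array("File type not allowed.", "bad");
    }
    // The name on disk is generated by the server; the client-supplied name is discarded.
    $name = bin2hex(random_bytes(16)) . "." . $ext;
    if (!move_uploaded_file($upload['tmp_name'], $dir . "/" . $name)) {
        return array("Could not store the file.", "bad");
    }
    return array("Your file has been stored as " . $name, "good");
}

$respg = "";
$respb = "";
if (isset($_POST["submit"])) {
    $pin = (isset($_POST['pin']) && is_string($_POST['pin'])) ? $_POST['pin'] : "";
    // hash_equals() compares strings in constant time, with no numeric type juggling.
    if (!hash_equals($SecretPin, $pin)) {
        http_response_code(403);
        die("Upload refused! INVALID PASSCODE.");
    }
    if (!empty($_FILES['file'])) {
        $resp = CheckedUpload($Directory, $_FILES['file'], $AllowedExt, $MaxBytes);
        if ($resp[1] == "good") { $respg = $resp[0]; } else { $respb = $resp[0]; }
    }
}
?>
```

It sets the same $respg and $respb variables, so the HTML form from the original script can follow it, with the pin field changed from type="number" to type="password". The web server should also be configured not to execute scripts inside the upload folder.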