I want to restrict people from uploading executable files in PHP. I am trying to do it but it's still not getting done. I am using the move_uploaded_file function with an if condition to check it. Can anyone help me regarding this?
You check the file extension of the uploaded file and, depending on whether or not it is found in the allowed-extensions array, you do what you want to do. You can also check MIME types and such, but that should be another check, and not the sole check.

<?php
...
$fileName = $_FILES['file_input_name']['name'];
$fileArray = explode('.', $fileName);
// Only the part after the last dot counts; lower-cased so "JPG" and "jpg" are treated alike
$fileExt = strtolower($fileArray[count($fileArray) - 1]);
$allowedExt = array("png", "jpg", "jpeg", "gif"); // Put allowed file extensions here
if (!in_array($fileExt, $allowedExt)) {
    echo "The file type of the file you are trying to upload is not allowed";
    exit;
}

// Second, independent check on the MIME type the client reported
$fileType = $_FILES['file_input_name']['type'];
$allowedTypes = array("image/png", "image/gif", "image/jpeg"); // Put allowed file MIME types here (browsers send image/jpeg, not image/jpg)
if (!in_array($fileType, $allowedTypes)) {
    echo "The file type of the file you are trying to upload is not allowed";
    exit;
}

move_uploaded_file($_FILES['file_input_name']['tmp_name'], "New Location");
echo "File uploaded!";
...
?>
You can use the following code to check whether the file type suits you or not:

<?php
// Reject the upload only when the reported type matches none of the allowed ones,
// so the comparisons must be combined with && (with || the check would always fail)
if (($_FILES["file"]["type"] != "application/msword") &&
    ($_FILES["file"]["type"] != "application/vnd.ms-excel") &&
    ($_FILES["file"]["type"] != "application/vnd.ms-powerpoint")) {
    echo "Invalid file type";
}
?>
Goddammit people, stop relying on the mime type in the $_FILES array. Seriously, where does it say this is a good idea? I want to know what site it is and take it off the internet. You might as well add a message to your form saying "Please be a chap and only upload good files, will ya?" That's equally secure and it's 5 lines shorter than the PHP code that achieves the same.
The code I used checks the mime type and the final extension of the file. It's not completely secure and can be bypassed, but why not throw it in anyway in addition to whatever else you're doing to check the file? It's just a few extra lines of code. And if neither of these seems like a viable option, why not suggest a method of checking file types without mime types that you believe is more effective.
Well to be honest your code is okay. It was more about mymindrules's code. If you check for the mime type in addition to other checks, that's fine. Although it's not really necessary since it's super easy to bypass and can't be trusted. Ever. You're much better off using PHP's fileinfo extension. It's a much more reliable way to get information about a file. Furthermore, you can store uploaded files outside your public directories so they can't be triggered through the browser. If you need to access the files at some point, you can use functions like readfile() to get their contents without actually executing the file. Or you can store them in BLOB fields in a database. I probably wouldn't recommend this if you're expecting a lot of files, though. Then there's whitelisting the extensions, like you're doing above. This is the most important thing to do, to be honest.
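The following handler is an added example, not code from any poster in this thread. It puts together the advice from the answers above: whitelist extensions, detect the real content type with PHP's fileinfo extension instead of trusting the client-supplied $_FILES[...]['type'], store the file outside the public directory under a generated name, and hand it back with readfile() so it is never executed. The form field name 'upload', the UPLOAD_DIR location and the three function names are this example's own assumptions.

```php
<?php
// Added example: hardened upload handling following the advice in this thread.
// Assumed: form field 'upload'; UPLOAD_DIR is outside the web server's document root.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../private_uploads'; // assumed path, not web-accessible
const MAX_BYTES  = 2 * 1024 * 1024;

// Whitelist: extension => the MIME type fileinfo must report for that extension.
// Anything not in this map is rejected, whatever the client says it is.
const ALLOWED = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/** Validate one $_FILES entry and return its whitelisted extension, or throw. */
function validateUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) ($file['error'] ?? UPLOAD_ERR_NO_FILE));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Only the final extension counts, compared case-insensitively against the whitelist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // Detect the type from the bytes on disk, not from the client-reported 'type' field,
    // and require it to agree with the extension.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException('Content does not match the .' . $ext . ' extension');
    }
    return $ext;
}

/** Move a validated upload outside the web root under a random name; return that name. */
function storeUpload(array $file): string
{
    $ext = validateUpload($file);
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0700, true)) {
        throw new RuntimeException('Cannot create upload directory');
    }
    // The original filename is never used on disk.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return $stored;
}

/** Stream a stored file back by its generated name; it is read, never executed. */
function serveUpload(string $stored): void
{
    // Accept only names this script issued (32 hex chars + whitelisted extension),
    // so no path components from the request ever reach the filesystem.
    $pattern = '/^[0-9a-f]{32}\.(' . implode('|', array_keys(ALLOWED)) . ')$/';
    if (!preg_match($pattern, $stored, $m)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $stored;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[$m[1]]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage: the handler for a form containing <input type="file" name="upload">
if (isset($_FILES['upload'])) {
    try {
        $name = storeUpload($_FILES['upload']);
        echo 'File uploaded as ' . $name;
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Rejected: ' . $e->getMessage();
    }
}
```

Two points in the design are worth noting. The extension and the fileinfo result are checked against each other rather than independently, so a file whose bytes say one thing and whose name says another is rejected outright. And because the stored name is generated by the server and the serve function only accepts names of that exact shape, nothing under the upload directory can be requested by a path the client chose.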
Get the exact file type, not the MIME type; try this:

<?php
// pathinfo() splits the client-supplied name; 'extension' is the part after the last dot
$file = pathinfo($_FILES['file']['name']);
echo $file['extension'];
?>