How can we restrict uploading file type in php

Discussion in 'PHP' started by grandseo, Nov 8, 2013.

  1. #1
    I want to restrict people from uploading executable files in PHP. I am trying to do it but it's still not getting it done. I am using the move_uploaded_file function with an if condition to check it. Can anyone help me regarding this?
     
    grandseo, Nov 8, 2013 IP
  2. PoPSiCLe

    #2
    You check the file-extension of the uploaded file, and depending on whether or not they're found in allowed files array, you do what you want to do.

    You can also check mime types and such, but that should be another check, and not the sole check
     
    PoPSiCLe, Nov 8, 2013 IP
  3. Pudge1

    #3
    
    <?PHP
    ...
    $fileName = $_FILES['file_input_name']['name'];

    // The extension is the last dot-separated part of the name, lowercased so "JPG" matches "jpg"
    $fileArray = explode('.', $fileName);
    $fileExt = strtolower($fileArray[count($fileArray) - 1]);

    $allowedExt = array("png", "jpg", "jpeg", "gif"); //Put allowed file extensions here

    if(!in_array($fileExt, $allowedExt))
    {
        echo "The file type of the file you are trying to upload is not allowed";
        exit;
    }

    // MIME type as sent by the client with the upload
    $fileType = $_FILES['file_input_name']['type'];

    $allowedTypes = array("image/png", "image/gif", "image/jpeg"); //Put allowed file mime types here

    if(!in_array($fileType, $allowedTypes))
    {
        echo "The file type of the file you are trying to upload is not allowed";
        exit;
    }

    move_uploaded_file($_FILES['file_input_name']['tmp_name'], "New Location");
    echo "File uploaded!";

    ...
    ?>
     
    Pudge1, Nov 8, 2013 IP
  4. mymindrules

    #4
    You can use the following code to check whether the file type suits you or not
    <?php

    // The type is invalid only if it matches none of the allowed values, so the tests are joined with &&
    if (($_FILES["file"]["type"] != "application/msword")
    && ($_FILES["file"]["type"] != "application/vnd.ms-excel")
    && ($_FILES["file"]["type"] != "application/vnd.ms-powerpoint"))
      {
      echo "Invalid file type";
      }
    ?>
     
    mymindrules, Nov 8, 2013 IP
    grandseo likes this.
  5. nico_swd

    #5
    Godamnit people, stop relying on the mime type in the $_FILES array. Seriously, where does it say this is a good idea? I want to know what site it is and take it off the internet.

    You might as well add a message to your form saying "Please be a chap and only upload good files, will ya?" That's equally secure and it's 5 lines shorter than the PHP code that achieves the same.
     
    nico_swd, Nov 9, 2013 IP
  6. Pudge1

    #6
    The code I used checks the mime type and the final extension of the file. It's not completely secure and can be bypassed, but why not throw it in anyway in addition to whatever else you're doing to check the file? It's just a few extra lines of code. And if neither of these seem like viable options, why not suggest a method of checking file types without mime types that you believe is more effective?
     
    Pudge1, Nov 9, 2013 IP
  7. nico_swd

    #7
    Well to be honest your code is okay. It was more about mymindrules's code. If you check for the mime type in addition to other checks, that's fine. Although it's not really necessary since it's super easy to bypass and can't be trusted. Ever.

    You're much better off using PHP's fileinfo extension. It's a much more reliable way to get information about a file.

    Furthermore, you can store uploaded files outside your public directories so they can't be triggered through the browser. If you need to access the files at some point, you can use functions like readfile() to get their contents without actually executing the file.

    Or you can store them in BLOB fields in a database. I probably wouldn't recommend this if you're expecting a lot of files, though.

    Then there's whitelisting the extensions, like you're doing above. This is the most important thing to do, to be honest.
     
    nico_swd, Nov 9, 2013 IP
    Pudge1 likes this.
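
The measures listed in post #7 (extension whitelist, fileinfo instead of the client-sent type, storage outside the public directories, delivery through readfile()) combined into one handler. This is an added example, not code posted in the thread; the form field `file`, the query parameter `f` and the directory `/var/uploads` are assumptions.

```php
<?php
// Added example (not from the thread). Assumed: field "file", parameter "f", /var/uploads outside the web root.
const UPLOAD_DIR = '/var/uploads';
const ALLOWED = [ // whitelisted extension => type fileinfo must detect in the bytes
    'png' => 'image/png', 'jpg' => 'image/jpeg',
    'jpeg' => 'image/jpeg', 'gif' => 'image/gif',
];

// Returns the whitelisted extension, or null if the upload must be rejected.
function checkUpload(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $expected = ALLOWED[$ext] ?? null; // null: extension is not on the whitelist
    // The type is read from the file's content; $_FILES[...]['type'] is never used.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return $expected !== null && $detected === $expected ? $ext : null;
}

function storeUpload(array $file): ?string
{
    $ok = $file['error'] === UPLOAD_ERR_OK && is_uploaded_file($file['tmp_name']);
    $ext = $ok ? checkUpload($file['name'], $file['tmp_name']) : null;
    if ($ext === null) {
        return null;
    }
    // Server-generated name: nothing client-controlled ends up in the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], UPLOAD_DIR . "/$stored") ? $stored : null;
}

function serveUpload(string $stored): void
{
    // Accept only names of the shape storeUpload() generates (no path traversal).
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpe?g|gif)$/', $stored, $m)
        || !is_file(UPLOAD_DIR . "/$stored")) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[$m[1]]);
    header('X-Content-Type-Options: nosniff');
    readfile(UPLOAD_DIR . "/$stored"); // sends the bytes, never executes them
}

if (is_string($_FILES['file']['tmp_name'] ?? null)) {
    $name = storeUpload($_FILES['file']);
    echo $name === null ? 'Upload rejected' : "Stored as $name";
} elseif (is_string($_GET['f'] ?? null)) {
    serveUpload($_GET['f']);
}
```

Content detection alone can still be satisfied by a file that starts with valid image bytes and carries other data after them, which is why the stored name and extension are chosen by the server and the directory is not reachable through the browser.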
  8. donjajo

    #8
    Get the exact file type not MIME, try this
    
    <?php
    $file = pathinfo($_FILES['file']['name']);
    echo $file['extension'];
    ?>
     
    donjajo, Nov 9, 2013 IP