luigimia, posted December 28, 2011:

Hi. I'm making a file-sharing website but how do I stop users from uploading certain extensions? Here is my script so far:

```php
<?php
session_start();

// Only proceed when a file was actually sent and arrived without error
// ($_FILES replaces the removed $HTTP_POST_FILES array)
if (isset($_FILES['ufile']) && $_FILES['ufile']['error'] === UPLOAD_ERR_OK) {
    $file_name = basename($_FILES['ufile']['name']);
    // Prefix a random number so files with the same name do not collide
    $random_digit = rand(0, 9999);
    $new_file_name = $random_digit . $file_name;
    $path = "upload/" . $new_file_name;

    // move_uploaded_file() only accepts files that came in through an HTTP upload
    if (move_uploaded_file($_FILES['ufile']['tmp_name'], $path)) {
        echo "Successful<BR/>";
    } else {
        echo "Error";
    }
}
?>
```

litebearer, posted December 28, 2011:

This tutorial may help: http://php.about.com/od/advancedphp/ss/php_file_upload.htm

AyKay47, posted December 28, 2011:

You will want to compare the mime of the file to the $_FILES[filename][type] value. I like to store the valid extensions in an array and compare the array of values to the mime type of the given file using a conditional statement.

luigimia (Author), posted December 29, 2011:

> You will want to compare the mime of the file to the $_FILES[filename][type] value. I like to store the valid extensions in an array and compare the array of values to the mime type of the given file using a conditional statement.

May you explain how to do that?

luigimia (Author), posted December 29, 2011:

I can't get this to work?

```php
<?php
$target = "upload/";
$target = $target . basename( $_FILES['uploaded']['name']) ;
$ok=1;
if ($uploaded_size > 350000) {
    echo "Your file is too large.<br>";
    $ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/php”) {
    echo “No PHP files”;
    $ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/cgi”) {
    echo “Not an approved file type.”;
    $ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/html”) {
    echo “Not an approved file type.”;
    $ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/asp”) {
    echo “Not an approved file type.”;
    $ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/pl”) {
    echo “Not an approved file type.”;
    $ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/gif”) {
    echo “Not an approved file type.”;
    $ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/jpg”) {
    echo “Not an approved file type.”;
    $ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/png”) {
    echo “Not an approved file type.”;
    $ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/tif”) {
    echo “Not an approved file type.”;
    $ok=0;
}
if ($ok==0) {
    Echo “Sorry your file was not uploaded”;
} else {
    if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)) {
        echo “The file “. basename( $_FILES['uploaded']['name']). ” has been uploaded”;
    } else {
        echo “Sorry, there was a problem uploading your file.”;
    }
}
?>
```

AyKay47, posted December 29, 2011:

95% of your mime types listed are not valid mime types, perhaps this and this will help.

QuickOldCar, posted December 29, 2011:

Try something like this, add any allowed mime types in the allowed array. I also see the wrong type quotes in your code, try using an editor that does not convert quotes, notepad2 works great. The proper double quote is ", not “ or ”

```php
<html>
<body>
<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
<?php
if(isset($_POST['submit']) && !empty($_POST['submit'])) {
    $allowed_array = array("image/gif","image/jpeg","image/pjpeg","image/png","image/bmp");
    if ($_FILES["file"]["error"] > 0) {
        echo "Error: " . $_FILES["file"]["error"] . "<br />";
    } else {
        if(in_array($_FILES["file"]["type"],$allowed_array)){
            // name and type come from the client, so escape them before echoing
            echo "Upload: " . htmlspecialchars($_FILES["file"]["name"]) . "<br />";
            echo "Type: " . htmlspecialchars($_FILES["file"]["type"]) . "<br />";
            echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
            echo "Stored in: " . $_FILES["file"]["tmp_name"];
        } else {
            echo htmlspecialchars($_FILES["file"]["type"]) . " not allowed";
        }
    }
} else {
    echo "Select your file to upload.";
}
?>
```

QuickOldCar, posted December 29, 2011:

Some changes to the previous code, also added checking for extensions within the allowed mime types.

```php
<html>
<body>
<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
<?php
if(isset($_POST['submit']) && !empty($_FILES["file"]["name"])) {
    $allowed_types = array("image/gif","image/jpeg","image/pjpeg","image/png","image/bmp");
    $allowed_extensions = array("gif","png","jpg","bmp");
    if ($_FILES["file"]["error"] > 0) {
        echo "Error: " . $_FILES["file"]["error"] . "<br />";
    } else {
        // lowercase the name so the extension comparison is case-insensitive
        $path_parts = pathinfo(strtolower($_FILES["file"]["name"]));
        // a name without a dot has no "extension" key
        $extension = isset($path_parts["extension"]) ? $path_parts["extension"] : "";
        if(in_array($_FILES["file"]["type"],$allowed_types) && in_array($extension,$allowed_extensions)){
            // name and type come from the client, so escape them before echoing
            echo "Upload: " . htmlspecialchars($_FILES["file"]["name"]) . "<br />";
            echo "Type: " . htmlspecialchars($_FILES["file"]["type"]) . "<br />";
            $path_parts = pathinfo($_FILES["file"]["name"]);
            echo "Extension: " . htmlspecialchars($path_parts["extension"]) . "<br />";
            echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
            echo "Stored in: " . $_FILES["file"]["tmp_name"];
        } else {
            echo "Type " . htmlspecialchars($_FILES["file"]["type"]) . " with extension " . htmlspecialchars($extension) . " not allowed";
        }
    }
} else {
    echo "Select your file to upload.";
}
?>
```

luigimia (Author), posted December 29, 2011:

Thanks! Quick question though, where do I put your script in proportion to the original? I tried mingling it in but must have put it in the wrong place because sometimes I got it being treated as two different scripts and sometimes being presented with an error? Where do I put the original? Thanks!

QuickOldCar, posted December 29, 2011:

There seems to be items missing from that tutorial. Don't forget to have a folder named upload in the same directory as this script is, or change your target path. Pretty sure I added the essentials to this, also included a timestamp to the front of the file name so you don't have duplicate named files.

```php
<html>
<body>
<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
<?php
if(isset($_POST['submit']) && !empty($_FILES["file"]["name"])) {
    $timestamp = time();
    // target directory only; the form field is "file", not "uploaded"
    $target = "upload/";
    $ok=1;
    $allowed_types = array("image/gif","image/jpeg","image/pjpeg","image/png","image/bmp");
    $allowed_extensions = array("gif","png","jpg","bmp");
    if ($_FILES['file']['size'] > 350000) {
        $max_size = round(350000 / 1024);
        echo "Your file is too large. Maximum $max_size Kb is allowed. <br>";
        $ok=0;
    }
    if ($_FILES["file"]["error"] > 0) {
        echo "Error: " . $_FILES["file"]["error"] . "<br />";
        $ok=0;
    } else {
        // lowercase the name so the extension comparison is case-insensitive
        $path_parts = pathinfo(strtolower($_FILES["file"]["name"]));
        // a name without a dot has no "extension" key
        $extension = isset($path_parts["extension"]) ? $path_parts["extension"] : "";
        if(in_array($_FILES["file"]["type"],$allowed_types) && in_array($extension,$allowed_extensions)){
            // basename() drops any directory part sent in the client file name
            $filename = $timestamp."-".basename($_FILES["file"]["name"]);
            // name and type come from the client, so escape them before echoing
            echo "Name: " . htmlspecialchars($filename) . "<br />";
            echo "Type: " . htmlspecialchars($_FILES["file"]["type"]) . "<br />";
            $path_parts = pathinfo($_FILES["file"]["name"]);
            echo "Extension: " . htmlspecialchars($path_parts["extension"]) . "<br />";
            echo "Size: " . round($_FILES["file"]["size"] / 1024) . " Kb<br />";
            //echo "Stored in: " . $_FILES["file"]["tmp_name"]. " <br />";
        } else {
            echo "Type " . htmlspecialchars($_FILES["file"]["type"]) . " with extension " . htmlspecialchars($extension) . " not allowed <br />";
            $ok=0;
        }
    }
    if($ok == 1){
        @move_uploaded_file($_FILES["file"]["tmp_name"], $target . $filename);
        $file_location = $target . $filename;
        if(file_exists($file_location)){
            // ENT_QUOTES because the href attribute is single-quoted
            echo "Uploaded to <a href='" . htmlspecialchars($file_location, ENT_QUOTES) . "'>" . htmlspecialchars($filename) . "</a> <br />";
        } else {
            echo "There was a problem saving the file. <br />";
        }
    }
} else {
    echo "Select your file to upload.";
}
?>
```

You can use the file types with if/else or a switch statement and display a resized image if it was an image, a link if it was a file, an embed if audio or video, etc. I just made it a hyperlink for simplicity.

luigimia (Author), posted December 29, 2011:

You are a life saver. Thank you very very very much.

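An added example, not part of the thread: the scripts above allow a file based on `$_FILES["file"]["type"]`, which is sent by the browser, so this version reads the type from the file's content with `finfo`, ties it to the thread's extension list, and stores the file under a server-generated name. `validate_upload()`, `ALLOWED` and `MAX_BYTES` are hypothetical names; it assumes PHP 7+ with the fileinfo extension, the thread's `file` form field and an `upload/` directory beside the script.

```php
<?php
// Added example; validate_upload(), ALLOWED and MAX_BYTES are hypothetical names.
const MAX_BYTES = 350000; // same size limit the thread uses
// extension => MIME types finfo may report for it (assumed libmagic values)
const ALLOWED = [
    'gif' => ['image/gif'],
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    'bmp' => ['image/bmp', 'image/x-ms-bmp'],
];

// Returns [true, $safeName] on success or [false, $reason] on rejection.
function validate_upload(array $file): array
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        return [false, 'upload failed'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        return [false, 'file too large'];
    }
    // The client-supplied name is used only to pick an allowlist entry.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return [false, 'extension not allowed'];
    }
    // Type is derived from the bytes on disk, never from $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return [false, 'content does not match extension'];
    }
    // Random server-side name: no part of the client name reaches the path.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

if (isset($_FILES['file'])) {
    [$ok, $result] = validate_upload($_FILES['file']);
    $dest = __DIR__ . '/upload/' . $result;
    if ($ok && move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
        echo 'Stored as ' . htmlspecialchars($result);
    } else {
        echo 'Rejected: ' . htmlspecialchars($ok ? 'could not save file' : $result);
    }
}
```

Keeping `upload/` outside the web root, or configuring the server not to execute scripts in it, limits the impact if a check is ever bypassed.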