Jump to content

Recommended Posts

Hi. I'm making a file-sharing website but how do I stop users from uploading certain extensions?

Here is my script so far:

 

<?php

session_start();

$file_name = $HTTP_POST_FILES['ufile']['name'];

$random_digit=rand(0000,9999);

$new_file_name=$random_digit.$file_name;

$path= "upload/".$new_file_name;

if($ufile !=none)

{

if(copy($HTTP_POST_FILES['ufile']['tmp_name'], $path))

{

echo "Successful<BR/>";

}

else

{

echo "Error";

}

}

?>

Link to comment
https://forums.phpfreaks.com/topic/253982-restrict-file-extensions/
Share on other sites

you will want to the compare the mime of the file to the $_FILES[filename][type] value.

I like to store the valid extensions in an array and compare the array of values to the mime type of the given file using a conditional statement.

you will want to the compare the mime of the file to the $_FILES[filename][type] value.

I like to store the valid extensions in an array and compare the array of values to the mime type of the given file using a conditional statement.

May you explain how to do that?

I can't get this to work?

<?php 
$target = "upload/"; 
$target = $target . basename( $_FILES['uploaded']['name']) ; 
$ok=1; 

if ($uploaded_size > 350000) 
{ 
echo "Your file is too large.<br>"; 
$ok=0; 
} 
if (isset($uploaded_type) && $uploaded_type ==”text/php”)
{
echo “No PHP files”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/cgi”)
{
echo “Not an approved file type.”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/html”)
{
echo “Not an approved file type.”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/asp”)
{
echo “Not an approved file type.”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/pl”)
{
echo “Not an approved file type.”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/gif”)
{
echo “Not an approved file type.”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/jpg”)
{
echo “Not an approved file type.”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/png”)
{
echo “Not an approved file type.”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/tif”)
{
echo “Not an approved file type.”;
$ok=0;
}
if ($ok==0)
{
Echo “Sorry your file was not uploaded”;
}
else
{
if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
echo “The file “. basename( $_FILES['uploaded']['name']). ” has been uploaded”;
}
else
{
echo “Sorry, there was a problem uploading your file.”;
}
}
?>

Try something like this, add any allowed mime types in the allowed array.

I also see the wrong type quotes in your code, try using an editor that does not convert quotes, notepad2 works great.

 

The proper double quote is ", not “ or ”

 

<html>
<body>

<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>

</body>
</html> 


<?php
if(isset($_POST['submit']) && !empty($_POST['submit'])) {
$allowed_array = array("image/gif","image/jpeg","image/pjpeg","image/png","image/bmp");
if ($_FILES["file"]["error"] > 0) {
  echo "Error: " . $_FILES["file"]["error"] . "<br />";
  } else {
  
if(in_array($_FILES["file"]["type"],$allowed_array)){  
  echo "Upload: " . $_FILES["file"]["name"] . "<br />";
  echo "Type: " . $_FILES["file"]["type"] . "<br />";
  echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
  echo "Stored in: " . $_FILES["file"]["tmp_name"];
  } else {
  echo $_FILES["file"]["type"] . " not allowed";
  }
}

} else {
echo "Select your file to upload.";
}

?>

Some changes to the previous code, also added checking for extensions within the allowed mime types.

 

<html>
<body>

<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>

</body>
</html> 


<?php
if(isset($_POST['submit']) && !empty($_FILES["file"]["name"])) {

$allowed_types = array("image/gif","image/jpeg","image/pjpeg","image/png","image/bmp");
$allowed_extensions = array("gif","png","jpg","bmp");

if ($_FILES["file"]["error"] > 0) {
  echo "Error: " . $_FILES["file"]["error"] . "<br />";
  } else {
  
$path_parts = pathinfo(strtolower($_FILES["file"]["name"]));
  
if(in_array($_FILES["file"]["type"],$allowed_types) && in_array($path_parts["extension"],$allowed_extensions)){  
  echo "Upload: " . $_FILES["file"]["name"] . "<br />";
  echo "Type: " . $_FILES["file"]["type"] . "<br />";
  $path_parts = pathinfo($_FILES["file"]["name"]);
  echo "Extension: " . $path_parts["extension"] . "<br />";
  echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
  echo "Stored in: " . $_FILES["file"]["tmp_name"];
  } else {
  echo "Type " . $_FILES["file"]["type"] . "  with extension " . $path_parts["extension"] . " not allowed";
  }
}

} else {
echo "Select your file to upload.";
}

?>

Some changes to the previous code, also added checking for extensions within the allowed mime types.

 

<html>
<body>

<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>

</body>
</html> 


<?php
if(isset($_POST['submit']) && !empty($_FILES["file"]["name"])) {

$allowed_types = array("image/gif","image/jpeg","image/pjpeg","image/png","image/bmp");
$allowed_extensions = array("gif","png","jpg","bmp");

if ($_FILES["file"]["error"] > 0) {
  echo "Error: " . $_FILES["file"]["error"] . "<br />";
  } else {
  
$path_parts = pathinfo(strtolower($_FILES["file"]["name"]));
  
if(in_array($_FILES["file"]["type"],$allowed_types) && in_array($path_parts["extension"],$allowed_extensions)){  
  echo "Upload: " . $_FILES["file"]["name"] . "<br />";
  echo "Type: " . $_FILES["file"]["type"] . "<br />";
  $path_parts = pathinfo($_FILES["file"]["name"]);
  echo "Extension: " . $path_parts["extension"] . "<br />";
  echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
  echo "Stored in: " . $_FILES["file"]["tmp_name"];
  } else {
  echo "Type " . $_FILES["file"]["type"] . "  with extension " . $path_parts["extension"] . " not allowed";
  }
}

} else {
echo "Select your file to upload.";
}

?>

Thanks! Quick question though, where do I put your script in proportion to the original? I tried mingling it in but must have put it in the wrong place because some times I got it being treated as two different scripts and sometimes being presented with an error?

Where do I put the original?

 

Thanks!

There seems to be items missing from that tutorial.

 

Don't foget to have a folder named upload in the same directory as this script is, or change your target path.

pretty sure I added the essentials to this, also included a timestamp to the front of the file name so you don't have duplicate named files.

 

<html>
<body>

<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>

</body>
</html> 


<?php
if(isset($_POST['submit']) && !empty($_FILES["file"]["name"])) {
$timestamp = time();
$target = "upload/"; 
$target = $target . basename($_FILES['uploaded']['name']) ; 
$ok=1;

$allowed_types = array("image/gif","image/jpeg","image/pjpeg","image/png","image/bmp");
$allowed_extensions = array("gif","png","jpg","bmp");

if ($_FILES['file']['size'] > 350000) {
$max_size =  round(350000 / 1024);
echo "Your file is too large. Maximum $max_size Kb is allowed. <br>"; 
$ok=0;
} 

if ($_FILES["file"]["error"] > 0) {
echo "Error: " . $_FILES["file"]["error"] . "<br />";
$ok=0;
} else {
  
$path_parts = pathinfo(strtolower($_FILES["file"]["name"]));
  
if(in_array($_FILES["file"]["type"],$allowed_types) && in_array($path_parts["extension"],$allowed_extensions)){
$filename = $timestamp."-".$_FILES["file"]["name"]; 
  echo "Name: " . $filename . "<br />";
  echo "Type: " . $_FILES["file"]["type"] . "<br />";
  $path_parts = pathinfo($_FILES["file"]["name"]);
  echo "Extension: " . $path_parts["extension"] . "<br />";
  echo "Size: " . round($_FILES["file"]["size"] / 1024) . " Kb<br />";
  //echo "Stored in: " . $_FILES["file"]["tmp_name"]. " <br />";
  } else {
  echo "Type " . $_FILES["file"]["type"] . "  with extension " . $path_parts["extension"] . " not allowed <br />";
  $ok=0;
  }
}
if($ok == 1){
@move_uploaded_file($_FILES["file"]["tmp_name"], $target . $filename);
$file_location = $target . $filename;
if(file_exists($file_location)){
echo "Uploaded to <a href='$file_location'>$filename</a> <br />";
} else {
echo "There was a problem saving the file. <br />";
}

}
} else {
echo "Select your file to upload.";
}

?>

 

You can use the file types with if/else or a switch statement and display a resized image if was an image, a link if was a file, an embed if audio or video, etc....

I just made it a hyperlink for simplicity.

There seems to be items missing from that tutorial.

 

Don't foget to have a folder named upload in the same directory as this script is, or change your target path.

pretty sure I added the essentials to this, also included a timestamp to the front of the file name so you don't have duplicate named files.

 

<html>
<body>

<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>

</body>
</html> 


<?php
if(isset($_POST['submit']) && !empty($_FILES["file"]["name"])) {
$timestamp = time();
$target = "upload/"; 
$target = $target . basename($_FILES['uploaded']['name']) ; 
$ok=1;

$allowed_types = array("image/gif","image/jpeg","image/pjpeg","image/png","image/bmp");
$allowed_extensions = array("gif","png","jpg","bmp");

if ($_FILES['file']['size'] > 350000) {
$max_size =  round(350000 / 1024);
echo "Your file is too large. Maximum $max_size Kb is allowed. <br>"; 
$ok=0;
} 

if ($_FILES["file"]["error"] > 0) {
echo "Error: " . $_FILES["file"]["error"] . "<br />";
$ok=0;
} else {
  
$path_parts = pathinfo(strtolower($_FILES["file"]["name"]));
  
if(in_array($_FILES["file"]["type"],$allowed_types) && in_array($path_parts["extension"],$allowed_extensions)){
$filename = $timestamp."-".$_FILES["file"]["name"]; 
  echo "Name: " . $filename . "<br />";
  echo "Type: " . $_FILES["file"]["type"] . "<br />";
  $path_parts = pathinfo($_FILES["file"]["name"]);
  echo "Extension: " . $path_parts["extension"] . "<br />";
  echo "Size: " . round($_FILES["file"]["size"] / 1024) . " Kb<br />";
  //echo "Stored in: " . $_FILES["file"]["tmp_name"]. " <br />";
  } else {
  echo "Type " . $_FILES["file"]["type"] . "  with extension " . $path_parts["extension"] . " not allowed <br />";
  $ok=0;
  }
}
if($ok == 1){
@move_uploaded_file($_FILES["file"]["tmp_name"], $target . $filename);
$file_location = $target . $filename;
if(file_exists($file_location)){
echo "Uploaded to <a href='$file_location'>$filename</a> <br />";
} else {
echo "There was a problem saving the file. <br />";
}

}
} else {
echo "Select your file to upload.";
}

?>

 

You can use the file types with if/else or a switch statement and display a resized image if was an image, a link if was a file, an embed if audio or video, etc....

I just made it a hyperlink for simplicity.

 

You are a life saver. Thank you very very very much.  :D

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.