Zchoppa
Posted September 15, 2015

I'm trying to create an upload form for my website - I want to restrict the allowed file types to WAV files and not allow any other file types. With the code I'm using, the form does not allow ANY file type. Why is this? Here's my script:

```php
<?php
$target = "upload/";
$target = $target . basename( $_FILES['uploaded']['name']) ;
$ok=1;

if (!($uploaded_type == "audio/wav")) {
    echo "You may only upload WAV files.<br>";
    $ok=0;
}

if ($ok==0) {
    Echo "Sorry your file was not uploaded";
} else {
    if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)) {
        echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded";
    } else {
        echo "Sorry, there was a problem uploading your file.";
    }
}
?>
```

Of course when I comment out the bit " if (!($uploaded_type == "audio/wav")).... " it allows all file types, which I do not want.

Thanks

secweb
Posted September 15, 2015

Where is $uploaded_type set? At the moment I'd say it'll be null...

QuickOldCar
Posted September 15, 2015

Kinda odd to just allow wav files and not other audio, especially since a few can work in a html5 player.

finfo_file() the only way to ensure the file is exactly the type
mime_content_type() deprecated in newer php versions

You would want to check the actual mime type of the file before you do the move.

Can knock some checks out early just by looking for any allowed extensions

```php
// extension taken from the client-supplied file name
// (pathinfo() is used because end() needs a variable, not the result of explode())
$extension = strtolower(pathinfo($_FILES['uploadedfile']['name'], PATHINFO_EXTENSION));

//single type and file as you have
if ($extension == "wav") {
    //check real mime type, if passes check if successful move
} else {
    //toss an error or take any actions want
}

//multiple audio types
$allowedExtensions = array("mp3","mp4","wav","ogg","flac","wma","wax");
if (in_array($extension, $allowedExtensions)) {
    //check real mime type, if passes check if successful move
} else {
    //toss an error or take any actions want
}
```

If did both checks and turns out is actually different, may want to take a look at whoever is uploading it.

Edited September 15, 2015 by QuickOldCar

maxxd
Posted September 15, 2015

Remember that file extensions can be changed very easily, so though QOC's $allowedExtensions check will easily and efficiently cull out the ridiculous uploads, it's certainly not difficult to bypass; you'll absolutely want to also do the mime type check as described.

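The check order described in the replies above (extension first, then the real MIME type before the move), written out as an added example; it is not code from any poster in this thread. The field name `uploaded` and the `upload/` directory come from the question; the function name, the list of WAV MIME strings (the exact string depends on the installed libmagic database), the RIFF header check and the random file name are assumptions, and PHP 7.1+ is assumed.

```php
<?php
// Added example. 'uploaded' and upload/ come from the question; everything
// else (function name, MIME list, random file name) is an assumption.
function validate_wav_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return 'Sorry, there was a problem uploading your file.';
    }

    // Stage 1: cheap extension check on the client-supplied name.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== 'wav') {
        return 'You may only upload WAV files.';
    }

    // Stage 2: MIME type detected from the file contents, not from
    // $_FILES[...]['type'], which is sent by the browser.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = ['audio/x-wav', 'audio/wav', 'audio/wave', 'audio/vnd.wave'];
    if (!in_array($mime, $allowed, true)) {
        return 'You may only upload WAV files.';
    }

    // Stage 3: a WAV file is a RIFF container: "RIFF" <size> "WAVE".
    $head = (string) file_get_contents($file['tmp_name'], false, null, 0, 12);
    if (strlen($head) < 12 || substr($head, 0, 4) !== 'RIFF'
        || substr($head, 8, 4) !== 'WAVE') {
        return 'You may only upload WAV files.';
    }
    return null; // acceptable
}

if (isset($_FILES['uploaded'])) {
    $error = validate_wav_upload($_FILES['uploaded']);
    if ($error !== null) {
        echo htmlspecialchars($error);
    } else {
        // Store under a server-generated name instead of the client's.
        $target = __DIR__ . '/upload/' . bin2hex(random_bytes(16)) . '.wav';
        echo move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)
            ? 'The file has been uploaded'
            : 'Sorry, there was a problem uploading your file.';
    }
}
```
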
Zchoppa (Author)
Posted September 15, 2015

Thanks for the replies, it's on its way to what I wanted now. Making a lot more sense.

The reason I only allow wav files is because the service I'm offering from this upload form is Audio Mastering, and a wav or at least FLAC file is typically used over a compressed file like an mp3.