Asday Posted July 9, 2007 Share Posted July 9, 2007 I have some code that uploads a file, and now I want to restrict types. I want to let people upload: bmp, jpg, gif, (done) php, htm, html, xml, (Don't know how) If someone could please post the necessary filetypes for the second list please. (jpg = image/jpeg, bmp = image/bmp, gif = image/gif) Quote Link to comment Share on other sites More sharing options...
Yesideez Posted July 9, 2007 Share Posted July 9, 2007 You could perform a regex match on the filename using this pattern: /\.(?:bmp|gif|jpe?g)$/i if (eregi('\.(?:bmp|gif|jpe?g)$',$filename)) { //upload here } else { echo 'Invalid file';} } Something like that. Quote Link to comment Share on other sites More sharing options...
trq Posted July 9, 2007 Share Posted July 9, 2007 You seriously do not want people to be able to upload php files. Doing so could quite easily wipe out your entire site. Quote Link to comment Share on other sites More sharing options...
Yesideez Posted July 9, 2007 Share Posted July 9, 2007 \.(?:php|html?|xml)$ Although I agree with thorpe: \.(?:html?|xml)$ Quote Link to comment Share on other sites More sharing options...
Asday Posted July 9, 2007 Author Share Posted July 9, 2007 Well, I don't understand the code samples there... I was thinking more like this: <?php if (($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/jpeg") || ($_FILES["file"]["type"] == "image/bmp") // || ($_FILES["file"]["type"] == "php/php") || ($_FILES["file"]["type"] == "text/plain")) ?> You seriously do not want people to be able to upload php files. Doing so could quite easily wipe out your entire site. Not just my site. My entire server. All they need is the System command, I believe. PHP genius next to me just told me. (He's hard at work, though) EDIT: I need the MIME type, please. That would have made things simple. Quote Link to comment Share on other sites More sharing options...
Yesideez Posted July 9, 2007 Share Posted July 9, 2007 That should work OK. If the user is trying to hide a file type (I've seen this happen before) by renaming one file as another this should stop it. Using eregi() will only check the filename, not the file itself. I've not checked using this method so I think HTML, HTM, PHP and XML files would show as "text/plain" Quote Link to comment Share on other sites More sharing options...
Asday Posted July 9, 2007 Author Share Posted July 9, 2007 That should work OK. If the user is trying to hide a file type (I've seen this happen before) by renaming one file as another this should stop it. Using eregi() will only check the filename, not the file itself. I've not checked using this method so I think HTML, HTM, PHP and XML files would show as "text/plain" That code I just posted allows only .jpg .bmp .gif and .txt files. I want to be able to upload .html .htm .xml and .php too. They are not text/plain files, as when I try to upload any of them it fails. Quote Link to comment Share on other sites More sharing options...
Yesideez Posted July 9, 2007 Share Posted July 9, 2007 Do you get an error message? Showign some code would also be a start... Quote Link to comment Share on other sites More sharing options...
Asday Posted July 9, 2007 Author Share Posted July 9, 2007 Do you get an error message? Showign some code would also be a start... Nope, blank page. Here's my code: <?php if (($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/jpeg") || ($_FILES["file"]["type"] == "image/bmp") // || ($_FILES["file"]["type"] == "php/php") || ($_FILES["file"]["type"] == "text/plain")) { if ($_FILES["file"]["error"] > 0) { echo "Error: " . $FILES["file"]["error"] . "<br />"; } else { echo "Upload: " . $_FILES["file"]["name"] . "<br />"; echo "Type: " . $_FILES["file"]["type"] . "<br />"; echo "Size: " . (($_FILES["file"]["size"] / 1024) / 1024) . "MB<br />"; echo "Stored in: " . $_FILES["file"]["tmp_name"] . "<br /><br />"; if (file_exists("upload/" . $_FILES["file"]["name"])) { echo $_FILES["file"]["name"] . " already exists, foof!"; echo '<a href="javascript:history.go(-1)" onMouseOver="self.status=document.referrer;return true">Return</a>' . ' to the page you were on.'; } else { move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]); echo 'It`s now <a href="/upload/' . $_FILES["file"]["name"] . '">here.</a> Tell your friends!<br />'; echo '<a href="javascript:history.go(-1)" onMouseOver="self.status=document.referrer;return true">Return</a>' . ' to the page you were on.'; } } } ?> Quote Link to comment Share on other sites More sharing options...
Yesideez Posted July 9, 2007 Share Posted July 9, 2007 Without knowing what the variables are containing its a little tricky reading through it. One thing I do when I get if() statements that don't appear to be behaving is place a load of "echo" lines throughout the script just displaying numbers. One before if(), one inside each condition and see what I get in my browser. Quote Link to comment Share on other sites More sharing options...
Asday Posted July 9, 2007 Author Share Posted July 9, 2007 Not quite sure what you're trying to achieve. It's meant to do nothing if it get's a file I don't want uploaded. The way to make it stop doing that, is to add another OR for another MIME type at the top, which is what I want to do. All I want, is to know what the mime types for htm, html, php and xml are. The ones on filext for php didn't work, so I've come here. EDIT: Found the mimetypes for html and xml: ... if (($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/jpeg") || ($_FILES["file"]["type"] == "image/bmp") || ($_FILES["file"]["type"] == "text/html") || ($_FILES["file"]["type"] == "text/xml") // || ($_FILES["file"]["type"] == "php/php") || ($_FILES["file"]["type"] == "text/plain")) ... Quote Link to comment Share on other sites More sharing options...
Yesideez Posted July 9, 2007 Share Posted July 9, 2007 Gotcha!!! umm... I've no idea lol http://www.december.com/html/spec/mime.html That shows a load of MIME types... Quote Link to comment Share on other sites More sharing options...
Asday Posted July 9, 2007 Author Share Posted July 9, 2007 Gotcha!!! umm... I've no idea lol http://www.december.com/html/spec/mime.html That shows a load of MIME types... Thanks for that link, useful, but php not there. I was looking here: http://www.phpfreaks.com/mimetypes.php Quote Link to comment Share on other sites More sharing options...
Yesideez Posted July 9, 2007 Share Posted July 9, 2007 application/xml text/xml xml text/html html htm No PHP - guess it's not present! Quote Link to comment Share on other sites More sharing options...
Asday Posted July 9, 2007 Author Share Posted July 9, 2007 application/xml text/xml xml text/html html htm No PHP - guess it's not present! Surely there isn't all the MIME types ever. For instance, there is no torrent. No psd. No exe. EDIT: Apparently, php has no MIME type. (I got the script to echo it) EDIT2: Also apparently, what I want to do is impossible. Well, I could get it to check systematically EVERY SINGLE MIME type ever, and if it is, disallow it. Needless to say, I won't do that. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.