Applying File size and extension

5uperMario
Forum Newbie
Posts: 4
Joined: Mon Jul 20, 2009 3:35 am

Applying File size and extension

Post by 5uperMario »

Hi

I'm new to the world of PHP, but anyway,
I have this script to upload a file to the server.

Pretty simple.
What it does is upload the file and assign a random number to the file.

Now I want it to limit the file size and type of file.
If it exceeds the size or has a denied file extension (e.g. php), it displays an error.

Code:

if ($uploaded_size > 350000)
{
    echo "Your file is too large.<br>";
    $ok=0;
}

if ($uploaded_type =="text/php")
{
    echo "No PHP files<br>";
    $ok=0;
}

I added it to my script. So far it worked when I uploaded a php file,
but it looked like this:
this file is not allowed.the file uploaded successful

So it displays an error, but it still uploaded the file.
I tried doing this many ways.
I can't seem to get it to work:
either it displays an error and does it for all files,
or it displays an error and still uploads.

Here is my upload script:

Code:

<?php

echo "<html><head><title>Uploads For ALL - Uploaded File</title></head><body bgcolor=\"black\" text=\"white\" vlink=\"white\">";
echo "<center>";
if (file_exists("favicon.ico")) {
    echo "<link REL=\"shortcut icon\" HREF=\"favicon.ico\" TYPE=\"image/x-icon\">\n";
}

// This function separates the extension from the rest of the file name and returns it
function findexts($filename)
{
    $filename = strtolower($filename);
    // split() was removed in PHP 7; preg_split() with the same character class replaces it
    $exts = preg_split('#[/\\\\.]#', $filename);
    $n = count($exts) - 1;
    return $exts[$n];
}

// No size or type check runs before the move, so every uploaded file is accepted
$ext = findexts($_FILES['uploaded']['name']);
$ran = rand();
$ran2 = $ran.".";
$target = "images/";
$target = $target . $ran2.$ext;

if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
    echo "The file has been uploaded as ".$ran2.$ext;
    echo "<br>The file is located here: http://www.pspdd.comze.com/upload/images/".$ran2.$ext;
    echo "<br>Click <a href=\"http://www.pspdd.comze.com/upload/images/$ran2$ext\">Here</a> to view/download the file.";
}
else
{
    echo "Sorry, there was a problem uploading your file.";
}

echo "<form><input type=\"button\" value=\"Back to Home\" onClick=\"javascript:history.go(-1)\"></form>";
echo "<form method=\"post\"><input type=\"button\" value=\"Close Page\" onclick=\"window.close()\"></form>";
echo "</center>";
?>

Is this solvable?
I don't want PHP files to be uploaded and max file size is 2MB, but every other file is allowed.

Thanks
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Applying File size and extension

Post by jackpf »

I wouldn't make a black list of file types if I were you, rather, a white list.

And I think PHP file type is application/x-httpd-php
DaiWelsh
Forum Commoner
Posts: 36
Joined: Wed Jan 08, 2003 9:39 am
Location: Derbyshire, UK

Re: Applying File size and extension

Post by DaiWelsh »

Code below works with faked files but I haven't tested with actual uploads.

As previous poster I would do a whitelist (extensions to allow) rather than blacklist (extensions to disallow) as it is safer, but depends on your scenario. If you do want blacklist remove the ! to change

Code:

if(!in_array($ext,$arrValidExts)) {

to

Code:

if(in_array($ext,$arrValidExts)) {

HTH,

Dai

Code:

$strFile = $_FILES['uploaded']['tmp_name'];
$strFileName = $_FILES['uploaded']['name'];
$arrValidExts = array('jpg','gif','xyz'); // put allowed extension here
$intMaxSize = 350000; // put max filesize in bytes here

$bolAllowed = true;
$ext = findexts($strFileName); // findexts() is the helper from the original upload script
if(!in_array($ext,$arrValidExts)) {
    $bolAllowed = false;
}
if(filesize($strFile) > $intMaxSize) {
    $bolAllowed = false;
}
if($bolAllowed) {
    echo('Do upload');
    // put your upload handling code in here
} else {
    echo('Dont do upload');
    // failed upload code in here
}

onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: Applying File size and extension

Post by onion2k »

jackpf wrote: And I think PHP file type is application/x-httpd-php
Not that you'd ever want to trust the incoming MIME type not to be faked... That's as bad as trusting the file extension.

Just let people upload what they like, but make sure the directory you save the files to is excluded from running any scripts. Create a .htaccess file in the upload directory with a directive setting of "php_value engine off".
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Applying File size and extension

Post by Benjamin »

Or the fact that the mime type doesn't matter if it has a php extension or an extension that the server will execute as php.
5uperMario
Forum Newbie
Posts: 4
Joined: Mon Jul 20, 2009 3:35 am

Re: Applying File size and extension

Post by 5uperMario »

Hey, thanks guys.
I managed to get it working now. A few adjustments and it works now.
For types allowed, it uploads; for denied types, it displays an error (don't upload).

Oh, thanks for the white list idea too. I never thought of it that way,
since there are hundreds of file types I would be leaving out in a black list, e.g. xpd dds spo etc.
And I'll try that .htaccess to disallow php from being executed in the directory.

thanks
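
The advice in this thread combined into one upload handler, as an added example that is not code from any of the posters: an allow-list instead of a deny-list, a size check on the received file, a type detected from the file content rather than from the request, and a stored name that contains nothing from the client-supplied name. The field name `uploaded` and the `images/` directory follow the thread; the allow-list contents and the function name `validate_upload` are assumptions.

```php
<?php
// Added example, not code from the thread. 'uploaded' and images/ follow the
// thread; the allow-list entries and validate_upload() are assumptions.
const MAX_BYTES = 2 * 1024 * 1024; // the 2 MB limit the original poster asked for
// Allow-list: server-detected MIME type => extension the file is stored under.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/png'  => 'png',
];

// Returns the safe stored file name, or throws RuntimeException with the reason.
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed (error code ' . ($file['error'] ?? 'none') . ').');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload.');
    }
    // Measure the temporary file itself.
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('Your file is too large.');
    }
    // Detect the type from the content (fileinfo); $file['type'] is sent by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('This file type is not allowed.');
    }
    // The extension comes from the allow-list, never from $file['name'],
    // so a ".php" or double extension cannot reach the stored name.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
}

try {
    $name = validate_upload($_FILES['uploaded'] ?? []);
    // The move only happens after every check has passed.
    if (!move_uploaded_file($_FILES['uploaded']['tmp_name'], 'images/' . $name)) {
        throw new RuntimeException('Sorry, there was a problem uploading your file.');
    }
    echo 'The file has been uploaded as ' . htmlspecialchars($name);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage());
}
```

Because a rejected file throws before `move_uploaded_file()` is reached, the "error shown but file still uploaded" behaviour from the first post cannot occur. Disabling script execution in the upload directory, as suggested above, remains a separate layer on top of this check.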