Upload Script - File Type Filter - HELP!!!!!! (2 pages)

JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

i have a PHP upload script, that very much works, but it doesn't filter any file types out. i want to be able to block certain file types. or if that's not possible, then just specify which file types. but it'd be much better if i could block. anyway, here is my code:

Code: Select all

<?php

// Where the file is going to be placed 
$target_path = "uploads/";

/* Add the original filename to our target path.  
Result is "uploads/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 
$_FILES['uploadedfile']['tmp_name'];  

?>
  
  <?php

//$web_two = "<a href=http://www.csscobalt.com/uploads/"

$target_path = "uploads/";

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file ".  basename( $_FILES['uploadedfile']['name']). 
    " has been uploaded. here is the link to your file: <a href=uploads/".  basename( $_FILES['uploadedfile']['name']). ">".  basename( $_FILES['uploadedfile']['name'])."</a>";
} else{
    echo "There was an error uploading the file, please try again!";
}

?>
Last edited by JustinMs66 on Mon Sep 04, 2006 9:44 pm, edited 1 time in total.
William
Forum Contributor
Posts: 332
Joined: Sat Oct 25, 2003 4:03 am
Location: New York City

Post by William »

Like posted in the other thread, there are hundreds of possible file types out there, even if you have 32 file types people are uploading, it would still be easier to just add them. The functions posted on the other thread will answer your question.

Functions: exif_imagetype() print_r()

As you can see in the example on PHP.net for the function exif_imagetype(), you can do the following:

Code: Select all

<?php
if (exif_imagetype('image.gif') != IMAGETYPE_GIF) {
   echo 'The picture is not a gif';
}
?>
If you really want basic blocking, you should use print_r() and view what the super global variable $_FILES returns when you upload a file. If you notice, it has the mime type of the file, then just upload the files you don't want, and it will give you what to block. As you said in the other post, you're no PHP expert, but you will never get any better if people code everything for you.
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

:( i'm not exactly an expert on PHP :( so i'm not exactly sure what you said... but like the example code that u just gave...that would be if you ONLY wanted .gif's rite? or could you do:

?

Code: Select all

<?php
if (exif_imagetype('image.gif') != IMAGETYPE_GIF) {
   echo 'The picture is not a gif';
//AND
}
if (exif_imagetype('image.jpg') != IMAGETYPE_JPEG) {
   echo 'The picture is not a jpg';
}
?>
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

? :?:
Gavin.Monroe
Forum Newbie
Posts: 12
Joined: Mon Sep 04, 2006 12:09 am
Location: Chesapeake, VA

Post by Gavin.Monroe »

To block certain mime file types you can create an array and compare it to the mime type provided by the user's browser:

Code: Select all

<?php
$bad_types = array(
    'application/octet-stream', // .exe
    'text/html' // html files
);

if ( in_array( $_FILES['uploadedfile']['type'], $bad_types ) )
{
	/*
	 * Code placed here will run when the user uploads a bad file type
	 */
}
?>
Here is a link to a list of file extensions and their corresponding mime types: http://www.webmaster-toolkit.com/mime-types.shtml

For most cases mime type checking is enough, but remember that you are using the mime type that is provided by the user's browser and not php. Further checks may be required to ensure that the file is of the type that the user's browser claims it to be.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

TexoCMS (see signature) uses both a client side approach and server side to validating uploaded files...

Here's the thing, checking strictly based on file extension isn't secure on most PHP installs as I found out the hard way :P

PHP will execute a file with the extension GIF if thrown at it...I'm sure there is a setting somewhere that limits which files PHP should parse and execute, but by default...this isn't the case...

Take that into consideration ;)
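
An added example, not part of the thread or any poster's code, tying together the two points above (the browser-supplied mime type cannot be trusted, and the stored extension decides what the server may execute). It assumes PHP 7+ with the fileinfo extension; the function name store_upload, the allowlist and the size limit are hypothetical, while the field name 'uploadedfile' and the uploads directory follow the thread:

```php
<?php
// Allowlist: MIME type detected from the file's bytes => extension we will store it under.
// (Assumed set of types; adjust to what the site actually needs.)
const ALLOWED_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];
const MAX_BYTES = 2 * 1024 * 1024; // assumed size limit

function store_upload(array $file, string $dir): string
{
    // Reject failed uploads and array-valued (multi-file) entries.
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or malformed request.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // Detect the type from the content; $file['type'] is only what the browser claimed.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('File type not allowed.');
    }
    // The stored name is generated server-side and the extension comes from the
    // allowlist, so nothing from the client-supplied filename reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($dir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $name;
}

if (isset($_FILES['uploadedfile'])) {
    try {
        $name = store_upload($_FILES['uploadedfile'], __DIR__ . '/uploads');
        $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
        echo 'Uploaded: <a href="uploads/' . $safe . '">' . $safe . '</a>';
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Content sniffing only confirms that the file starts like an image; a file can pass and still carry embedded script text, so the uploads directory should also be configured so that the web server never hands its contents to the PHP interpreter.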
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

Gavin.Monroe, so like i see where i would put the code if it was a BAD file, but if it was good...would i just do an "else" + code at the bottom?
Gavin.Monroe
Forum Newbie
Posts: 12
Joined: Mon Sep 04, 2006 12:09 am
Location: Chesapeake, VA

Post by Gavin.Monroe »

The answer is 'yes.' The rest of your code for processing the file should go in an 'else' statement. However, you do not need to put the code in an 'else' statement if your php code for handling bad files contains 'die()', 'exit()', or any other function that discontinues script execution. I don't know if I explained that clearly, but if that last sentence doesn't make sense to you, then don't worry about it; just add the 'else' statement and you'll be fine.
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

it says:

Parse error: syntax error, unexpected $end in /home/csscobalt.com/20/upload.php on line 40

and that line, in the upload.php, is the last line. it's:
</html>

...?

or here is my whole code:

Code: Select all

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>
<?php
$bad_types = array(
    'application/octet-stream' // .exe
 //   'text/html' // html files
);

if ( in_array( $_FILES['uploadedfile']['type'], $bad_types ) )
{
        /*
         * Code placed here will run when the user uploads a bad file type
		
         */
		 echo "That File type is not supported. go to hell.";
}
else
{

$target_path = "uploads/";

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 


if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file ".  basename( $_FILES['uploadedfile']['name']). 
    " has been uploaded. here is the link to your file: <a href=uploads/".  basename( $_FILES['uploadedfile']['name']). ">".  basename( $_FILES['uploadedfile']['name'])."</a>";
} else{
    echo "There was an error uploading the file, please try again!";
}

?>
</body>
</html>
Gavin.Monroe
Forum Newbie
Posts: 12
Joined: Mon Sep 04, 2006 12:09 am
Location: Chesapeake, VA

Post by Gavin.Monroe »

That means the php parser got to the closing php tag ('?>') before it expected. You need to insert one more closing brace ('}') before the closing tag.
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

ok yea that worked, thnx. i put 1 more } in. but now it's sayin:

There was an error uploading the file, please try again!

oh and btw this is what i have in my "index.html" file, in case it helps:

Code: Select all

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>
<form method='post' action='upload.php'>
<input type='file' name='uploadedfile' /><br />
<input type='submit' value='Upload File' />
</form>
</body>
</html>
Gavin.Monroe
Forum Newbie
Posts: 12
Joined: Mon Sep 04, 2006 12:09 am
Location: Chesapeake, VA

Post by Gavin.Monroe »

Your form tag needs to read:

Code: Select all

<form method='post' action='upload.php' enctype='multipart/form-data'>
Also, make sure that the directory you are trying to upload to exists and is writable. You can either do this manually, or by using the mkdir function.
Gavin.Monroe
Forum Newbie
Posts: 12
Joined: Mon Sep 04, 2006 12:09 am
Location: Chesapeake, VA

Post by Gavin.Monroe »

By the way, sometimes exes will be reported as 'application/x-msdos-program'.
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

ok technically that worked....although i tried uploading a .exe file and it worked. :( cuz remember i blocked .EXE files.

Code: Select all

$bad_types = array(
    'application/octet-stream' // .exe
so how do i fix this?
JustinMs66
Forum Contributor
Posts: 127
Joined: Sun Sep 03, 2006 4:18 pm

Post by JustinMs66 »

ok gotcha. u read my mind lol. but so i do this:

Code: Select all

$bad_types = array(
    'application/octet-stream' // .exe
	'application/x-msdos-program'

);
and it says:

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ')' in /home/sscobalt.com/20/upload.php on line 12

and like 12 is:
'application/x-msdos-program'