PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
i have a PHP upload script, that very much works, but it dosn't filter any file types out. i want to be able to block certain file types. or if thats not possible, then just specify which file types. but i'd be much better if i could block. anyway, here is my code:
<?php
// Where the file is going to be placed
$target_path = "uploads/";
/* Add the original filename to our target path.
Result is "uploads/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
$_FILES['uploadedfile']['tmp_name'];
?>
<?php
//$web_two = "<a href=http://www.csscobalt.com/uploads/"
$target_path = "uploads/";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ". basename( $_FILES['uploadedfile']['name']).
" has been uploaded. here is the link to your file: <a href=uploads/". basename( $_FILES['uploadedfile']['name']). ">". basename( $_FILES['uploadedfile']['name'])."</a>";
} else{
echo "There was an error uploading the file, please try again!";
}
?>
Last edited by JustinMs66 on Mon Sep 04, 2006 9:44 pm, edited 1 time in total.
Like posted in the other thread, there is hundreds of possible file types out there, even if you have 32 file types people are uploading, it would still be easier to just add them. The functions posted on the other thread will answer your question.
<?php
if (exif_imagetype('image.gif') != IMAGETYPE_GIF) {
echo 'The picture is not a gif';
}
?>
If you really want basic blocking, you should use print_r() and view what the super global variable $_FILES returns when you upload a file. If you notice, it has the mime type of the file, then just upload the files you don't want, and it will give you what to block. As you said in the other post, you're no PHP expert, but you will never get any better if people code everything for you.
i'm not exactly an expert on PHP so i'm not exactly sure what you said... but like the example code that u just gave...that would be if you ONLY wanted .gif's rite? or could you do:
<?php
if (exif_imagetype('image.gif') != IMAGETYPE_GIF) {
echo 'The picture is not a gif';
//AND
}
if (exif_imagetype('image.jpg') != IMAGETYPE_JPG) {
echo 'The picture is not a jpg';
}
?>
<?php
$bad_types = array(
'application/octet-stream' // .exe
'text/html' // html files
);
if ( in_array( $_FILES['uploadedfile']['type'], $bad_types ) )
{
/*
* Code placed here will run when the user uploads a bad file type
*/
}
?>
For most cases mime type checking is enough, but remember that you are using the mime type that is provided by the user's browser and not php. Further checks may be required to insure that the file is of the type that the user's browser claims it to be.
TexoCMS (see signature) uses both a client side approach and server side to validating uploaded files...
Here's the thing, checking strictly base don file extension isn't secure on most PHP installs as I found out the hard way
PHP will execute a file with the extension GIF if thrown at it...I'm sure there is a setting somewhere that limits which files PHP should parse and execute, but by default...this isn't the case...
The answer is 'yes.' The rest of your code for processing the file should go in an 'else' statement. However, you do not need to put the code in an 'else' statement if your php code for handling bad files contains 'die()', 'exit(), or any other function that discontinues script execution. I don't know if I explained that clearly, but If that last sentence doesn't make sense to you, then don't worry about it; just add the 'else' statement and you'll be fine.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<?php
$bad_types = array(
'application/octet-stream' // .exe
// 'text/html' // html files
);
if ( in_array( $_FILES['uploadedfile']['type'], $bad_types ) )
{
/*
* Code placed here will run when the user uploads a bad file type
*/
echo "That File type is not supported. go to hell.";
}
else
{
$target_path = "uploads/";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ". basename( $_FILES['uploadedfile']['name']).
" has been uploaded. here is the link to your file: <a href=uploads/". basename( $_FILES['uploadedfile']['name']). ">". basename( $_FILES['uploadedfile']['name'])."</a>";
} else{
echo "There was an error uploading the file, please try again!";
}
?>
</body>
</html>
That means the php parser got to the closing php tag ('?>') before it expected. You need to insert one more closing brace ('}') before the closing tag.
Also, make sure that the directory you are trying to upload to exists and is write-able. You can either do this manually, or by using the mkdir function