Upload Script - File Type Filter - HELP!!!!!!
Posted: Sun Sep 03, 2006 9:57 pm
by JustinMs66
i have a PHP upload script, that very much works, but it doesn't filter any file types out. i want to be able to block certain file types. or if that's not possible, then just specify which file types. but it'd be much better if i could block. anyway, here is my code:
Code: Select all
<?php
// Where the file is going to be placed
$target_path = "uploads/";
/* Add the original filename to our target path.
   Result is "uploads/filename.extension" */
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
$_FILES['uploadedfile']['tmp_name'];
?>
<?php
//$web_two = "<a href=http://www.csscobalt.com/uploads/"
$target_path = "uploads/";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file ". basename( $_FILES['uploadedfile']['name']).
    " has been uploaded. here is the link to your file: <a href=uploads/". basename( $_FILES['uploadedfile']['name']). ">". basename( $_FILES['uploadedfile']['name'])."</a>";
} else{
    echo "There was an error uploading the file, please try again!";
}
?>
Posted: Sun Sep 03, 2006 10:11 pm
by William
Like posted in the other thread, there are hundreds of possible file types out there, even if you have 32 file types people are uploading, it would still be easier to just add them. The functions posted on the other thread will answer your question.
Functions:
exif_imagetype() print_r()
As you can see in the example on PHP.net for the function exif_imagetype(), you can do the following:
Code: Select all
<?php
if (exif_imagetype('image.gif') != IMAGETYPE_GIF) {
echo 'The picture is not a gif';
}
?>
If you really want basic blocking, you should use print_r() and view what the super global variable $_FILES returns when you upload a file. If you notice, it has the mime type of the file, then just upload the files you don't want, and it will give you what to block. As you said in the other post, you're no PHP expert, but you will never get any better if people code everything for you.
Posted: Sun Sep 03, 2006 10:19 pm
by JustinMs66

i'm not exactly an expert on PHP

so i'm not exactly sure what you said... but like the example code that u just gave...that would be if you ONLY wanted .gif's right? or could you do this?
Code: Select all
<?php
if (exif_imagetype('image.gif') != IMAGETYPE_GIF) {
    echo 'The picture is not a gif';
    //AND
}
if (exif_imagetype('image.jpg') != IMAGETYPE_JPEG) {
    echo 'The picture is not a jpg';
}
?>
Posted: Mon Sep 04, 2006 1:10 am
by JustinMs66
?

Posted: Mon Sep 04, 2006 1:45 am
by Gavin.Monroe
To block certain mime file types you can create an array and compare it to the mime type provided by the user's browser:
Code: Select all
<?php
$bad_types = array(
    'application/octet-stream', // .exe
    'text/html' // html files
);
if ( in_array( $_FILES['uploadedfile']['type'], $bad_types ) )
{
    /*
     * Code placed here will run when the user uploads a bad file type
     */
}
?>
Here is a link to a list of file extension and their corresponding mime types:
http://www.webmaster-toolkit.com/mime-types.shtml
For most cases mime type checking is enough, but remember that you are using the mime type that is provided by the user's browser and not php. Further checks may be required to ensure that the file is of the type that the user's browser claims it to be.
Posted: Mon Sep 04, 2006 1:46 am
by alex.barylski
TexoCMS (see signature) uses both a client side approach and server side to validating uploaded files...
Here's the thing, checking strictly based on file extension isn't secure on most PHP installs as I found out the hard way
PHP will execute a file with the extension GIF if thrown at it...I'm sure there is a setting somewhere that limits which files PHP should parse and execute, but by default...this isn't the case...
Take that into consideration
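
Added example, not part of any post in this thread: the two replies above note that the browser-supplied mime type and the file extension are both under the uploader's control, so this sketch decides from the file's bytes against an allowlist and stores the file under a server-chosen name. The field name 'uploadedfile' and the uploads/ directory come from the thread; the allowlist contents and the function name store_upload() are assumptions, and it needs PHP 7 or later with the fileinfo extension.

```php
<?php
// Added example (not from the thread). ALLOWED and store_upload() are
// hypothetical names. Maps detected MIME type => extension used on disk.
const ALLOWED = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

function store_upload(array $file, string $dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Detect the type from the file's bytes. $file['type'] and $file['name']
    // are sent by the client and play no part in the decision.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('File type not allowed');
    }

    // Server-chosen name and extension: whatever the upload was called,
    // it is stored as <random>.gif / .jpg / .png and nothing else.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

if (isset($_FILES['uploadedfile'])) {
    try {
        $name = store_upload($_FILES['uploadedfile'], __DIR__ . '/uploads');
        $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
        echo "The file has been uploaded: <a href=\"uploads/$safe\">$safe</a>";
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Content detection only says what the bytes look like, so the stored extension and a web server configuration that does not hand files in uploads/ to PHP are what keep an uploaded file from being executed.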

Posted: Mon Sep 04, 2006 2:02 am
by JustinMs66
Gavin.Monroe, so like i see where i would put the code if it was a BAD file, but if it was good...would i just do an "else" + code at the bottom?
Posted: Mon Sep 04, 2006 2:09 am
by Gavin.Monroe
The answer is 'yes.' The rest of your code for processing the file should go in an 'else' statement. However, you do not need to put the code in an 'else' statement if your php code for handling bad files contains 'die()', 'exit()', or any other function that discontinues script execution. I don't know if I explained that clearly, but if that last sentence doesn't make sense to you, then don't worry about it; just add the 'else' statement and you'll be fine.
Posted: Mon Sep 04, 2006 2:27 am
by JustinMs66
it says:
Parse error: syntax error, unexpected $end in /home/csscobalt.com/20/upload.php on line 40
and that line, in the upload.php, is the last line. it's:
</html>
...?
or here is my whole code:
Code: Select all
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<?php
$bad_types = array(
'application/octet-stream' // .exe
// 'text/html' // html files
);
if ( in_array( $_FILES['uploadedfile']['type'], $bad_types ) )
{
/*
* Code placed here will run when the user uploads a bad file type
*/
echo "That File type is not supported. go to hell.";
}
else
{
$target_path = "uploads/";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file ". basename( $_FILES['uploadedfile']['name']).
" has been uploaded. here is the link to your file: <a href=uploads/". basename( $_FILES['uploadedfile']['name']). ">". basename( $_FILES['uploadedfile']['name'])."</a>";
} else{
echo "There was an error uploading the file, please try again!";
}
?>
</body>
</html>
Posted: Mon Sep 04, 2006 2:35 am
by Gavin.Monroe
That means the php parser got to the closing php tag ('?>') before it expected. You need to insert one more closing brace ('}') before the closing tag.
Posted: Mon Sep 04, 2006 2:41 am
by JustinMs66
ok yea that worked, thnx. i put 1 more } in. but now it's sayin:
There was an error uploading the file, please try again!
oh and btw this is what i have in my "index.html" file, in case it helps:
Code: Select all
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<form method='post' action='upload.php'>
<input type='file' name='uploadedfile' /><br />
<input type='submit' value='Upload File' />
</form>
</body>
</html>
Posted: Mon Sep 04, 2006 2:55 am
by Gavin.Monroe
Your form tag needs to read:
Code: Select all
<form method='post' action='upload.php' enctype='multipart/form-data'>
Also, make sure that the directory you are trying to upload to exists and is write-able. You can either do this manually, or by using the mkdir function.
Posted: Mon Sep 04, 2006 2:59 am
by Gavin.Monroe
By the way, sometimes exes will be reported as 'application/x-msdos-program'.
Posted: Mon Sep 04, 2006 3:01 am
by JustinMs66
ok technically that worked....although i tried uploading a .exe file and it worked.

cuz remember i blocked .EXE files.
Code: Select all
$bad_types = array(
'application/octet-stream' // .exe
so how do i fix this?
Posted: Mon Sep 04, 2006 3:04 am
by JustinMs66
ok gotcha. u read my mind lol. but so i do this:
Code: Select all
$bad_types = array(
'application/octet-stream' // .exe
'application/x-msdos-program'
);
and it says:
Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ')' in /home/sscobalt.com/20/upload.php on line 12
and like 12 is:
'application/x-msdos-program'