From: Catherine Madsen on 17 Sep 2010 16:40

Hi!

I have created a form following the PHP manual to upload files and need to restrict the upload to only PDF. How do I check the file type ($_FILES['userfile']['type']?) and where: on the form page or on the validation page? I want to be able to tell the users that their file doesn't have the right format. Thank you very much for your help!

My form is:

<?php
session_start();
$_SESSION['new_name'] = $_POST['new_name'];
?>
<form enctype="multipart/form-data" action="upload_file.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="1000000" />
Upload this file: <input name="userfile" size="50" type="file" />
<input type="submit" value="Upload File" />
</form>

The validation:

<?php
session_start();
$dirname = $_SESSION['new_name'];
$uploaddir = 'my_path'. $dirname. '/';
if (!(is_dir($uploaddir)))
{
    if (!mkdir($uploaddir,0775))
    {
        // Stop only when the directory could not be created.
        print "error: " . $uploaddir . "\n";
        exit;
    }
}

$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    header('Location: my_page');
} else {
    header('Location: my_error_page');
}

?>

Catherine

From: Jim Lucas on 17 Sep 2010 17:25

Catherine Madsen wrote:
> Hi!
>
> I have created a form following the PHP manual to upload files and need
> to restrict the upload to only PDF. How do I check the file type
> ($_FILES['userfile']['type']?) and where: on the form page or on the
> validation page? I want to be able to tell the users that their file
> doesn't have the right format. Thank you very much for your help!
>
> My form is:
>
> <?php
> session_start();
> $_SESSION['new_name'] = $_POST['new_name'];
> ?>
> <form enctype="multipart/form-data" action="upload_file.php" method="POST">
> <input type="hidden" name="MAX_FILE_SIZE" value="1000000" />
> Upload this file: <input name="userfile" size="50" type="file" />
> <input type="submit" value="Upload File" />
> </form>
>
> The validation:
>
> <?php
> session_start();
> $dirname = $_SESSION['new_name'];
> $uploaddir = 'my_path'. $dirname. '/';
> if (!(is_dir($uploaddir)))
> {
>     if (!mkdir($uploaddir,0775))
>     {
>         print "error: " . $uploaddir . "\n";
>         exit;
>     }
> }
>
> $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
> if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
>     header('Location: my_page');
> } else {
>     header('Location: my_error_page');
> }
>
> ?>
> Catherine
>

Check here http://www.w3schools.com/TAGS/att_form_accept.asp

You should also verify the extension on the processing page. Someone could post the data to your processing script without using your form.

From: Peter Lind on 18 Sep 2010 05:21

On 17 September 2010 23:25, Jim Lucas <lists(a)cmsws.com> wrote:
> Catherine Madsen wrote:
>> Hi!
>>
>> I have created a form following the PHP manual to upload files and need
>> to restrict the upload to only PDF. How do I check the file type
>> ($_FILES['userfile']['type']?) and where: on the form page or on the
>> validation page? I want to be able to tell the users that their file
>> doesn't have the right format. Thank you very much for your help!
>>

You need to use something like http://www.fpdf.org/ to try and actually open the uploaded file - anyone can fake an extension.

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>

From: Ashley Sheridan on 18 Sep 2010 05:32

On Sat, 2010-09-18 at 11:21 +0200, Peter Lind wrote:
> On 17 September 2010 23:25, Jim Lucas <lists(a)cmsws.com> wrote:
> > Catherine Madsen wrote:
> >> Hi!
> >>
> >> I have created a form following the PHP manual to upload files and need
> >> to restrict the upload to only PDF. How do I check the file type
> >> ($_FILES['userfile']['type']?) and where: on the form page or on the
> >> validation page? I want to be able to tell the users that their file
> >> doesn't have the right format. Thank you very much for your help!
> >>
>
> You need to use something like http://www.fpdf.org/ to try and
> actually open the uploaded file - anyone can fake an extension.
>
> Regards
> Peter
>
> --
> <hype>
> WWW: http://plphp.dk / http://plind.dk
> LinkedIn: http://www.linkedin.com/in/plind
> BeWelcome/Couchsurfing: Fake51
> Twitter: http://twitter.com/kafe15
> </hype>
>

An exec() call to the 'file' command (assuming you're on a Linux server) should give you back the correct file type as well. I just tested mine with file-5.03 on a mis-named file and it correctly detected it. That's not to say a carefully crafted file couldn't trick it, but it might be good as a general checker where it would be a lot of hassle trying to check every single file type by opening it up.

Thanks,
Ash
http://www.ashleysheridan.co.uk

From: Michael Shadle on 18 Sep 2010 05:46

There is a fileinfo module for php (and it's packaged in 5.3)

http://www.php.net/manual/en/intro.fileinfo.php

However after trying to use "file" in a system call back in the day it's great with graphics and some other stuff, but a large number of the video files came out with just a generic binary type. The site needed both pictures and videos to be validated; I had to relax the restriction because most of the video content couldn't be identified.

I would say transcode it (if it's videos) so it's normalized and consistent with the rest of the site, and ffmpeg etc. will let you know if it's not a valid type your server can support.

YMMV with fileinfo or system("file") which I believe should give you the same results. Depends on what content you are handling!

On Sep 18, 2010, at 2:32 AM, Ashley Sheridan <ash(a)ashleysheridan.co.uk> wrote:

> On Sat, 2010-09-18 at 11:21 +0200, Peter Lind wrote:
>
>> On 17 September 2010 23:25, Jim Lucas <lists(a)cmsws.com> wrote:
>>> Catherine Madsen wrote:
>>>> Hi!
>>>>
>>>> I have created a form following the PHP manual to upload files and need
>>>> to restrict the upload to only PDF. How do I check the file type
>>>> ($_FILES['userfile']['type']?) and where: on the form page or on the
>>>> validation page? I want to be able to tell the users that their file
>>>> doesn't have the right format. Thank you very much for your help!
>>>>
>>
>> You need to use something like http://www.fpdf.org/ to try and
>> actually open the uploaded file - anyone can fake an extension.
>>
>> Regards
>> Peter
>>
>> --
>> <hype>
>> WWW: http://plphp.dk / http://plind.dk
>> LinkedIn: http://www.linkedin.com/in/plind
>> BeWelcome/Couchsurfing: Fake51
>> Twitter: http://twitter.com/kafe15
>> </hype>
>>
>
>
> An exec() call to the 'file' command (assuming you're on a Linux server)
> should give you back the correct file type as well. I just tested mine
> with file-5.03 on a mis-named file and it correctly detected it. That's
> not to say a carefully crafted file couldn't trick it, but it might be
> good as a general checker where it would be a lot of hassle trying to
> check every single file type by opening it up.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
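
Added example, not part of the original thread and not any poster's code: a server-side check for the validation page that ignores the client-supplied type and extension and inspects the file content with fileinfo, as the replies suggest. It assumes PHP 7.1+ with the fileinfo extension; UPLOAD_DIR and pdf_upload_error() are hypothetical names, while 'userfile', 'my_page' and the size limit come from the form in the first post.

```php
<?php
// Added example. Assumptions: PHP 7.1+ with the fileinfo extension; UPLOAD_DIR
// and pdf_upload_error() are hypothetical names. 'userfile' is the thread's field.
const UPLOAD_DIR = '/srv/uploads';  // hypothetical; keep it outside the web root
const MAX_BYTES  = 1000000;         // same limit as MAX_FILE_SIZE in the form

// Returns null when the upload looks like a PDF, otherwise a message for the user.
function pdf_upload_error(array $file): ?string
{
    // The form's MAX_FILE_SIZE can be altered by the client; check server-side.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'The upload did not complete.';
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        return 'The file is missing or too large.';
    }
    // $file['type'] and the extension in $file['name'] come from the client,
    // so look at the content: libmagic's verdict via fileinfo ...
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime !== 'application/pdf') {
        return 'Only PDF files are accepted.';
    }
    // ... plus the "%PDF-" signature at offset 0 (a strict reading of the format).
    if (file_get_contents($tmp, false, null, 0, 5) !== '%PDF-') {
        return 'Only PDF files are accepted.';
    }
    return null;
}

if (isset($_FILES['userfile'])) {
    $error = pdf_upload_error($_FILES['userfile']);
    if ($error !== null) {
        http_response_code(400);
        exit(htmlspecialchars($error));
    }
    // Store under a server-generated name instead of the client's file name.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.pdf';
    if (!move_uploaded_file($_FILES['userfile']['tmp_name'], $target)) {
        http_response_code(500);
        exit('Could not store the file.');
    }
    header('Location: my_page');
    exit;
}
```

Passing both checks shows that the file starts like a PDF, not that its contents are harmless, which is the limit Ashley's reply points out for crafted files.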