
Is this upload script secure?


gatzkerob


<?php
    // Maximum file size for upload
    $maxFileSize = 5242880;
    
    // If file is too large
    if(!empty($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $maxFileSize)
        echo "File too large";
    else
    {
        if(isset($_POST['submit']))
        {
            // List of acceptable file types
            $whitelist = array(
                "application/vnd.openxmlformats-officedocument.wordprocessingml.document",    // .docx
                "application/msword",                                                        // .doc, .rtf
                "text/plain",
                "image/jpeg",
                "image/gif",
                "image/png",
                "application/pdf",
                "application/octet-stream",                                                    // .rar
                "application/x-zip"                                                            // .zip
            );
            
            // Is uploaded file type in whitelist array
            if(!in_array($_FILES['file_upload']['type'], $whitelist))
                exit("Bad Filetype");
            
            // Don't allow php files
            if(preg_match("/\.php.*$/i", $_FILES['file_upload']['name']))
                exit("We do not allow uploading PHP files\n");
            
            // Move the file
            $uploaddir = '../uploads/';
            $uploadfile = $uploaddir . "[" . time(). "]." . basename($_FILES['file_upload']['name']);
            
            if (move_uploaded_file($_FILES['file_upload']['tmp_name'], $uploadfile))
                exit("File is valid, and was successfully uploaded.\n");
            else
                exit("File uploading failed.\n");
        }
    }
?>
<html>
    <head>
        <title>Upload Test</title>
    </head>
    <body>
        <form action="<?php echo $_SERVER['PHP_SELF']; ?>" enctype="multipart/form-data" method="POST">
            <input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $maxFileSize; ?>" />
            <input type="file" name="file_upload" />
            <input type="submit" name="submit" value="upload" />
            <br />
            <?php echo "(Max: " . number_format($maxFileSize/1048576,0) . " MB)" ?>
        </form>
    </body>
</html>


You may want to use a more graceful technique for stopping your script rather than exiting mid-execution. Also, MIME types are browser dependent I believe, meaning that not all browsers send the same MIME type for the same file type (although this may have changed with new versions of browsers. It's been a while since I've made an upload script). Also, MIME types can be spoofed. You may want to also check the extension as well as the MIME type.



Yeah, I was unsure about exit(); I'll just nest everything in if() statements instead. Should I replace the MIME types with a file extension whitelist instead? I know file extensions can also be faked. Is MIME type really that important?


Thanks for the feedback.

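A hardened version of the validation step, written as an added example for this thread (it is not the OP's script or any library's code): it follows the reply's advice to check the extension as well as the type, and answers the follow-up question by taking the type from the file bytes via finfo instead of the browser-supplied $_FILES['file_upload']['type'], with a server-chosen file name and no exit() calls. UPLOAD_DIR and store_upload are assumed names.

```php
<?php
// Added example (not the OP's script): upload validation that ignores the
// client-supplied $_FILES[...]['type'] and the original file name.
// Assumptions: PHP >= 7.1 with the fileinfo extension; UPLOAD_DIR is a
// hypothetical directory outside the web root, so nothing in it is served or run.
const UPLOAD_DIR    = '/var/app/uploads';
const MAX_FILE_SIZE = 5242880;   // 5 MB, the same limit as the OP's script

// Allowed extensions mapped to the MIME type finfo must detect from the bytes.
// (Office/zip formats are left out: libmagic versions report them differently.)
const ALLOWED = [
    'txt'  => 'text/plain',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
];

// Returns the stored path, or null with a reason in $error; never echoes or exits.
function store_upload(array $file, &$error): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        $error = 'Upload failed, error code ' . ($file['error'] ?? 'none');
        return null;
    }
    if ($file['size'] > MAX_FILE_SIZE) {   // the MAX_FILE_SIZE form field is advisory only
        $error = 'File too large';
        return null;
    }
    // Final extension only; name.php.jpg gives "jpg", hence the content check below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        $error = 'Extension not allowed';
        return null;
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        $error = "Content type $detected does not match .$ext";
        return null;
    }
    // Server-chosen random name: the user's file name never reaches the disk.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {   // also verifies it is a real upload
        $error = 'Could not store file';
        return null;
    }
    chmod($dest, 0640);   // readable by the app, never executable
    return $dest;
}
```

Call it from the form handler as `$path = store_upload($_FILES['file_upload'] ?? [], $why);` and branch on the null result to show `$why`, which replaces the exit() calls the reply objected to.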
