Restrict file extensions?


luigimia

Hi. I'm making a file-sharing website but how do I stop users from uploading certain extensions?

Here is my script so far:

 

<?php

session_start();

// Only proceed if a file was actually submitted in the "ufile" field and arrived without error.
if (isset($_FILES['ufile']) && $_FILES['ufile']['error'] == UPLOAD_ERR_OK)
{
    // basename() keeps just the file name part of whatever the browser sent.
    $file_name = basename($_FILES['ufile']['name']);

    // Prefix a random number so two uploads with the same name do not overwrite each other.
    $random_digit = rand(0, 9999);

    $new_file_name = $random_digit . $file_name;

    $path = "upload/" . $new_file_name;

    // move_uploaded_file() refuses anything that is not a file uploaded in this request.
    if (move_uploaded_file($_FILES['ufile']['tmp_name'], $path))
    {
        echo "Successful<BR/>";
    }
    else
    {
        echo "Error";
    }
}

?>


You will want to compare the MIME type of the file to the $_FILES['filename']['type'] value.

I like to store the valid extensions in an array and compare that array of values to the MIME type of the given file using a conditional statement.

May you explain how to do that?

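The reply above suggests comparing the MIME type, so here is one way to do that check on the server. This is an added example, not code from anyone in the thread: it sniffs the real type from the file bytes with the fileinfo extension instead of trusting $_FILES['file']['type'] (which the browser fills in from the file name and a crafted request can set to anything), requires the extension to match the sniffed type, and stores the file under a server-generated name. The form field name "file", the upload/ directory next to the script, the 350000-byte limit and the gif/jpg/png allowlist are assumptions taken from the rest of the thread.

```php
<?php
// Added example (not from the thread): validate an upload by its contents rather than
// by the client-supplied $_FILES['file']['type'].
// Assumptions: the form field is named "file" and uploads go to ./upload/ (hypothetical).

declare(strict_types=1);

// Allowlist: extension => the MIME type(s) the file contents must actually match.
const ALLOWED = [
    'gif'  => ['image/gif'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
];

const MAX_BYTES = 350000;   // same limit the thread uses

/**
 * Returns the extension to store the file under, or null (with $error set) if rejected.
 */
function validate_upload(array $f, ?string &$error): ?string
{
    $error = null;
    if (!isset($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        $error = 'upload failed (code ' . (string) ($f['error'] ?? 'n/a') . ')';
        return null;
    }
    if (!is_uploaded_file($f['tmp_name'])) {   // refuse anything not uploaded in this request
        $error = 'not an uploaded file';
        return null;
    }
    if ($f['size'] > MAX_BYTES) {
        $error = 'file too large';
        return null;
    }
    // The extension comes from the client's file name. Only the LAST extension counts,
    // so "shell.php.gif" is judged as "gif" and then must also look like a GIF inside.
    $ext = strtolower(pathinfo(basename($f['name']), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        $error = "extension '$ext' not allowed";
        return null;
    }
    // Sniff the real type from the bytes on disk (libmagic via the fileinfo extension).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $real = $finfo->file($f['tmp_name']) ?: 'unknown';
    if (!in_array($real, ALLOWED[$ext], true)) {
        $error = "content is $real, which does not match .$ext";
        return null;
    }
    return $ext;
}

/**
 * Moves a validated upload into $dir under a random name and returns that name.
 */
function store_upload(array $f, string $dir): ?string
{
    $ext = validate_upload($f, $error);
    if ($ext === null) {
        echo 'Rejected: ' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . "<br />";
        return null;
    }
    // Never reuse the client's name: a random name avoids collisions and guessing.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        echo "Could not save file<br />";
        return null;
    }
    chmod($dest, 0644);   // readable, never executable
    return $name;
}

if (isset($_FILES['file'])) {
    $stored = store_upload($_FILES['file'], __DIR__ . '/upload');
    if ($stored !== null) {
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "<br />";
    }
}
```

Even this check is not a complete defence on its own: a file can be a valid GIF and still carry PHP code in its comment block, and libmagic will happily report image/gif. What keeps such a file inert is that the web server never hands anything under upload/ to the PHP interpreter, so configure that directory with no script handler in addition to validating uploads.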

I can't get this to work?

<?php 
$target = "upload/"; 
$target = $target . basename( $_FILES['uploaded']['name']) ; 
$ok=1; 

if ($uploaded_size > 350000) 
{ 
echo "Your file is too large.<br>"; 
$ok=0; 
} 
if (isset($uploaded_type) && $uploaded_type ==”text/php”)
{
echo “No PHP files”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/cgi”)
{
echo “Not an approved file type.”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/html”)
{
echo “Not an approved file type.”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/asp”)
{
echo “Not an approved file type.”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/pl”)
{
echo “Not an approved file type.”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/gif”)
{
echo “Not an approved file type.”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/jpg”)
{
echo “Not an approved file type.”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/png”)
{
echo “Not an approved file type.”;
$ok=0;
}
if (isset($uploaded_type) && $uploaded_type ==”text/tif”)
{
echo “Not an approved file type.”;
$ok=0;
}
if ($ok==0)
{
Echo “Sorry your file was not uploaded”;
}
else
{
if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
echo “The file “. basename( $_FILES['uploaded']['name']). ” has been uploaded”;
}
else
{
echo “Sorry, there was a problem uploading your file.”;
}
}
?>


Try something like this; add any allowed MIME types to the allowed array.

I also see the wrong type of quotes in your code. Try using an editor that does not convert quotes; Notepad2 works great.

 

The proper double quote is ", not “ or ”

 

<html>
<body>

<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>

</body>
</html> 


<?php
if (isset($_POST['submit']) && !empty($_POST['submit'])) {
    // MIME types to accept. Note that $_FILES["file"]["type"] is whatever the
    // browser put in the request; it is not derived from the file's contents.
    $allowed_array = array("image/gif", "image/jpeg", "image/pjpeg", "image/png", "image/bmp");

    if ($_FILES["file"]["error"] > 0) {
        echo "Error: " . $_FILES["file"]["error"] . "<br />";
    } else {
        if (in_array($_FILES["file"]["type"], $allowed_array)) {
            // htmlspecialchars() so a crafted file name cannot inject markup into the page.
            echo "Upload: " . htmlspecialchars($_FILES["file"]["name"]) . "<br />";
            echo "Type: " . htmlspecialchars($_FILES["file"]["type"]) . "<br />";
            echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
            // The temporary file is deleted when the request ends unless it is moved.
            echo "Stored in: " . $_FILES["file"]["tmp_name"];
        } else {
            echo htmlspecialchars($_FILES["file"]["type"]) . " not allowed";
        }
    }
} else {
    echo "Select your file to upload.";
}
?>


Some changes to the previous code, also added checking for extensions within the allowed mime types.

 

<html>
<body>

<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>

</body>
</html> 


<?php
if (isset($_POST['submit']) && !empty($_FILES["file"]["name"])) {

    // Both checks must pass: the browser-reported type and the file extension.
    $allowed_types = array("image/gif", "image/jpeg", "image/pjpeg", "image/png", "image/bmp");
    $allowed_extensions = array("gif", "png", "jpg", "bmp");

    if ($_FILES["file"]["error"] > 0) {
        echo "Error: " . $_FILES["file"]["error"] . "<br />";
    } else {
        // Lower-case the name so "PHOTO.JPG" matches "jpg"; a name with no
        // extension yields "" and is rejected instead of raising a notice.
        $path_parts = pathinfo(strtolower($_FILES["file"]["name"]));
        $extension = isset($path_parts["extension"]) ? $path_parts["extension"] : "";

        if (in_array($_FILES["file"]["type"], $allowed_types) && in_array($extension, $allowed_extensions)) {
            echo "Upload: " . htmlspecialchars($_FILES["file"]["name"]) . "<br />";
            echo "Type: " . htmlspecialchars($_FILES["file"]["type"]) . "<br />";
            echo "Extension: " . $extension . "<br />";
            echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
            echo "Stored in: " . $_FILES["file"]["tmp_name"];
        } else {
            echo "Type " . htmlspecialchars($_FILES["file"]["type"]) . " with extension " . htmlspecialchars($extension) . " not allowed";
        }
    }

} else {
    echo "Select your file to upload.";
}
?>

Thanks! Quick question though: where do I put your script in proportion to the original? I tried mingling it in but must have put it in the wrong place, because sometimes I got it being treated as two different scripts and sometimes I was presented with an error?

Where do I put the original?

 

Thanks!


There seem to be items missing from that tutorial.

 

Don't forget to have a folder named upload in the same directory as this script, or change your target path.

Pretty sure I added the essentials to this; I also included a timestamp at the front of the file name so you don't have duplicate file names.

 

<html>
<body>

<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>

</body>
</html> 


<?php
if (isset($_POST['submit']) && !empty($_FILES["file"]["name"])) {
    $timestamp = time();
    $target = "upload/";   // this folder must exist next to the script
    $ok = 1;

    // Both the browser-reported type and the file extension must be on the lists.
    $allowed_types = array("image/gif", "image/jpeg", "image/pjpeg", "image/png", "image/bmp");
    $allowed_extensions = array("gif", "png", "jpg", "bmp");

    if ($_FILES['file']['size'] > 350000) {
        $max_size = round(350000 / 1024);
        echo "Your file is too large. Maximum $max_size Kb is allowed. <br>";
        $ok = 0;
    }

    if ($_FILES["file"]["error"] > 0) {
        echo "Error: " . $_FILES["file"]["error"] . "<br />";
        $ok = 0;
    } else {
        // Lower-case the name so "IMG.JPG" matches "jpg"; a name without an
        // extension yields "" and is rejected.
        $path_parts = pathinfo(strtolower($_FILES["file"]["name"]));
        $extension = isset($path_parts["extension"]) ? $path_parts["extension"] : "";

        if (in_array($_FILES["file"]["type"], $allowed_types) && in_array($extension, $allowed_extensions)) {
            // Timestamp prefix avoids duplicate names; basename() drops any directory part.
            $filename = $timestamp . "-" . basename($_FILES["file"]["name"]);
            echo "Name: " . htmlspecialchars($filename) . "<br />";
            echo "Type: " . htmlspecialchars($_FILES["file"]["type"]) . "<br />";
            echo "Extension: " . $extension . "<br />";
            echo "Size: " . round($_FILES["file"]["size"] / 1024) . " Kb<br />";
            //echo "Stored in: " . $_FILES["file"]["tmp_name"]. " <br />";
        } else {
            echo "Type " . htmlspecialchars($_FILES["file"]["type"]) . " with extension " . htmlspecialchars($extension) . " not allowed <br />";
            $ok = 0;
        }
    }

    if ($ok == 1) {
        $file_location = $target . $filename;
        // Check the return value instead of silencing errors with @.
        if (move_uploaded_file($_FILES["file"]["tmp_name"], $file_location) && file_exists($file_location)) {
            $link = htmlspecialchars($file_location);
            echo "Uploaded to <a href='$link'>" . htmlspecialchars($filename) . "</a> <br />";
        } else {
            echo "There was a problem saving the file. <br />";
        }
    }
} else {
    echo "Select your file to upload.";
}
?>

 

You can use the file types with if/else or a switch statement and display a resized image if it was an image, a link if it was a file, an embed if audio or video, etc.

I just made it a hyperlink for simplicity.
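The scripts in this thread allow a handful of image types, which suits a gallery but not the file-sharing site asked about at the top, where users need to share arbitrary files. The following is an added example, not code from anyone in the thread, showing the pattern that makes extension filtering unnecessary for that case: keep each upload outside the web root under an opaque random id, remember the original name separately, and serve every download through a script that forces an attachment with a generic content type, so the web server never interprets an upload as PHP or HTML. The STORE_DIR path, the "<id>.name" sidecar file and the form field name "file" are assumptions of this example.

```php
<?php
// Added example (not from the thread): store shared files outside DocumentRoot and serve
// them only as downloads, so no upload is ever executed or rendered in the site's origin.
// Assumptions (hypothetical layout): STORE_DIR is not reachable by URL; each upload is
// saved as "<id>" with its original name in "<id>.name".

declare(strict_types=1);

const STORE_DIR = '/var/lib/fileshare/store';   // hypothetical, outside the web root

/** Save an upload under a random id; returns the id or null on failure. */
function save_shared_file(array $f): ?string
{
    if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        return null;
    }
    $id = bin2hex(random_bytes(16));            // opaque, unguessable, no extension at all
    $dest = STORE_DIR . '/' . $id;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return null;
    }
    // Keep only the base name and strip characters that could break the download header.
    $orig = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($f['name']));
    file_put_contents($dest . '.name', $orig !== '' ? $orig : 'download');
    return $id;
}

/** Stream a stored file to the client as a download; returns false if unknown. */
function send_shared_file(string $id): bool
{
    // Only 32-hex-digit ids are valid; "../" and friends never reach the filesystem.
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        return false;
    }
    $path = STORE_DIR . '/' . $id;
    if (!is_file($path)) {
        return false;
    }
    $orig = @file_get_contents($path . '.name') ?: 'download';

    // Generic type plus nosniff: the browser must not guess HTML/JS from the bytes,
    // and "attachment" stops it from rendering the file inline in our origin.
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $orig . '"');
    header('Content-Length: ' . (string) filesize($path));
    header("Content-Security-Policy: default-src 'none'; sandbox");
    readfile($path);
    return true;
}

// Router: a POST with a file uploads; GET ?id=... downloads.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    $id = save_shared_file($_FILES['file']);
    echo $id === null ? 'Upload failed' : 'Share link: ?id=' . $id;
} elseif (isset($_GET['id'])) {
    if (!send_shared_file((string) $_GET['id'])) {
        http_response_code(404);
        echo 'Not found';
    }
}
```

With this layout the original file name is only ever used in the Content-Disposition header, the stored file has no extension the web server could map to a handler, and the id check rejects any attempt to reach other paths, so the question of which extensions to block does not arise.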


You are a lifesaver. Thank you very, very, very much.  :D
