CODEWITHSUNDEEP
phpsecuritypdfuploadfile-rename
David Cook
David Cook

Reputation: 23

PDF Uploader script

I have spent 3 days reading and doing tutorials about PHP upload scripts for uploading PDF files to a website, renaming and moving the files. I can't seem to find a consistent answer on how to format the script. From my reading I see the following as important to this process. I have not found a good working answer to the PDF upload issue.

  1. It is important to validate the PDF files with a server side mime verification.
  2. Clamscan is important to keep the site clean. Should this be done immediately after upload?
  3. Files should not be accessible until they are verified by type and virus free. My understanding is that this is best done by the "rename" function of PHP that will allow a move and rename.

  4. I had considered uploading PDFs into my MySql database, but after reading much of the online advice, I now feel that this may not be the best for my site.

  5. I will be having clients upload pdfs via a html form.

Here is the form I was using:

    <form action ="PHP UPLOAD.php" method="post" encrypte="multipart/form-data">
    File: <input type="file" name="file" size="30"> <input type="submit" value="upload!">
    </form>

This is the PHP I started with from an online tutorial.

<?php

$uploaddir = "cover";
$allowed_ext = "pdf";
$max_size = "5000000";
//$max_height = "";
//$max_width = "";

$extension = pathinfo($_FILES['file'] ['name']);
$extension = $extension[extension];
$allowed_paths = explode(", ", $allowed_ext);
for($i = 0; $i < count($allowed_paths); $i++) {
if ($allowed_paths [$i] == "$extension") {
    $ok = "1";
}
}


if ($ok == "1")  {
    if($_FILES['file']['size'] > $max_size)
    {
        print "File is too big!";
        exit;
    }

// Include for images
//if ($max_width && $max_height) {
//list ($width, $height, $type, $w) =
//getimagesize($_FILES['file']['tmp_name']);
//if ($width . $max_width || $height > $max_height)
//{
//print "File height and/or width are too big!";
//exit;
//}
//}

if(is_uploaded_file($_FILES['file']['tmp_name']))
{
move_uploaded_file($_FILES['file']['tmp_name'],$uploaddir.'/'.$_FILES['file']['name']);
}
print "Your Cover Letter has been successfully uploaded!";
} else {
print "Incorrect file extension!";
}

?>

It returned an Invalid File Type message to me.

I found this code and it seems to be a better verification via Mime Type, but appears to be not complete.

$allowedExts = array(
  "pdf", 
  "doc", 
  "docx"
); 

$allowedMimeTypes = array( 
  'application/msword',
  'text/pdf',
  'image/gif',
  'image/jpeg',
  'image/png'
);

$extension = end(explode(".", $_FILES["file"]["name"]));

if ( 20000 < $_FILES["file"]["size"]  ) {
  die( 'Please provide a smaller file [E/1].' );
}

if ( ! ( in_array($extension, $allowedExts ) ) ) {
  die( 'Please provide another file type [E/2]. );
}

if ( in_array( $_FILES["file"]["type"], $allowedMimeTypes ) ) 
{      
 move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]); 
}
else
{
die( 'Please provide another file type [E/3]. );
}

I am trying to learn, but I don't seem to be able to find a very clear path that solves my issues. Can someone give me some clear answers as to what is special about PDF uploads and this process?

For Background, I am building this on my MAC using MAMP and Dreamweaver & Text Wrangler. I will be implementing this to a GoDAddy site. So, if you know issues that I will be facing I would appreciate a heads up.

Thanks in Advance!

Upvotes: 2

Views: 9787

Answers (2)

user2631215
user2631215

Reputation: 91

Hi the second code that does verification via Mime Type, but appears to be not complete works this way.

$allowedExts = array(
  "pdf", 
  "doc", 
  "docx"
); 

$allowedMimeTypes = array( 
  'application/msword',
  'application/pdf',
  'text/pdf',
  'image/gif',
  'image/jpeg',
  'image/png'
);

$nameexploded = explode(".", $_FILES["file"]["name"]);
$extension = end($nameexploded);

if ( 9000000 < $_FILES["file"]["size"]  ) {
  die( 'Please provide a smaller file [E/1].' );
}

if ( ! ( in_array($extension, $allowedExts ) ) ) {
  die( 'Please provide another file type [E/2].' );
}

if ( in_array( $_FILES["file"]["type"], $allowedMimeTypes ) ) 
{      
 move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]); 
}
else
{
    die( 'Please provide another file type [E/3].' );
}

I use $nameexploded to avoid: Notice: Only variables should be passed by reference in filepath\test.php on line 16.

This works great for me. Hope helps someone.

Upvotes: 0

arun
arun

Reputation: 3677

i think the error message is because of you miss typed enctype as encrypte, please check this also

<form action ="PHP_UPLOAD.php" method="post" enctype="multipart/form-data">
File: 
<input type="file" name="file" size="30"> 
<input type="submit" value="upload!">
</form>

Upvotes: 4

Related Questions