CODEWITHSUNDEEP
php
user3017315
user3017315

Reputation: 91

Upload mp3, doc, ppt, sql, zip, tar, rar files

I want to give my users the freedom to upload all types of files in my online storage site. I only know how to upload image files such as these:

//other code   
 $_FILES["file"]["type"] == "image/jpeg"
 $_FILES["file"]["type"] == "image/jpg"
 $_FILES["file"]["type"] == "image/pjpeg"
 $_FILES["file"]["type"] == "image/x-png"
 $_FILES["file"]["type"] == "image/png"
//other code

using the ebove code I can upload the given extention files to my site. But I want to upload .mp3 .doc .ppt .docx . pptx .sql and many more possible files. To do that, what should I put in the "question mark" below: 

 $_FILES["file"]["type"] == ?          // for mp3
 $_FILES["file"]["type"] == ?          // for doc/docx
 $_FILES["file"]["type"] == ?          // for ppt/pptx 
 $_FILES["file"]["type"] == ?          // for sql
 $_FILES["file"]["type"] == ?          // for zip/tar/rar

please , tell me if there is any list of all extensions of file and what should I write to upload the asked files?

---Thanks.

Upvotes: 3

Views: 5960

Answers (2)

Havenard
Havenard

Reputation: 27854

The MIME Type provided in $_FILE['file']['type'] is a information given by the client side and can be falsified. Don't trust it. It can also vary from a machine to another, as you saw yourself there isn't a single MIME description to each extension, so it can be very frustrating to rely on it to take any kind of decision.

Someone can send you a music.php and say its a audio/mp3, save it in your website folder and you have just given them means to compromise your entire server. Don't do it.

Instead, use the file extension to determine it's type. You can also list all allowed extensions in an array and just check if the file extension exists in this array.

$allowed_extensions = array(
    'mp3', 'mp4', 'doc', 'zip', 'rar',
    'docx', 'ppt', 'pps', 'pptx' // ...
);
if (!in_array(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION), $allowed_extensions))
    die("You can't upload this.");

Or, you can instead prohibit dangerous file extensions and allow everything else, what would be easier to do considering you want to allow "any type of file".

$disallowed_extensions = array('exe', 'scr', 'cpl', 'bat', 'php', 'htaccess');
if (in_array(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION), $disallowed_extensions))
    die("You can't upload this.");

Careful with the file name too. The file name provided in $_FILES['file']['name'] should be just the file base name, but once again this information is provided by the user and can be including full or relative paths to make your script save it where it shouldn't. Always use basename($_FILES['file']['name']) to make sure you are using the file base name when saving the file.

Upvotes: 1

Justin
Justin

Reputation: 162

mp3 => ($_FILES["file"]["type"] == "audio/mp3")
pdf => ($_FILES["file"]["type"] == "application/pdf")
zip => ($_FILES["file"]["type"] == "application/zip")
|| ($_FILES["file"]["type"] == "application/x-zip-compressed")
|| ($_FILES["file"]["type"] == "multipart/x-zip")
|| ($_FILES["file"]["type"] == "application/x-compressed") // one of those depending on the zip file.
sql=> ($_FILES["file"]["type"] == "application/octet-stream")
ppt=> ($_FILES["file"]["type"] == "application/vnd.ms-powerpoint")
pptx=> ($_FILES["file"]["type"] == "application/vnd.openxmlformats-officedocument.presentationml.presentation")

docx=> ($_FILES["file"]["type"] == "application/vnd.openxmlformats-officedocument.wordprocessingml.document")

you will need to do some search on those to confirm these are exactly what you are looking for. i am sure it is everywhere.

Upvotes: 2

Related Questions