CODEWITHSUNDEEP
phpfile-uploadfile-type
AshotN
AshotN

Reputation: 413

PHP File Type Restrictions

I am trying out PHP my first actual script, most of it from tutorial :( Anyway's

I am having a problem on this part

// This is our limit file type condition
if (!($uploaded_type=="text/java")||!($uploaded_type=="file/class")||!($uploaded_type=="file/jar")) {
echo "You may only upload Java files.<br>";

$ok=0;
}

Basically it doesn't allow any files, even those up there help! I want the Java files to be allowed only!

EDIT: Here is the full code 

<?php
$target = "upload/";
$target = $target . basename( $_FILES['uploaded']['name']) ;
$uploaded = basename( $_FILES['uploaded']['name']) ;
$ok=1;

//This is our size condition
if ($uploaded_size > 350000) {
    echo "Your file is too large.<br>";
    $ok=0;
}

// This is our limit file type condition
if (!($uploaded_type=="text/java")||!($uploaded_type=="file/class")||! ($uploaded_type=="file/jar")) {
    echo "You may only upload Java files.<br>";
    $ok=0;
}

echo $ok;  //Here we check that $ok was not set to 0 by an error
if ($ok==0) {
    echo "Sorry your file was not uploaded";
}else {
    if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)) {
        echo "The file ". $uploaded ." has been uploaded";
    } else {
        echo "Sorry, there was a problem uploading your file.";
    }
}
?>

Upvotes: 1

Views: 1366

Answers (4)

LF-DevJourney
LF-DevJourney

Reputation: 28529

For client file format limit, refer to this Limit file format when using ?

<input type="file" accept="image/*" /> <!-- all image types --> 
<input type="file" accept="audio/*" /> <!-- all audio types -->

For server, you can filter the uploaded file by this,

if(in_array(mime_type($file_path),$allowed_mime_types)){
    // save the file
}

$allowed_mime_types = array(
        'image/jpeg',
        'image/jpg',
        'image/png',
        'image/gif',
        'video/mp4'
);


/*
For PHP>=5.3.0, you can use php's `finfo_file`([finfo_file](https://www.php.net/manual/en/function.finfo-file.php)) function to get the file infomation about the file.

For PHP<5.3.0, you can use your's system's `file` command to get the file information.
*/
function mime_type($file_path)
{
    if (function_exists('finfo_open')) {            
        $finfo = new finfo(FILEINFO_MIME_TYPE, null);
        $mime_type = $finfo->file($file_path);
    }
    if (!$mime_type && function_exists('passthru') && function_exists('escapeshellarg')) {
        ob_start();
        passthru(sprintf('file -b --mime %s 2>/dev/null', escapeshellarg($file_path)), $return);
        if ($return > 0) {
            ob_end_clean();
            $mime_type = null;
        }
        $type = trim(ob_get_clean());
        if (!preg_match('#^([a-z0-9\-]+/[a-z0-9\-\.]+)#i', $type, $match)) {
            $mime_type = null;
        }
        $mime_type = $match[1];
    }
    return $mime_type;
}

Upvotes: 0

middus
middus

Reputation: 9121

You can make this more flexible using in_array():

$allowed_types = array("text/java", "file/class", "file/jar");
if(!in_array($uploaded_type, $allowed_types)) {
  echo "You're not allowed to upload this kind of file.<br />";
  $ok = 0;
}

This makes it very easy to allow more file types later on. If you want to allow "text/html", you just need to add it to the array and do not need to create so many checks. You could even store the allowed types in a config file or a table in a database and create the array $allowed_types dynamically.

Upvotes: 0

mario
mario

Reputation: 145472

Only one of your three conditions could possibly be true, so that you end up with:

if (!false || !false || !true)

Which becomes:

if (true   || true   || false)

So you should either use an && in place of the OR, or use a nicer function to check for multiple things from a set:

if (!in_array($uploaded_type, array("text/java", "file/class","file/jar")) {

So the if will succeed if neither of the allowed values is found.

Upvotes: 0

Marc B
Marc B

Reputation: 360562

You're using an OR... that means the whole statement evaluates as TRUE if ANY of its member arguments are true. Since a file can only be of one type, you're excluding ALL files. What you want is an 'and' match:

if (!($uploaded_type == 'text/java') && !($uploaded_type == ....)) {
                                     ^^---boolean and

Pretending that we're working with a file/class file type, then you version reads:

if the (file is not text/java) OR the (file is not file/class) OR the (file is not file/jar)
              TRUE                           FALSE                          TRUE

TRUE or FALSE or TRUE -> TRUE

Switchign to AND gives you

TRUE and FALSE and TRUE -> FALSE

Upvotes: 2

Related Questions