#1
  1. No Profile Picture
    jay-biz
    Guest
    Devshed Newbie (0 - 499 posts)
    Hi!

    I have two questions. First, how can I control what files a user uploads? I can, of course, check the extensions but they can't always be trusted. Can I check the mime-types somehow?

    Second, is there a way I can set the "available formats" in the file upload dialog box?

    Regards,



    ------------------
    .jonas
  2. #2
  3. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2011
    Posts
    1
    Rep Power
    0
    first question: here is some basic code that checks if the file uploaded is a jpeg, should be easy enough to follow.

    Code:
    <form enctype='multipart/form-data' action="#" method="post">
        <input type="file" name="uploaded" />
        <input type="submit" name="upload" value="Upload" />
    </form> 
    <?php 
        if ($_FILES['uploaded']['type'] == 'image/jpeg') {
            exit('Allowed'); 
        } else { 
            exit('Denied!'); 
        } 
    ?>
    as for the second one you could just create an array of file types supported and use it for checking the uploaded file, and to create a "supported file types" list on the form, I hope that helped, if you have any other questions feel free to ask.
  4. #3
  5. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,908
    Rep Power
    6352
    Welcome to the forums Wizard.

    You have revived a thread that is so old the forum software is malfunctioning trying to display the OP's information. The Matrix came out AFTER this question was asked. I think he found the answer.

    Please limit your activity to the first page of the forum listings to avoid something like this.

    Thread Closed.

    -Dan
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  6. #4
  7. Jealous Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,302
    Rep Power
    9400
    Since the damage has been done I'm going to answer this anyways. Naturally these answers are appropriate for stuff happening THIS DECADE, so don't go back in time and use my advice. Besides, if you could go back in time, why the hell would you be spending your time dealing with HTML forms? Go win the damn lottery.


    1. You can't control what files the user sends to your server. You can control which files you actually accept and store for later (which should be obvious because it's your own code that's doing the accepting and storing).

    2. Extensions can be changed easily, but most web servers will serve files according to extension - or at least use the extension to resolve ambiguities. If you want .jpg files and someone uploads a PHP script renamed to .jpg then worst case it'll just be treated as a (corrupt) image. Best case is the script contains actual JPEG data and you'll see that.
    However the reverse would be harmful: since JPEG images can contain arbitrary comments, if an image was renamed as .php then it could execute harmful code.

    3. The MIME type, as contained within $_FILES, is provided by the browser. Not by PHP. That means it is insecure and cannot be trusted. If you want the type (which is a good idea for handling generic file uploads) then determine it yourself.

    4. The <input type=file> element does support a set of allowed MIME types for uploading, but (a) it's not implemented on, like, any browser, and (b) you couldn't trust it to restrict files.
    Last edited by requinix; November 11th, 2011 at 12:34 PM.

Similar Threads

  1. Replies: 1
    Last Post: February 8th, 2004, 02:59 PM
  2. PHP file upload script trouble
    By casbboy in forum PHP Development
    Replies: 9
    Last Post: February 5th, 2004, 08:42 PM
  3. file upload problem
    By user# 63632 in forum PHP Development
    Replies: 4
    Last Post: February 1st, 2004, 01:41 AM
  4. php-sql file upload and download
    By mthroesch in forum PHP Development
    Replies: 0
    Last Post: January 28th, 2004, 02:56 AM
  5. determining file types
    By jaccinc in forum PHP Development
    Replies: 1
    Last Post: January 22nd, 2004, 09:58 AM

IMN logo majestic logo threadwatch logo seochat tools logo