File upload handling (file types etc.)

Hi!

I have two questions. First, how can I control what files a user uploads? I can, of course, check the extensions but they can't always be trusted. Can I check the mime-types somehow?

Second, is there a way I can set the "available formats" in the file upload dialog box?

Regards,



------------------
.jonas

first question: here is some basic code that checks if the file uploaded is a jpeg, should be easy enough to follow.


as for the second one you could just create an array of file types supported and use it for checking the uploaded file, and to create a "supported file types" list on the form, I hope that helped, if you have any other questions feel free to ask.

Welcome to the forums Wizard.

You have revived a thread that is so old the forum software is malfunctioning trying to display the OP's information. The Matrix came out AFTER this question was asked. I think he found the answer.

Please limit your activity to the first page of the forum listings to avoid something like this.

Thread Closed.

-Dan

Since the damage has been done I'm going to answer this anyways. Naturally these answers are appropriate for stuff happening THIS DECADE, so don't go back in time and use my advice. Besides, if you could go back in time, why the hell would you be spending your time dealing with HTML forms? Go win the damn lottery.


1. You can't control what files the user sends to your server. You can control which files you actually accept and store for later (which should be obvious because it's your own code that's doing the accepting and storing).

2. Extensions can be changed easily, but most web servers will serve files according to extension - or at least use the extension to resolve ambiguities. If you want .jpg files and someone uploads a PHP script renamed to .jpg then worst case it'll just be treated as a (corrupt) image. Best case is the script contains actual JPEG data and you'll see that.
However the reverse would be harmful: since JPEG images can contain arbitrary comments, if an image was renamed as .php then it could execute harmful code.

3. The MIME type, as contained within $_FILES, is provided by the browser. Not by PHP. That means it is insecure and cannot be trusted. If you want the type (which is a good idea for handling generic file uploads) then determine it yourself.

4. The <input type=file> element does support a set of allowed MIME types for uploading, but (a) it's not implemented on, like, any browser, and (b) you couldn't trust it to restrict files.