Hudzilla.org - the homepage of Paul Hudson

8.10.1 Advanced file upload handling


To make our upload system a little more advanced, let's take a look at adding a little more security to the system by checking the kind of file just uploaded. It would be great if we could rely on the 'type' information of uploaded files to tell us whether a file is to be accepted or not, but many browsers do not send MIME types with uploaded files. Instead, here is a simple bit of code that checks the extension of an uploaded file - you should recognise explode() already.

<?php
    $tmp = explode('.', $_FILES['userfile']['name']); // split the client-supplied name on '.'
    $fileext = $tmp[count($tmp)-1];                   // the last piece is the extension
?>

In line one, we split the name of the uploaded file into an array. As we specified a full stop (.) as the first parameter to explode, our array will normally be split into two elements - file name (e.g. 'mysql'), and file extension (e.g. 'rpm'). If our filename was 'php-5.0.0.tar.gz', our array would contain elements 'php-5', '0', '0', 'tar', 'gz'. count() is a new function that merely returns the number of elements in an array, and by subtracting one from it (remember PHP uses zero-based arrays), we find ourselves reading the last element in the array. With php-5.0.0.tar.gz, this would return "gz". With mysql.rpm, this would return "rpm".

Now we can read the extension of the file that was uploaded, let's compare it to a list of extensions we trust.

<?php
    $allowedexts = array("rpm", "gz", "tar", "bz2"); // extensions we are willing to accept
    if (in_array($fileext, $allowedexts)) {
        print "File is trusted.";
    } else {
        print "File not trusted!";
    }
?>

In the above code, we create an array of trusted file extensions, then, using in_array(), we compare our $fileext variable (which contains everything after the final full stop in the name of our uploaded file) to the array of allowed extensions. Naturally, merely checking file extensions does not guarantee security, but every little helps.
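The extension test above has a few rough edges worth knowing about: explode() hands back the whole filename when there is no dot at all, the comparison is case-sensitive (so "RPM" slips past), and the extension says nothing about what the bytes actually are. The following is an added example, not code from the book, that keeps the same allowed-extension list but layers the other checks a practitioner would want: PHP's own upload error code, a server-side size limit, is_uploaded_file(), a case-insensitive extension taken with pathinfo(), a libmagic content check via the fileinfo extension, and storage under a server-generated name. The field name "userfile", the upload directory /var/uploads (which should sit outside the web root) and the MIME type list are assumptions.

```php
<?php
// Added example (not from the book). Assumes a form field "userfile", the
// fileinfo extension, and an upload directory that is not served by the web server.

function check_upload(array $file, array $allowedExts, array $allowedMimes, int $maxBytes): array
{
    // 1. PHP reports upload problems in 'error'; anything but UPLOAD_ERR_OK is a failure.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload failed or no file sent'];
    }

    // 2. Size limit enforced server-side, whatever MAX_FILE_SIZE the form claimed.
    if ($file['size'] > $maxBytes) {
        return [false, 'file too large'];
    }

    // 3. Only trust files PHP itself placed in the temporary directory.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }

    // 4. Extension check, case-insensitive. pathinfo() returns '' when there is
    //    no dot, whereas explode() would have returned the whole filename.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedExts, true)) {
        return [false, 'extension not allowed'];
    }

    // 5. Content check: ask libmagic what the bytes look like, ignoring the
    //    browser-supplied $file['type'], which the client controls entirely.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!in_array($mime, $allowedMimes, true)) {
        return [false, "content type $mime not allowed"];
    }

    return [true, $ext];
}

function store_upload(array $file, string $uploadDir, string $ext): string
{
    // Never reuse the client's filename: generate one and keep only the vetted extension.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest    = rtrim($uploadDir, '/') . '/' . $newName;

    // move_uploaded_file() refuses to move anything that did not arrive via HTTP POST.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640); // stored data, not executable
    return $dest;
}

// Usage with the extensions from the book's example. The MIME list is an
// assumption about what libmagic reports for these formats; adjust it to
// whatever your fileinfo build returns for known-good sample files.
$allowedExts  = ['rpm', 'gz', 'tar', 'bz2'];
$allowedMimes = ['application/x-rpm', 'application/gzip', 'application/x-gzip',
                 'application/x-tar', 'application/x-bzip2'];

if (isset($_FILES['userfile'])) {
    [$ok, $info] = check_upload($_FILES['userfile'], $allowedExts, $allowedMimes, 5 * 1024 * 1024);
    if ($ok) {
        $path = store_upload($_FILES['userfile'], '/var/uploads', $info); // assumed directory
        print "File is trusted and stored.";
    } else {
        print "File not trusted: " . htmlspecialchars($info);
    }
}
?>
```

The ordering matters: the cheap checks (error code, size) run before anything touches the file, the extension check uses only the last component so "php-5.0.0.tar.gz" still yields "gz", and the content check is the one that actually inspects bytes. Generating the stored filename yourself, rather than trusting $_FILES['userfile']['name'], is what keeps the client from influencing where or under what name the file lands.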
