  1. #1
    New Coder
    Join Date
    Mar 2012
    Posts
    91
    Thanks
    2
    Thanked 0 Times in 0 Posts

    how do you allow only indicated file type

    Hi All,

    I am using a form which sends more than one file input field to the php code below. It functions fine and counts the number of input upload fields and how many used and so on. The php cycles through the fields and counts as it goes then ends echoing a report of what it did. As I said all that is fine.

    However, the code will accept any file form type you happen to select from the 'Browse', with any extension such as .jpg, .txt, .php, .html, .png and so on and I want to restrict what is accepted by the php code.

    Is there something that I can add which detects if the incoming file extension is a .txt or a .php and allow those but reject anything not in an allowed list?

    I have left the code in its working state in hope someone can indicate what additional code is required and where it is possible to introduce such a filter.


    Code:
    <?php
    $number_of_file_fields = 0;
    $number_of_uploaded_files = 0;
    $number_of_moved_files = 0;
    $uploaded_files = array();
    $upload_directory = $_POST['puthere'];
    $vertical = '<br/>';
    if ($_POST['puthere'] != '')
    {
        if ($_POST['Username'] == "xxxx" && $_POST['password'] == "yyy")
        {
            for ($i = 0; $i < count($_FILES['file']['name']); $i++) {
                $number_of_file_fields++;
                if ($_FILES['file']['name'][$i] != '') { //check for empty input and forget it
                    $number_of_uploaded_files++;
                    $uploaded_files[] = $_FILES['file']['name'][$i];
                    if (move_uploaded_file($_FILES['file']['tmp_name'][$i], $upload_directory . $_FILES['file']['name'][$i])) {
                        $number_of_moved_files++;
                    }
                }
            }
            echo "Number of File fields created $number_of_file_fields.<br/> ";
            echo "Number of files submitted $number_of_uploaded_files . <br/>";
            echo "Number of successfully moved files $number_of_moved_files . <br/>";
            echo "File Names are <br/>" . implode($vertical, $uploaded_files);
        }
        else
        {
            echo "An invalid file.";
        }
    }
    else
    {
        echo "Invalid.";
    }
    ?>

    Martin.

  • #2
    Senior Coder
    Join Date
    Sep 2010
    Posts
    1,999
    Thanks
    15
    Thanked 234 Times in 234 Posts
    Do a print_r($_FILES); and you will see part of the answer, you have $_FILES['type'] to check against. But the really smart thing to do is use something that will read the file header to see what the real type is.
    Welcome to http://www.myphotowizard.net

    where you can edit images, make a photo calendar, add text to images, and do much more.


    When you know what you're doing it's called Engineering, when you don't know, it's called Research and Development. And you can always charge more for Research and Development.

  • #3
    New Coder
    Hi,

    Well, if there is a way to set up a filter for this multi-input browse field form it is beyond me.

    I have tried many filter code ideas from the net and a few of my own such as if(preg_match("/\.(jpg|jpeg|gif)$/i", $uploaded_files)) to allow just the indicated file extensions and this one below from the w3c site works so long as the main body of the upload php is only processing ONE browse input field, if there is more than one then it all fails.

    In my original question I mentioned .txt files but as the below was set up for images that is what I played with. If it had worked with images it would be simple to switch it over to work with .txt files.

    Code:
    $allowedExts = array("gif", "jpeg", "jpg", "png");
    $temp = explode(".", $_FILES["file"]["name"]);
    $extension = end($temp);
    if ((($_FILES["file"]["type"] == "image/gif")
    || ($_FILES["file"]["type"] == "image/jpeg")
    || ($_FILES["file"]["type"] == "image/jpg")
    || ($_FILES["file"]["type"] == "image/pjpeg")
    || ($_FILES["file"]["type"] == "image/x-png")
    || ($_FILES["file"]["type"] == "image/png"))
    && ($_FILES["file"]["size"] < 20000)
    && in_array($extension, $allowedExts))
    I have tried the above in just about every position (recommended or otherwise, except the correct position of course) in the lower main file, without success.

    If anyone can show a working solution it would be nice to know.

    Code:
    <?php
    $number_of_file_fields = 0;
    $number_of_uploaded_files = 0;
    $number_of_moved_files = 0;
    $uploaded_files = array();
    $upload_directory = $_POST['puthere'];
    $vertical = '<br/>';
    if ($_POST['puthere'] != '')
    {
        if ($_POST['Username'] == "xxxx" && $_POST['password'] == "yyy")
        {
            for ($i = 0; $i < count($_FILES['file']['name']); $i++) {
                $number_of_file_fields++;
                if ($_FILES['file']['name'][$i] != '') {
                    $number_of_uploaded_files++;
                    $uploaded_files[] = $_FILES['file']['name'][$i];
                    if (move_uploaded_file($_FILES['file']['tmp_name'][$i], $upload_directory . $_FILES['file']['name'][$i])) {
                        $number_of_moved_files++;
                    }
                }
            }
            echo "Number of File fields created $number_of_file_fields.<br/> ";
            echo "Number of files submitted $number_of_uploaded_files . <br/>";
            echo "Number of successfully moved files $number_of_moved_files . <br/>";
            echo "File Names are <br/>" . implode($vertical, $uploaded_files);
        }
        else
        {
            echo "An invalid file.";
        }
    }
    else
    {
        echo "Invalid.";
    }
    ?>

    Martin.

  • #4
    Senior Coder
    I work with images myself and should be using a filter of that sort on my upload page, so I'll just write one. But I can tell you that you are doing it the hard way, and not getting the right results. Be back when I've written it. I'm going to be writing an upload script anyway, so that would be a nice addition.

  • #5
    New Coder
    Hi DrDOS,

    Thank you for the offer to write some code which could do as I indicated, it is always nice to have more than one way to do something.

    In the meantime I finally realised why my preg_match idea to detect the .txt file extension failed to work.

    The match was not looping along with the general code when it checked the various browse input fields. I have made a correction shown below and also introduced a check for type.

    This may not be an elegant way but it works and does what was intended. I am sure it could be expanded upon to include other file extensions and types.

    I would not say this is perfect and it was never intended to stop those faking a .txt file which actually contained executable code, this was intended for honest incorrect selection of a file to be uploaded.

    Code:
    <?php
    $number_of_file_fields = 0;
    $number_of_uploaded_files = 0;
    $number_of_moved_files = 0;
    $uploaded_files = array();
    $upload_directory = $_POST['puthere'];
    $vertical = '<br/>';
    if ($_POST['puthere'] != '')
    {
        if ($_POST['Username'] == "xxxx" && $_POST['Password'] == "yyy")
        {
            for ($i = 0; $i < count($_FILES['textfile']['name']); $i++) {
                $number_of_file_fields++;
                if ($_FILES['textfile']['name'][$i] != '' && preg_match('/\\.(txt)$/i', $_FILES['textfile']['name'][$i]) && $_FILES["textfile"]["type"][$i] == "text/plain") {
                    $number_of_uploaded_files++;
                    $uploaded_files[] = $_FILES['textfile']['name'][$i];
                    if (move_uploaded_file($_FILES['textfile']['tmp_name'][$i], $upload_directory . $_FILES['textfile']['name'][$i])) {
                        $number_of_moved_files++;
                    }
                }
            }
            echo "Number of File fields created $number_of_file_fields.<br/> ";
            echo "Number of files submitted $number_of_uploaded_files . <br/>";
            echo "Number of successfully moved files $number_of_moved_files . <br/>";
            echo "File Names are: <br/>" . implode($vertical, $uploaded_files);
        }
        else
        {
            echo "An invalid file.";
        }
    }
    else
    {
        echo "Invalid.";
    }
    ?>

    For those wanting to test the code above and comment, here is a type of form that shows the multi-browse fields the php code processes.

    Code:
    <form name="uploadFile" id="uploadFile" action="theprocesscodeonhost.php" method="post" enctype="multipart/form-data">
    Final directory address: <input name="puthere" id="puthere" value="" size="40"><BR>
    User Name: <input name="Username" id="Username" value="" size="40"><BR>
    Password: <input name="Password" id="Password" value="" size="40"><BR>
    <div id="display_browse" value="" style="overflow: auto;">
    <input name="textfile[]" type="file" id="textfilefield" value="" size="50"><BR>
    <input name="textfile[]" type="file" id="textfilefield" value="" size="50"><BR>
    <input name="textfile[]" type="file" id="textfilefield" value="" size="50"><BR>
    <input name="textfile[]" type="file" id="textfilefield" value="" size="50">
    </div>
    </form>

    Martin.
    Last edited by SpidersWebHelp; 08-28-2013 at 12:10 PM. Reason: added a form

  • #6
    Senior Coder
    I'm still in the process of writing the code, but the part that is relevant to you is already done and tested.
    PHP Code:
    for ($i = 0; $i < $cnt; $i++)
    {
        // getimagesize() reads the header of the uploaded temp file
        $out = getimagesize($f['tmp_name'][$i]);
        //print_r($out);
        if ($out['mime'] == 'image/jpeg' && $f['type'][$i] == 'image/jpeg')
        {
            $tname = $f_name.'~'.($i+$n).'.jpeg';
            move_uploaded_file($f['tmp_name'][$i], './Uploads/'.$tname);
            // backticks run ImageMagick's convert through the shell
            `convert './Uploads/''$tname' -resize $t_size './''$tname'`;
        }
    }
    The if statement checks the mime type two ways, and the $out part is a read of the file header, so no one can pass off a png or txt file as a jpg. However a broader test is the use of in_array() to test for several allowed mime types and exclude others. I'll add that later on.
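
Added example (not code from any poster in this thread): the per-field filter the thread is working toward, applied to the `textfile[]` form from post #5. Every browse field is checked inside the loop against an extension allowlist and against the type `finfo` reads from the file content, combining the header read and the `in_array()` test mentioned in post #6. `UPLOAD_DIR`, `MAX_BYTES`, `ALLOWED` and `check_upload()` are hypothetical names, and the fixed target directory and generated file names are assumptions of this example.

```php
<?php
// Added example; UPLOAD_DIR, MAX_BYTES, ALLOWED and check_upload() are hypothetical names.
const UPLOAD_DIR = __DIR__ . '/uploads';   // fixed server-side target, never taken from $_POST
const MAX_BYTES  = 20000;                  // same size limit as the snippet in post #3
const ALLOWED    = [                       // extension => MIME types finfo may report for it
    'txt'  => ['text/plain'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
];

// Returns the extension to store the file under, or null to reject it.
function check_upload(string $clientName, string $tmpPath, int $error): ?string
{
    if ($error !== UPLOAD_ERR_OK || !is_uploaded_file($tmpPath)) {
        return null;                       // empty field, failed upload, or not an upload at all
    }
    if (filesize($tmpPath) > MAX_BYTES) {
        return null;
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;                       // extension is not on the allowlist
    }
    // Detect the type from the file content; $_FILES[...]['type'] is only what the browser sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return in_array($mime, ALLOWED[$ext], true) ? $ext : null;
}

$moved = [];
$files = $_FILES['textfile'] ?? ['name' => []];
foreach ($files['name'] as $i => $clientName) {   // one pass per browse field
    $ext = check_upload($clientName, $files['tmp_name'][$i], $files['error'][$i]);
    if ($ext === null) {
        continue;
    }
    // Store under a generated name so the client-supplied name never reaches the filesystem.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (move_uploaded_file($files['tmp_name'][$i], UPLOAD_DIR . '/' . $stored)) {
        $moved[$stored] = $clientName;
    }
}
foreach ($moved as $stored => $clientName) {
    echo htmlspecialchars("$clientName stored as $stored", ENT_QUOTES) . "<br/>";
}
```

Type detection from content is heuristic, so the directory the files land in should also be one the web server does not execute scripts from.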

