PHP File Upload Tutorial – Limit file extensions too!


19 thoughts on “PHP File Upload Tutorial – Limit file extensions too!”

  1. liviu811

    What screen capture software did you use?

  2. W3Hut

    @moro116 Um….. English…

  3. moro116

    lol. What language is he speaking?

  4. W3Hut

    @FeedMEBabies You could use an array, but it depends on whether or not the function is checking for case-sensitive strings. There probably is a way to write less code, but at least this way you know it’s checking both cases.

  5. FeedMEBabies

    Is there a wildcard symbol? Couldn’t you put that on jpg so it recognizes it in caps and lowercase?

  6. artistdream11

    Hello! I am having a problem executing this code. Please, can anybody share this code? I will be very thankful to you all.

  7. artistdream11

    Hello! Please, I need this code. I am having a problem executing that code. I will be very thankful to you for sharing that code too. Please do the needful as soon as you can.

  8. JordiFun

    If you read again, you see I was talking about a combination of those two (extension and MIME type). While showing your file via another PHP script, you can force it to a MIME type via the headers.

    And still, checking the string is NOT 100% safe. Once again: read about the (%00) null byte. Other security issues also occur when using the ‘string extension only’ check.

    //Deleted and reposted; typing mistake.

  9. W3Hut

    @JordiFun Usually I would work on the last piece of the array, but to simplify this I chose to use the second piece. I see the danger in this, and you’re right to think so.

    However, this is one of the MOST secure ways of limiting the file extension. You can provide a more secure way using a combination of all of the methods.

    And in fact the most insecure way of checking the file extension is using the MIME type, as you can easily fool PHP into believing you are using an allowed extension.

  10. JordiFun

    Well, you’d think it’s going that way. And I thought the same way before I read a security blog post somewhere talking about exploits in upload scripts. It had something to do with using %00 in the file name. With that, you were able to ‘trick’ an upload script by telling it the file is a .jpg, while that file simply contained PHP. I never tried it, but I assume it’s possible.

    Just googled it (it’s a Dutch website), and the %00 characters have the value of NULL. So PHP may cut the string off there.

  11. Martyj2009

    @JordiFun Well, if the file says it’s a jpg, it cannot be executed as anything but a jpg. If you rename a .exe to a .jpg on your PC, it will try to open in a photo program.

  12. JordiFun

    True, but since security is more and more important, I don’t think a file-extension-only check is safe enough. I’d use the extension and MIME type and combine those two.

  13. Martyj2009

    @JordiFun You could also do $MyArray[count($MyArray) – 1] and that will get the last element.

  14. JordiFun

    Well, what he’s doing is really unsafe!

    What if I call my file exploit.jpg.php? jpg will still be the second array element (at position 1). So, if you want a safe upload script, don’t use this one.

    TIPS:
    – Use ‘in_array’ to check your extension. Make an array with $allowed_extension = Array() and check your file extension against it.
    – You don’t have to check your extension in both lower and upper case. Just use ‘strtolower’ (or strtoupper, whichever you want).
    Well, too many other things can be improved…

  15. banule

    I can’t find the files anywhere… I have checked byteforums. What is it under?

  16. moussaemad

    This is what I was thinking about as well…

  17. W3Hut

    You would have to include a MySQL statement to add a record of the file to a database. Then after this you can link comments to the id of the file. I am sure I can make a video on this. If you subscribe, then you will be told when it is uploaded. 😉

  18. OnYourTodProd

    Very nice. I now have an upload part on my web page. But if I wanted to have a comment go along with the file that is being uploaded, how would I do this? You see, I want members to be able to log in, then upload a picture and a comment to their own page. Do you know how this is done? I need help!

  19. Martyj2009

    Couldn’t you use $_FILES[‘file’][‘type’] instead of exploding the name?

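Added example, written for this page; it is not the tutorial's code and not any commenter's. It puts the explode()-and-take-index-1 style check that comment 14 criticises next to a hardened handler, and it also shows why the $_FILES['file']['type'] value asked about in comment 19 is not a safe substitute: that header is chosen by the client. The function names, the extension and MIME whitelists, and the $uploadDir parameter are illustrative assumptions, as is the file name exploit.jpg.php taken from the thread.

```php
<?php
// Added example, not the tutorial's code. All names here are illustrative.

// Vulnerable check, in the spirit of the tutorial as the thread describes it:
// split on '.' and look at the second piece. "exploit.jpg.php" passes because
// $parts[1] === 'jpg', yet the web server sees a .php file and executes it.
function vulnerable_extension_ok(string $clientName): bool
{
    $parts = explode('.', $clientName);
    return isset($parts[1]) && ($parts[1] === 'jpg' || $parts[1] === 'JPG');
}

// Hardened extension check: last component only, case-folded, strict whitelist.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

function safe_extension(string $clientName): ?string
{
    // A NUL byte in the name is the %00 trick from the thread: old PHP versions
    // truncated the path there, current versions throw. Refuse it outright.
    if (strpos($clientName, "\0") !== false) {
        return null;
    }
    // pathinfo() returns the text after the LAST dot, so "exploit.jpg.php" -> "php".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : null;
}

// $_FILES['file']['type'] is sent by the browser and can be set to anything.
// Sniff the bytes of the temporary file instead of trusting that header.
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

function sniff_mime(string $path): ?string
{
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $path);
    finfo_close($finfo);
    return in_array($mime, ALLOWED_MIME, true) ? $mime : null;
}

// Full handler: $file is one entry of $_FILES. Returns the stored name or throws.
function handle_upload(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $ext = safe_extension($file['name']);
    if ($ext === null) {
        throw new RuntimeException('extension not allowed');
    }
    // Content sniffing catches plain scripts renamed to .jpg. It does not catch
    // a valid image with PHP appended, so it is a layer, not the whole defence.
    if (sniff_mime($file['tmp_name']) === null) {
        throw new RuntimeException('content is not an allowed image');
    }
    // Never reuse the client's name: a random server-side name plus the
    // whitelisted extension removes path tricks and double extensions entirely.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}

// Command-line self-check on the thread's example name and a mixed-case name.
if (PHP_SAPI === 'cli') {
    var_dump(vulnerable_extension_ok('exploit.jpg.php'));
    var_dump(safe_extension('exploit.jpg.php'));
    var_dump(safe_extension('Photo.JPG'));
}
```

The last layer is not in the code: the directory handed to handle_upload() should live outside the document root, or the web server should be configured so that nothing in it is executed as PHP (for Apache, for example, turning the PHP engine off for that directory). With a server-generated name, a whitelisted extension and a non-executing upload directory, a file that slips past the content check is still served as a static blob rather than run.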
