PHP File Upload Tutorial – Limit file extensions too!
By SchoolofWeb.org | September 12, 2010 | Third Party Videos | 19 Comments

19 thoughts on "PHP File Upload Tutorial – Limit file extensions too!"

liviu811 (September 12, 2010 at 1:48 am):
What screen capture software did you use?

W3Hut (September 12, 2010 at 2:31 am):
@moro116 Um….. English…

moro116 (September 12, 2010 at 3:22 am):
lol. What language is he speakin'?

W3Hut (September 12, 2010 at 3:37 am):
@FeedMEBabies You could use an array, but it depends on whether or not the function is checking for case-sensitive strings. There probably is a way to write less code, but at least this way you know it's checking both cases.

FeedMEBabies (September 12, 2010 at 4:24 am):
Is there a wildcard symbol? Couldn't you put that on jpg so it recognizes it in caps and lowercase?

artistdream11 (September 12, 2010 at 4:55 am):
Hello! I am having a problem executing this code. Please, can anybody share this code? I will be very thankful to you all.

artistdream11 (September 12, 2010 at 5:43 am):
Hello! Please, I need this code. I am having a problem executing that code. I will be very thankful to you for sharing that code too. Please do the needful as soon as you can.

JordiFun (September 12, 2010 at 6:43 am):
If you read again you see I was talking about a combination of those two (extension and MIME type). While showing your file via another PHP script, you can force it to a MIME type via the headers. And? Still, checking the string is NOT 100% safe. Just again: read about the (%00) null byte. Other security issues also occur while using the 'string extension only' check.
//Deleted and reposted; typo.

W3Hut (September 12, 2010 at 6:47 am):
@JordiFun Usually I would work on the last piece of the array, but to simplify this I chose to use the second piece. I see the danger in this and you're right to think so. However, this is one of the MOST secure ways of limiting the file extension. However, you can provide a more secure way using a combination of all of the methods. And in fact the most insecure way of checking the file extension is using the MIME type, as you can easily fool PHP into believing you are using an allowed extension.

JordiFun (September 12, 2010 at 7:41 am):
Well, you'd think it's going that way. And I thought the same way before I read a security blog post somewhere talking about exploits in upload scripts. It had something to do with using %00 in the file name. With that thing you were able to 'trick' an upload script by telling it it's a .jpg, but that file simply contained PHP. I never tried it, but I assume it's possible. Just googled it (it's a Dutch website) and the %00 characters have the value of NULL. So PHP may cut it off the string.

Martyj2009 (September 12, 2010 at 7:42 am):
@JordiFun Well, if the file says it's a jpg it cannot be executed as anything but a jpg. If you rename a .exe to a .jpg on your PC it will try to open in a photo program.

JordiFun (September 12, 2010 at 7:49 am):
True, but since security is more and more important I don't think that a file extension check only is safe enough. I'd use the extension and MIME type and combine those two.

Martyj2009 (September 12, 2010 at 8:47 am):
@JordiFun You could also do $MyArray[count($MyArray) - 1] and that will get the last element.

JordiFun (September 12, 2010 at 9:04 am):
Well, what he's doing is really unsafe! What if I call my file: exploit.jpg.php?? jpg will still be the second array element (at position 1). So, if you want a safe upload script, don't use this one.
TIPS:
- Use 'in_array' to check your extension. Make an array with $allowed_extension = Array() and check your file extension.
- You don't have to lower- and uppercase check your extension. Just use 'strtolower' (or upper, just what you want.)
Well, too many other things can be improved...

banule (September 12, 2010 at 9:56 am):
I can't find the files anywhere... I have checked byteforums. It is under what?

moussaemad (September 12, 2010 at 10:53 am):
This is what I was thinking about as well...

W3Hut (September 12, 2010 at 11:09 am):
You would have to include a MySQL statement to add a record of the file to a database. Then after this you can link comments to the id of the file. I am sure I can make a video on this. If you subscribe then you will be told when it is uploaded. 😉

OnYourTodProd (September 12, 2010 at 11:52 am):
Very nice. I now have an upload part to my web page. But if I wanted to have a comment go along with the file that is being uploaded, how would I do this? You see, I want members to be able to log in, then upload a picture and a comment to their own page. Do you know how this is done? I need help!

Martyj2009 (September 12, 2010 at 12:18 pm):
Couldn't you use $_FILES['file']['type'] instead of exploding the name?
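The checks debated in this thread, side by side, as an added PHP example that is not from the video or any commenter: the "second piece of explode()" check, JordiFun's last-extension + strtolower + in_array version, and a content check that ignores the browser-supplied $_FILES['file']['type'] Martyj2009 asks about. The file names and file bodies are constructed.

```php
<?php
// Added example, not code from the video or any commenter. Inputs are constructed.

// Weak: looks at the second dot-separated piece and tests both cases by hand.
// "exploit.jpg.php" passes because "jpg" sits at position 1.
function weakExtensionOk(string $name): bool
{
    $parts = explode('.', $name);
    return isset($parts[1]) && in_array($parts[1], ['jpg', 'JPG', 'png', 'PNG'], true);
}

// Hardened: reject control bytes (the %00 trick) and path separators, take only
// the LAST extension, lower-case it, and compare against an allow-list.
function safeExtensionOk(string $name): bool
{
    if (preg_match('/[\x00-\x1f\/\\\\]/', $name)) {
        return false;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true);
}

// Content check: getimagesize() parses the bytes on disk. $_FILES[...]['type']
// is never consulted, because the client fills that field in.
function imageContentOk(string $path): bool
{
    $info = @getimagesize($path);
    return $info !== false
        && in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true);
}

// Constructed file names taken from the thread's discussion.
foreach (['photo.jpg', 'PHOTO.JPG', 'exploit.jpg.php', "photo.jpg\0.php"] as $name) {
    printf("%-18s weak=%-4s safe=%s\n", addcslashes($name, "\0"),
        weakExtensionOk($name) ? 'pass' : 'fail',
        safeExtensionOk($name) ? 'pass' : 'fail');
}

// Constructed file bodies: a minimal PNG signature + IHDR header versus plain text.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . pack('NNCCCCC', 1, 1, 8, 6, 0, 0, 0));
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "this is not an image\n");
printf("png body: %s, text body: %s\n",
    imageContentOk($png) ? 'image' : 'rejected',
    imageContentOk($txt) ? 'image' : 'rejected');
unlink($png);
unlink($txt);
```

In a real handler, run safeExtensionOk() on $_FILES['file']['name'] and imageContentOk() on $_FILES['file']['tmp_name'], then store the file under a server-generated name rather than the client's.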