  1. #1

    check file upload type

    An image uploaded from one machine is allowed; another image uploaded from another is not. Here is my code.

    PHP Code:
    // Reject the upload unless the browser-reported MIME type is on the allow list.
    if ($type != "image/jpeg" AND $type != "image/gif" AND $type != "application/msword"
        AND $type != "application/pdf" AND $type != "application/ms-excel") {
        echo "File Name: $name<br>File Type: $type<br>File Size: $size
        <br>is not an acceptable file type";
        exit;
    }

    This is for a new job contact form. In most cases we will be receiving data files (Excel and text). I would like to attach the name of the uploaded file to a job ticket that gets created and have it force a download instead of being opened.

    Since I also had mixed results with the workarounds for forcing a download, I am considering just accepting .zip files.

    My questions are:

    1. How can I just check for a .zip file?
    2. Are there any security issues with doing it this way?

    The upload form is for authorized clients, so it's not going to be out there for everybody, but I want to take reasonable precautions.

    Thanks

  2. #2
    lieut_data
    Quote Originally Posted by whiterabbit
    1. how can I just check for a .zip file

    The mime-type for a zip would (I believe) be

    Code:
    application/x-zip

    Quote Originally Posted by whiterabbit
    2. Are there any security issues with doing it this way.

    I'm not too sure what you mean by 'security issues' -- can a user fake a mime-type? Yes. Can they rename sobig.f in such a fashion that it would appear to be a zip? Probably.

    But if you take the precautions to always send back the file with the appropriate (zip) headers, and force the file-name extension to be .zip, your chances of security breaches are minimal. The end-user should be running a virus-scanner anyway.

    My name is Steve, and I'm a super-villain.

  3. #3
    Quote Originally Posted by lieut_data
    The mime-type for a zip would (I believe) be

    Code:
    application/x-zip

    if you take the precautions to always send back the file with the appropriate (zip) headers, and force the file-name extension to be .zip, your chances of security breaches are minimal. The end-user should be running a virus-scanner anyway

    I will try application/x-zip.

    I don't know how to send the file back with the zip headers; can you point me in the right direction? We do have realtime virus protection enabled.

    Thanks

  4. #4
    sleepingdanny
    You can also use "filetype($file)" to check a zip file or any other files that you uploaded through FTP - it will output the type like that... "gif/image"...
    Danny Grubman @ http://www.our-network.net
    "Intellectuals solve problems; geniuses prevent them."

  5. #5
    Quote Originally Posted by sleepingdanny
    You can also use "filetype($file)" to check a zip file or any other files that you uploaded through FTP - it will output the type like that... "gif/image"...

    Okay, thanks, I will look into that.

  6. #6
    Actually, filetype($_FILES['formfield']['tmp_name']) is reportedly better than just using the $_FILES['formfield']['type'] return, as it uses PHP and Apache to sniff the filetype. The ['type'] return uses the browser-sent headers, which vary depending upon machine - e.g. a Mac using one browser may send a text file as text/plain while a PC sends it as plaintext (example only). Hence the filetype call is better.
    teckis - that's news to me.
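
Added example (not part of any post in this thread): one way to do what posts #2 and #6 describe, checking the uploaded file's content on the server instead of trusting the browser-sent type, then sending it back with zip headers as a forced download. It assumes PHP 7+ with the fileinfo extension; `UPLOAD_DIR`, the `upfile` form field and both function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with the fileinfo
// extension; 'upfile', UPLOAD_DIR and both function names are hypothetical.
const UPLOAD_DIR = '/var/data/job-uploads';   // assumed: outside the web root

// Accept the upload only if its *content* looks like a zip archive.
// $_FILES[...]['type'] is sent by the browser and is ignored here.
function store_zip_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // Server-side content sniffing via libmagic.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    // Zip local-file-header signature: "PK\x03\x04".
    $magic = file_get_contents($file['tmp_name'], false, null, 0, 4);
    if ($mime !== 'application/zip' || $magic !== "PK\x03\x04") {
        throw new RuntimeException('Not a zip archive');
    }
    // Server-generated name with a forced .zip extension; the client's
    // file name is never used as a path.
    $id = bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . "/$id.zip")) {
        throw new RuntimeException('Could not store upload');
    }
    return $id;   // record this id on the job ticket
}

// Send a stored upload back as a forced download with zip headers.
function send_zip_download(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {   // rejects path traversal
        http_response_code(400);
        exit;
    }
    $path = UPLOAD_DIR . "/$id.zip";
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="job-' . $id . '.zip"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}
```

The upload handler would call `store_zip_upload($_FILES['upfile'])` and the download script `send_zip_download($id)`. A valid zip signature says nothing about what the archive contains, so virus scanning of the stored file remains a separate step.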

  7. #7
    I'm trying to understand what is happening. If I use $_POST_FILES instead of $HTTP_POST_FILES in the code below, I get my error message but the upload still works??

    I am on PHP 4.1

    if(empty($HTTP_POST_FILES["upfile"])) {
    echo ("Error: No file given (Mozilla), file doesn't exist (Konqueror, Mozilla)");
    }

