Verifying File Extensions of Files Uploaded?

[lynlimz]

Hi,

I am working on this web-based upload in PHP.
I'm stuck at this current problem.

How do I check file extensions and allow only certain type of files being uploaded?

So it'll forbid all files like .php to be uploaded. even .php.php would be forbidden. (just some trick i've seen people trying to beat the script)

Thanks.
Any replies would be gretaly appreciated.

[firepages]

you could try something like..

//where $uploaded is the name of the file input field (php adds the _name bit)//
$ext=substr($uploaded_name,-3,3);

//then wherever//
if($ext!="txt" || $ext!="jpg"){ ... etc etc

or along those lines anyway.

[lynlimz]

thanks! i'll give it a go

[freakysid]

You can additionally check the mime type of the uploaded file but this relies on the browser providing this info (I don't know which do/don't)

$userfile_type
or
$HTTP_POST_FILES['userfile']['type']

The mime type of the file, if the browser provided this information. An example would be "image/gif".

Note that the "$userfile" part of the above variables is whatever the name of the INPUT field of TYPE=file is in the upload form. In the above upload form example, we chose to call it "userfile"

http://www.php.net/manual/en/features.file-upload.php

[lynlimz]

Cool.
Thanks freaky. I thought about that. But I decided I didn't require that.

I just need the ability to upload zip/exe and set a limit of 10 mb.

the file size limit is set via the primary server config, so its safe.

I just want to make sure people cannot upload .php files for example, or .htaccess etc.

[lynlimz]

Originally posted by firepages
you could try something like..

//where $uploaded is the name of the file input field (php adds the _name bit)//
$ext=substr($uploaded_name,-3,3);

//then wherever//
if($ext!="txt" || $ext!="jpg"){ ... etc etc

or along those lines anyway.

btw..these do not work...somehow/..