  1. #1
    SitePoint Addict
    Join Date
    Aug 2007
    Posts
    318

    Restrict extensions for upload (blob)

    Hi, I am using a fileupload script which stores data in medium blob.

    I want to have a check and allow only txt, doc and zip files to be uploaded, for other file extensions it should show an error.

    Where and how do I do this task?

    The code is as follows:

    PHP Code:
    <?
    if(isset($_POST['upload']))
    {

    // Strip slashes from all GPC data
    if (get_magic_quotes_gpc()) {
        function strip_gpc_slashes(&$array) {
            if (!is_array($array)) {
                return;
            }
            foreach ($array as $key => $val) {
                is_array($array[$key]) ? strip_gpc_slashes($array[$key]) : ($array[$key] = stripslashes($val));
            }
        }

        $gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST, &$_FILES);
        strip_gpc_slashes($gpc);
    }

        $fileName = $_FILES['userfile']['name'];
        $tmpName  = $_FILES['userfile']['tmp_name'];
        $fileSize = $_FILES['userfile']['size'];
        $fileType = $_FILES['userfile']['type'];

        $fp = fopen($tmpName, 'r');
        $content = fread($fp, $fileSize);
        $content = mysql_real_escape_string($content);
        fclose($fp);

        $fileName = mysql_real_escape_string($fileName);
        $contributed_by = mysql_real_escape_string($_POST['contributed_by']);
        $title = mysql_real_escape_string($_POST['title']);

        include 'library/config.php';
        include 'library/opendb.php';

        $query = "INSERT INTO upload (contributed_by, title, filename, size, type, content ) ".
                 "VALUES ('$contributed_by', '$title', '$fileName', '$fileSize', '$fileType', '$content')";

        mysql_query($query) or die('Error, query failed');
        include 'library/closedb.php';

        echo "<br>File $fileName uploaded<br>";
    }
    ?>
    Also, any suggestions about security concerns or more efficient code are welcome.

  2. #2
    SitePoint Enthusiast
    Join Date
    Apr 2002
    Posts
    74
    I can't rattle the code off the top of my head, but it looks like you already have the extension in the $filetype variable.

    An if statement like this may do the trick:
    if($filetype == .zip || .text etc){
    upload
    }else{
    error message;
    }

    Hopefully this helps

  3. #3
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    PHP Code:
    $t = array("application/zip", "text/plain");
    if (!in_array($fileType, $t)) {
        die("file type not allowed");
    }
    my mobile portal
    ghiris.ro

  4. #4
    SitePoint Addict Wildhoney's Avatar
    Join Date
    Apr 2006
    Location
    Nottingham
    Posts
    246
    I realise this post isn't in the database section but I will hand out some advice nevertheless.

    You should never store large files in databases for a whole plethora of reasons.

    Number 1
    Your database will get too large, too soon. A large database equals a slower database - especially if it is badly designed.

    Number 2
    You will have to use OPTIMIZE TABLE a lot if you're removing and updating rows in the table frequently, as you will soon have gaps appearing. Gaps in tables mean a slower table.

    The solution? Store the filename in your database, set it as a varchar of say 12 characters in length. Create a random string and append the extension. Use that stored filename as the link to your image stored in a standard file. Then get your image like so:

    Code:
    SELECT CONCAT_WS('/', 'images', myColumn1) AS image ...
    Or of course you can use the PHP way:

    PHP Code:
    My Image = <?php echo 'images/' . $aRow['myColumn1']; ?>
    But never, ever use a BLOB to store entire files. You will soon run into a lot of issues as the site grows.

    Also, here is my much cleaner and lucid snippet of code for checking extensions in PHP:

    PHP Code:

    $aImageExtensions = array('jpg', 'jpeg', 'gif', 'wbmp', 'png');
    $szExtension = array_pop(explode('.', $_FILES['objUpload']['name']));
    $bExtensionAllowed = false;

    // Case-insensitive comparison against each allowed extension
    foreach ($aImageExtensions as $szExtItem)
    {
        if (strtolower($szExtension) == strtolower($szExtItem))
            $bExtensionAllowed = true;
    }

    TalkPHP.com - The Friendly PHP Community

    Watch Reaper Online - Watch Chuck Online
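
Pulling the thread's suggestions together, as an added example that is not from any of the posts above: a check that allows only txt, doc and zip by extension and confirms the content with finfo instead of trusting the browser-supplied `$_FILES['userfile']['type']`. The field name `userfile` is from the first post; `MAX_BYTES`, the MIME lists and `validate_upload()` are assumptions made for this sketch.

```php
<?php
// Added example, not code from the thread. MAX_BYTES and the MIME lists are assumptions.
const MAX_BYTES = 2 * 1024 * 1024; // assumed cap, below MEDIUMBLOB's 16 MB limit

// extension => content types finfo may report (varies with the libmagic version)
const ALLOWED = [
    'txt' => ['text/plain'],
    'doc' => ['application/msword', 'application/vnd.ms-office', 'application/CDFV2'],
    'zip' => ['application/zip'],
];

// Returns [extension, server-generated name] or throws RuntimeException.
function validate_upload(array $file): array
{
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('File size not allowed');
    }
    // The extension comes from the client-supplied name; compare it in lower case.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('Extension not allowed');
    }
    // $file['type'] is whatever the browser sent, so inspect the bytes on disk instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException('Content does not match extension');
    }
    // Store under a random name; keep the original name only as escaped metadata.
    return [$ext, bin2hex(random_bytes(8)) . '.' . $ext];
}

if (isset($_POST['upload'], $_FILES['userfile'])) {
    try {
        [$ext, $storedName] = validate_upload($_FILES['userfile']);
        echo 'Accepted, stored as ', htmlspecialchars($storedName);
    } catch (RuntimeException $e) {
        echo 'Error: ', htmlspecialchars($e->getMessage());
    }
}
```

A file that passes should still be saved outside the web root or served with a fixed download content type, since neither the extension nor the sniffed type proves the content is harmless.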

