SitePoint Sponsor

User Tag List

Results 1 to 9 of 9
  1. #1
    SitePoint Addict
    Join Date
    Nov 2009
    Posts
    281
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Case insensitive string match

    Hi,

    I have a form with image upload and I check the allowed file extensions using the following array:

    PHP Code:
    $allowedExtensions = array('jpg''jpeg''gif''png'); 
    Is there a way to express the values in above array in a case insensitive way so that "JPG", "Jpg" and "jpg" or "PNG", "Png" and "png" will all be accepted? I know I can add 6 more elements to the array to accomplish this but maybe there is a solution with preg_match() or other function that I can't think of.

    Thanks for your ideas.

  2. #2
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Join Date
    Aug 2008
    Location
    The Netherlands
    Posts
    8,892
    Mentioned
    138 Post(s)
    Tagged
    2 Thread(s)
    apply strtolower to the extension of the uploaded file and compare that to your array using in_array.
    Rémon - Hosting Advisor

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy

  3. #3
    Grüße aus'm Pott gold trophysilver trophybronze trophy
    Pullo's Avatar
    Join Date
    Jun 2007
    Location
    Germany
    Posts
    5,312
    Mentioned
    178 Post(s)
    Tagged
    8 Thread(s)
    Hi there nayen,

    What I would do, is to get the extension of the uploaded file, then downcase it and see if it's in the array.
    A bit like this:

    PHP Code:
    $fileName "myfile.JPG";
    $allowedExtensions = array('jpg''jpeg''gif''png'); 

    $arr explode("."$fileName);
    $extensionType strtolower(end($arr));
    echo 
    in_array($extensionType$allowedExtensions);; 
    Hope that helps.

    Edit: Rémon was quicker

  4. #4
    SitePoint Addict
    Join Date
    Nov 2009
    Posts
    281
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    That's clever, couldn't think of it. Thank you both.

  5. #5
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    4,810
    Mentioned
    141 Post(s)
    Tagged
    0 Thread(s)
    Not sure if you thought about this, or if there are reasons not to do this, but I usually do not validate against extension. Instead I validate against MIME type and that is provided in the Superglobals $_FILES via the ['type'] index.

    Example from php.net
    PHP Code:
    /*** 
        now verify the mime, i did not find 
        something more easy than verify the 
        'image/' ty^pe. if wrong tell it! 
    ***/ 

        
    if(!preg_match('/image\/i'$_FILES['attachment']['type'])) { 

          echo 
    'The uploaded file is not an image please upload a valid file!'

        } 
    Why do I prefer MIME type? Because I'm a 98% Linux user and 90% of my files do not have extensions or have extensions that may not be typical
    Be sure to congratulate xMog on earning April's Member of the Month
    Go ahead and blame me, I still won't lose any sleep over it
    My Blog | My Technical Notes

  6. #6
    SitePoint Addict
    Join Date
    Nov 2009
    Posts
    281
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by cpradio View Post
    Not sure if you thought about this, or if there are reasons not to do this, but I usually do not validate against extension. Instead I validate against MIME type and that is provided in the Superglobals $_FILES via the ['type'] index.

    Example from php.net
    PHP Code:
    /*** 
        now verify the mime, i did not find 
        something more easy than verify the 
        'image/' ty^pe. if wrong tell it! 
    ***/ 

        
    if(!preg_match('/image\/i'$_FILES['attachment']['type'])) { 

          echo 
    'The uploaded file is not an image please upload a valid file!'

        } 
    Why do I prefer MIME type? Because I'm a 98% Linux user and 90% of my files do not have extensions or have extensions that may not be typical
    The example script I found on the web uses both extension validation and MIME type validation. I don't have that much knowledge to question why. If you are saying that checking MIME types will be enough, then I will use your code.

  7. #7
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Join Date
    Aug 2008
    Location
    The Netherlands
    Posts
    8,892
    Mentioned
    138 Post(s)
    Tagged
    2 Thread(s)
    While I agree that checking mime type is better than checking file extension, I wouldn't use $_FILES to get it since that is user provided information and may well be false (see comment 1 at php.net/manual/en/features.file-upload.php).
    I would use file_info instead.
    Rémon - Hosting Advisor

    Minimal Bookmarks Tree
    My Google Chrome extension: browsing bookmarks made easy

  8. #8
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    4,810
    Mentioned
    141 Post(s)
    Tagged
    0 Thread(s)
    MIME Type is the type of file you received. An extension can be anything. For example, I've seen kiddie hacker scripts that use image uploaders to get their scripts on a remote server because the only validation used is extension. So they upload my-malicious-file.php.jpg, which passes some validation (not all), and they then look for a way to rename it and run it, or just a way to run it.

    The MIME Type for that particular example would not contain 'image/', so it would fail the validation. It's really just my personal choice to use MIME Type over extension, but I think it is a logical decision (or at least a good topic for a bit of discussion )
    Be sure to congratulate xMog on earning April's Member of the Month
    Go ahead and blame me, I still won't lose any sleep over it
    My Blog | My Technical Notes

  9. #9
    Hosting Team Leader silver trophybronze trophy
    cpradio's Avatar
    Join Date
    Jun 2002
    Location
    Ohio
    Posts
    4,810
    Mentioned
    141 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by ScallioXTX View Post
    While I agree that checking mime type is better than checking file extension, I wouldn't use $_FILES to get it since that is user provided information and may well be false (see comment 1 at php.net/manual/en/features.file-upload.php).
    I would use file_info instead.
    To be fair, I was lazy and took that straight from php manual (wanted to verify it was part of $_FILES), but yes, file_info is much much safer or you can use getimagesize() if you want to read other items too, such as the width/height of the image.
    Be sure to congratulate xMog on earning April's Member of the Month
    Go ahead and blame me, I still won't lose any sleep over it
    My Blog | My Technical Notes


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •