I need some advice on safely allowing people to bulk upload products to our site using tab-delimited txt files only. My first concern is making sure the file that someone is uploading is actually a plain text file and not a hostile fake.
Here is the code I have so far for the basic errors and sanitization:
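// Only the .txt extension is accepted.
$allowedExts = array("txt");
// pathinfo() replaces end(explode(...)): end() expects a variable passed by reference.
$extension = pathinfo($_FILES["ufile"]["name"], PATHINFO_EXTENSION);
// $_FILES[...]['type'] is the MIME type reported by the browser.
if ($_FILES['ufile']['type'] != 'text/plain' || !in_array($extension, $allowedExts)) {
    echo "Error: This is not a 'txt' file.";
    exit();
}
// A non-zero error code means the upload itself failed.
if ($_FILES["ufile"]["error"] > 0)
{
    echo "Error: Something is wrong with this file: ".$_FILES["ufile"]["error"];
    exit();
}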
Let me know if this looks good so far or if there needs to be anything else added here. I understand that mime_content_type is also deprecated and there is a better method out there?
Any advice would be greatly appreciated. I’ve never added a feature like this to my site, so this is very new to me.
Text files have no mime type; anything can be classified as such. Don’t bother checking the mime type or any of that. As long as you only access it as textual data it won’t cause harm. The next step of course will be to process the data. The moment the format is incorrect, dump it as an invalid file.
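The approach in the answer above (read the upload purely as text and reject the whole file at the first malformed line), sketched as an added example that is not code from either poster. The three-column layout (SKU, name, price), the size and row caps, the per-field rules and the availability of the mbstring extension are assumptions.

```php
<?php
// Added example. Column layout, caps and field rules are assumptions, not from the thread.
const MAX_BYTES = 1048576; // assumed 1 MiB cap on the upload
const MAX_ROWS  = 5000;    // assumed cap on product rows

// Parse tab-delimited text strictly; throws on the first line that breaks the format.
function parseProducts(string $data): array
{
    if (strlen($data) > MAX_BYTES) throw new InvalidArgumentException('file too large');
    if (!mb_check_encoding($data, 'UTF-8')) throw new InvalidArgumentException('not valid UTF-8');
    // Binary content shows up as control bytes other than tab, CR and LF.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $data)) {
        throw new InvalidArgumentException('control characters found');
    }
    $lines = preg_split('/\r\n|\n|\r/', rtrim($data, "\r\n"));
    if (count($lines) > MAX_ROWS) throw new InvalidArgumentException('too many rows');
    $rows = [];
    foreach ($lines as $i => $line) {
        $n = $i + 1;
        $fields = explode("\t", $line);
        if (count($fields) !== 3) throw new InvalidArgumentException("line $n: expected 3 columns");
        [$sku, $name, $price] = array_map('trim', $fields);
        if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/D', $sku)) throw new InvalidArgumentException("line $n: bad SKU");
        if ($name === '' || mb_strlen($name) > 200) throw new InvalidArgumentException("line $n: bad name");
        if (!preg_match('/^\d{1,7}(\.\d{2})?$/D', $price)) throw new InvalidArgumentException("line $n: bad price");
        $rows[] = ['sku' => $sku, 'name' => $name, 'price' => $price];
    }
    return $rows;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: two valid rows, then a file whose price column is malformed.
    var_dump(parseProducts("AB-100\tBlue mug\t4.50\nAB-101\tRed mug\t5.00\n"));
    try {
        parseProducts("AB-102\tGreen mug\tfree\n");
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
} else {
    $f = $_FILES['ufile'] ?? null;
    if (!$f || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])
        || filesize($f['tmp_name']) > MAX_BYTES) {
        exit('Error: upload failed or file too large.');
    }
    try {
        $products = parseProducts(file_get_contents($f['tmp_name']));
        // Next step (not shown): insert $products using prepared statements.
    } catch (InvalidArgumentException $e) {
        exit('Error: invalid file, ' . $e->getMessage());
    }
}
```

The upload is only ever read from its temporary path and never moved into the web root, so it is handled as data throughout; the name field is free text and still needs `htmlspecialchars()` when it is later rendered.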