Posted January 24, 2013 by Hunter in PHP Programming
 
 

File Restrictions in a PHP Upload


You have a funny-picture website.  People can upload their funny pictures for review, and if you judge one worthy, it is displayed on the page.

But you don’t want to waste your time sifting through unrelated file types – .doc, .exe, .zip, .dmg – to separate the pictures from the undesirables.  And you also don’t want some joker to upload a 10 gig photo.  What can stand in the gap to serve as gatekeeper, letting in only the worthy, and leaving the 50 gig Excel file to linger outside the walls of your server?

How about a PHP script?  You’ll need one anyway to handle the uploading of the files, which we learned about in Victor’s tutorial on it here.  What I’m going to show you today is how to limit file type and file size for the uploaded file.

The HTML is essentially the same here as in Victor’s tutorial, so I won’t show that.  The PHP is where the action’s at:


<?php

  // This function is called if there is an error, and kills the script
  function died($error) {
    echo "Not working, dude.  See below.<br/><br/>";
    // Escape the message, since it can contain the user-supplied file name
    echo htmlspecialchars($error);
    die();
  }

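  // Checks that file1 is either a .tiff or a .gif, and that it is less than 10240 bytes.
  // The extra parentheses matter: && binds tighter than ||, so without them
  // the size limit would apply only to .gif files.
  if ((($_FILES["file1"]["type"] == "image/tiff")
  || ($_FILES["file1"]["type"] == "image/gif"))
  && ($_FILES["file1"]["size"] < 10240))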
  {
    // Checks if a file of the same name already exists in the destination
    // folder, and if so, displays an error and calls the died function
    if (file_exists("upload/" . $_FILES["file1"]["name"]))
    {
      // Plain assignment: $error_message has not been defined before this point
      $error_message = $_FILES["file1"]["name"] . " already exists. ";
      died($error_message);
    }

    else
    {
      move_uploaded_file($_FILES["file1"]["tmp_name"],
      "upload/" . $_FILES["file1"]["name"]);
    }
  }

  else
  {
    died("Invalid file type or size.");
  }

  // Upon success, redirect to this html page and stop the script
  header('Location: submited.html');
  exit;

?>

You’ll want a lot more in your script than this, for sure, but for the sake of highlighting the topic, I’ve stripped the script.  You’ll see that the syntax is almost intuitive; you check for equality of

$_FILES["filename"]["type"]

with the file type you want.  For size, check

$_FILES["filename"]["size"]

against the minimum or range you want, in bytes.

And that’s all it takes to restrict file type and size.  Just put your move_uploaded_file inside of an if conditional, with the conditions being that the file meets the type and size requirements.

Now, how does the script check the file type and size, if certain types and sizes prevent the file’s uploading?  Obviously, the file IS uploaded, but until you call move_uploaded_file, the file has no home, so once the script dies the file is lost.  What this script really does is prevent unwanted file types or sizes from being saved to your server.
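The "type" entry in $_FILES is the value the browser sent along with the request, so it only tells you what the client claims.  The following is an added example, not code from the original post: it detects the type from the uploaded bytes with PHP's fileinfo extension (assumed to be enabled) and saves the file under a server-generated name.  The function names checked_extension and store_upload and the demo input are made up for illustration.

```php
<?php
const MAX_BYTES = 10240; // same limit as the script above

// Returns the extension to save under, or throws if the upload is rejected.
function checked_extension(array $file): string
{
    // Allow-list: MIME type detected from the bytes => extension we assign.
    $allowed = ['image/gif' => 'gif', 'image/tiff' => 'tiff'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    // Measure the temp file itself rather than relying on the reported size.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size >= MAX_BYTES) {
        throw new RuntimeException('Invalid file size.');
    }
    // $file['type'] is whatever the browser sent; inspect the content instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset($allowed[$mime])) {
        throw new RuntimeException('Invalid file type.');
    }
    return $allowed[$mime];
}

// Saves the upload under a server-generated name and returns the path.
function store_upload(array $file, string $dir = 'upload'): string
{
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . checked_extension($file);
    // move_uploaded_file() only moves files that arrived via HTTP POST.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not save the file.');
    }
    return $dest;
}

// Constructed demo (command line only): a text file that claims to be a GIF.
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, "not really a picture\n");
    $claimed = ['name' => 'funny.gif', 'type' => 'image/gif',
                'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK, 'size' => 21];
    try {
        echo checked_extension($claimed), "\n";
    } catch (RuntimeException $e) {
        echo 'Rejected: ', $e->getMessage(), "\n";
    }
    unlink($tmp);
}
```

In the upload handler itself, call store_upload($_FILES["file1"]) and pass the exception message to your error routine on failure.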

The image/gif, image/tiff, or audio/wav way of writing file types is called the MIME type.  MIME stands for Multipurpose Internet Mail Extensions.  An exhaustively comprehensive list of MIME types can be found here, but below I’ve listed the more common ones.

MIME type Extension
application/octet-stream .bin
application/x-msdownload .exe
application/pdf .pdf
application/vnd.openxmlformats-officedocument.wordprocessingml.document .docx
application/msword .doc
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet .xlsx
image/bmp .bmp
image/gif .gif
image/jpeg .jpeg, .jpg
image/tiff .tiff
audio/x-wav .wav
audio/x-ms-wma .wma
audio/mp4 .mp4a
audio/ogg .ogg
text/plain .txt
video/ogg .ogv
video/mp4 .mp4
video/mpeg .mpeg
video/x-msvideo .avi

You should always be wary of allowing people to upload to your server, since a person’s malice is sometimes amplified by the anonymity offered by the Web.  Be sure to read up on PHP security before you put an upload button on your site.  An introduction can be found here.


Hunter