File Restrictions in a PHP Upload

You have a funny-picture website. People can upload their funny pictures for review, and if you judge one worthy, it is displayed on the page.
But you don’t want to waste your time sifting through unrelated file types – .doc, .exe, .zip, .dmg – to separate the pictures from the undesirables. And you also don’t want some joker to upload a 10 gig photo. What can stand in the gap to serve as gatekeeper, letting in only the worthy and leaving the 50 gig Excel file to linger outside the walls of your server?
How about a PHP script? You’ll need one anyway to handle the uploading of the files, which we learned about in Victor’s tutorial on it here. What I’m going to show you today is how to limit the file type and file size of the uploaded file.
The HTML is essentially the same here as in Victor’s tutorial, so I won’t show that. The PHP is where the action’s at:
<?php
// This function is called if there is an error, and kills the script
function died($error) {
    echo "Not working, dude. See below.<br/><br/>";
    echo $error;
    die();
}

$error_message = "";

// Checks that the type of file1 is either image/tiff or image/gif AND that it
// is less than 10240 bytes. The inner parentheses matter: && binds tighter
// than ||, so without them a TIFF of any size would pass the check.
if ((($_FILES["file1"]["type"] == "image/tiff") || ($_FILES["file1"]["type"] == "image/gif"))
    && ($_FILES["file1"]["size"] < 10240)) {
    // Checks if a file of the same name already exists in the destination
    // folder, and if so, displays an error and calls the died function
    if (file_exists("upload/" . $_FILES["file1"]["name"])) {
        $error_message .= $_FILES["file1"]["name"] . " already exists. ";
        died($error_message);
    } else {
        move_uploaded_file($_FILES["file1"]["tmp_name"], "upload/" . $_FILES["file1"]["name"]);
    }
} else {
    died("Invalid file type or size.");
}

// Upon success, redirect to this html page
header('Location: submited.html');
?>
You’ll want a lot more in your script than this, for sure, but for the sake of highlighting the topic, I’ve stripped the script down. You’ll see that the syntax is almost intuitive; you check for equality of
$_FILES["filename"]["type"]
with the file type you want. For size, check
$_FILES["filename"]["size"]
against the limit or range you want, in bytes.
And that’s all it takes to restrict file type and size. Just put your move_uploaded_file inside an if conditional, with the conditions being that the file meets the type and size requirements.
Now, how does the script check the file type and size, if certain types and sizes prevent the file’s uploading? The file IS uploaded, but only to a temporary location; until you call move_uploaded_file, the file has no permanent home, so once the script dies the temporary file is discarded. What this script really does is prevent unwanted file types or sizes from being saved to your server.
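One caveat worth showing: $_FILES["file1"]["type"] and ["size"] are reported by the browser, so the script above is really checking what the client claims the file is. The version below is an added example, not the tutorial’s own code, that keeps the same gatekeeper logic but sniffs the type from the uploaded bytes with PHP’s finfo, measures the temp file itself, and stores the file under a server-chosen name. It assumes the same form field name "file1" and a writable "upload/" directory.

```php
<?php
// Added example: same TIFF/GIF-under-10240-bytes gate as the tutorial, but
// every check is made against the temp file, not the browser-supplied fields.
const MAX_BYTES = 10240;
// Detected MIME type => extension the saved file will get.
const ALLOWED = ['image/gif' => 'gif', 'image/tiff' => 'tif'];

function died($error) {
    echo "Not working, dude. See below.<br/><br/>";
    echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
    die();
}

// Returns the extension to use, or throws with a reason the file was refused.
function checkUpload(array $file, int $maxBytes, array $allowed): string {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'unknown'));
    }
    // Only a file that arrived via HTTP POST in this request is accepted.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // Measure the temp file rather than trusting $file['size'].
    if (filesize($file['tmp_name']) >= $maxBytes) {
        throw new RuntimeException('File too large.');
    }
    // Read the real type from the file contents (libmagic), not from $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Invalid file type: ' . $mime);
    }
    return $allowed[$mime];
}

try {
    $ext = checkUpload($_FILES['file1'], MAX_BYTES, ALLOWED);
} catch (RuntimeException $e) {
    died($e->getMessage());
}

// Random server-chosen name: the client's filename never touches the filesystem,
// so the "already exists" check from the tutorial is no longer needed.
$dest = 'upload/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($_FILES['file1']['tmp_name'], $dest)) {
    died('Could not save the file.');
}
header('Location: submited.html');
```

Because the extension comes from the detected type rather than the original filename, a renamed .exe or .php is refused before it is ever written into upload/.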
The image/gif, image/tiff or audio/wav syntax of writing file types is called the MIME type. It stands for Multipurpose Internet Mail Extensions. An exhaustively comprehensive list of MIME types can be found here, but below I’ve listed the more common ones.
| MIME type | Extension |
| --- | --- |
| application/octet-stream | .bin |
| application/x-msdownload | .exe |
| application/pdf | .pdf |
| application/vnd.openxmlformats-officedocument.wordprocessingml.document | .docx |
| application/msword | .doc |
| application/vnd.openxmlformats-officedocument.spreadsheetml.sheet | .xlsx |
| image/bmp | .bmp |
| image/gif | .gif |
| image/jpeg | .jpeg, .jpg |
| image/tiff | .tif, .tiff |
| audio/x-wav | .wav |
| audio/x-ms-wma | .wma |
| audio/mp4 | .mp4a |
| audio/ogg | .ogg |
| text/plain | .txt |
| video/ogg | .ogv |
| video/mp4 | .mp4 |
| video/mpeg | .mpeg |
| video/x-msvideo | .avi |
You should always be wary of allowing people to upload to your server, since a person’s malice is sometimes amplified by the anonymity offered by the Web. Be sure to read up on PHP security before you put an upload button on your site. An introduction can be found here.