How to:? Checking file extensions on an uploaded file????
04-06-2008, 08:48 PM
|
How to:? Checking file extensions on an uploaded file????
|
Posts: 730
Name: John
Location: United States of America, California
|
How do I restrict the file extensions allowed in an upload with php by pulling apart a file name?
|
|
|
|
04-06-2008, 09:32 PM
|
Re: How to:? Checking file extensions on an uploaded file????
|
Posts: 3,987
Name: Abel Mohler
Location: Asheville, North Carolina USA
|
I use the substr() function to do this. http://us3.php.net/substr The point is to check the extension, and then do not move the file from its temporary location to its new location if the substring at the end of the filename doesn't match the one you are looking for. The filename will be located in the $_FILES array.
Last edited by wayfarer07; 04-06-2008 at 09:37 PM..
|
|
|
|
04-07-2008, 01:54 AM
|
Re: How to:? Checking file extensions on an uploaded file????
|
Posts: 1,226
Name: Mike
Location: Mataro, Spain
|
preg_match() ?
|
|
|
|
04-07-2008, 10:41 AM
|
Re: How to:? Checking file extensions on an uploaded file????
|
Posts: 6,521
Name: Dan
Location: Swindon
|
do a google.
These questions can be easily answered by google :P
you can find a prebuilt function.
observe:
http://www.google.com/search?q=php+h...e7&rlz=1I7ADBF
look at the first result...
|
|
|
|
04-07-2008, 10:48 AM
|
Re: How to:? Checking file extensions on an uploaded file????
|
Posts: 48
|
Checking the extension for restricting upload files is COMPLETELY Wrong (the file may not even have an extension). The $_FILES array that you get after a file is uploaded includes the file type in string format (e.g. $_FILES['userfile']['type'] returns 'image/jpeg' for a jpeg image); you have to use that to restrict the allowed file types.
Just create an array with the allowed file types, then check whether the type being uploaded is among that array's values, and then have the script decide to accept the upload or give an error.
Last edited by ClaFanN1; 04-07-2008 at 10:51 AM..
|
|
|
|
04-07-2008, 12:05 PM
|
Re: How to:? Checking file extensions on an uploaded file????
|
Posts: 6,521
Name: Dan
Location: Swindon
|
It doesn't particularly make a difference.
Unless you can prove otherwise I don't see any difference, except using the file extension is an easier method.
Dan
|
|
|
|
04-07-2008, 02:10 PM
|
Re: How to:? Checking file extensions on an uploaded file????
|
Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
|
Quote:
|
It doesn't particularly make a difference.
|
No, effectively not in the majority of cases.
But, because there is always a "but", it can, if someone is aware of a specific bug on the server (for example, in the libjpeg library, which is used by gd to read/write jpeg files) and exploits it.
A buffer overflow or a DoS attack using such bugs is not that rare. So even if it's not a big difference for the script you work on, it could be, depending on the server it runs on.
And this is a good enough reason to do it right first, in my opinion.
__________________
Only a biker knows why a dog sticks his head out the window.
|
|
|
|
04-08-2008, 01:06 AM
|
Re: How to:? Checking file extensions on an uploaded file????
|
Posts: 1,226
Name: Mike
Location: Mataro, Spain
|
In fact, the mime-type of the uploaded file is defined by the browser based on the file extension, so relying on the mime type is absolutely the same as relying on the file extension. The most reliable way to check the file type is either calling some command-line utility that should handle files of that type or (which is limited only to image files) calling getimagesize(), which will tell you the file type according to its header, not extension or whatever.
|
|
|
|
04-08-2008, 04:02 AM
|
Re: How to:? Checking file extensions on an uploaded file????
|
Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
|
Quote:
|
In fact, the mime-type of the uploaded file is defined by the browser based on the file extension
|
Not quite so....
If the server is linux/unix based, it's the server that determines it, using what's called the "magic file".
This magic file is a list of rules about how to determine the mime-type of files, based on their content.
http://linux-command.5w.cz/manual/file
Quote:
The magic number tests are used to check for files with data in particular fixed formats. These files have a ‘magic number’ stored in a particular place near the beginning of the file that tells the UNIX operating system that the file is a binary executable, and which of several types thereof. The concept of ‘magic number’ has been applied by extension to data files. Any file with some invariant identifier at a small fixed offset into the file can usually be described in this way. The information identifying these files is read from /etc/magic and the compiled magic file /usr/share/file/magic.mgc, or /usr/share/file/magic if the compile file does not exist. In addition file will look in $HOME/.magic.mgc, or $HOME/.magic for magic entries.
|
If you upload an mp3 file with its extension changed to .zip, the server will still be able to identify it as mp3.
If you use linux as your primary OS, you can see it in most file managers, as they will be able to put a specific icon on files even without extensions.
I believe that's the same process that Macs are using.
If you have access to a linux command line, you can see it for yourself by using the command "file {path to the file}".
Code:
tmo@devp4:~$ file Acceptable\ In\ The\ 80\'s.mp3
Acceptable In The 80's.mp3: Audio file with ID3 version 23.0 tag, MP3 encoding
I rename the file with a .txt extension, and check it again:
Code:
tmo@devp4:~$ mv Acceptable\ In\ The\ 80\'s.mp3 Acceptable\ In\ The\ 80\'s.txt
tmo@devp4:~$ file Acceptable\ In\ The\ 80\'s.txt
Acceptable In The 80's.txt: Audio file with ID3 version 23.0 tag, MP3 encoding
Quote:
|
Most reliable way to check the file type is either calling some command-line utility that should handle files of that type
|
There again, there is a PHP extension for that, but it must be installed from the PECL repository: http://www.php.net/manual/en/ref.fileinfo.php
Last edited by tripy; 04-08-2008 at 04:10 AM..
|
|
|
|
04-09-2008, 01:34 AM
|
Re: How to:? Checking file extensions on an uploaded file????
|
Posts: 1,226
Name: Mike
Location: Mataro, Spain
|
I just offer a way which will work independently of whether extensions are installed or not and whether linux is configured correctly or not.
|
|
|
|
04-09-2008, 02:02 AM
|
Re: How to:? Checking file extensions on an uploaded file????
|
Posts: 310
|
Actually mtishetsky is right, PHP doesn't check the mime-type of the uploaded file. It doesn't matter if it is running on a windows based server or a linux based server, the browser sets this value.
See here
Quote:
$_FILES['userfile']['type']
The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.
|
Quote:
|
You could use the $_FILES['userfile']['type'] variable to throw away any files that didn't match a certain type criteria, but use this only as first of a series of checks, because this value is completely under the control of the client and not checked on the PHP side.
|
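Added example, not part of any post in this thread: one way to combine the checks discussed above (an extension allowlist, content sniffing through the fileinfo extension, and getimagesize()), while ignoring the browser-supplied $_FILES[...]['type']. The allowlist, the function names and the two sample files are assumptions constructed for illustration, and it assumes a PHP version with fileinfo and random_bytes() available.

```php
<?php
// Added example (not from the thread). Allowlist and function names are assumptions.
const ALLOWED = [   // extension => MIME type its content must have
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

// $clientName is $_FILES[...]['name'], $path is $_FILES[...]['tmp_name'].
// $_FILES[...]['type'] is deliberately ignored: the browser supplies it.
function checked_extension(string $clientName, string $path): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;                         // no extension, or not listed
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);  // libmagic: inspects content
    if ($finfo->file($path) !== ALLOWED[$ext]) {
        return null;                         // content disagrees with extension
    }
    if (@getimagesize($path) === false) {
        return null;                         // header does not parse as an image
    }
    return $ext;
}

// Handler for one $_FILES entry; stores under a server-generated name.
function store_upload(array $file, string $destDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = checked_extension($file['name'], $file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed samples: a 1x1 GIF and a text file, written to temp files.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "not really an image\n");
var_dump(checked_extension('photo.gif', $gif)); // name and content agree
var_dump(checked_extension('photo.jpg', $txt)); // text posing as JPEG
var_dump(checked_extension('photo.jpg', $gif)); // GIF content, .jpg name
var_dump(checked_extension('notes', $gif));     // no extension
unlink($gif); unlink($txt);
```

Only the first sample call passes all three checks. store_upload() is what a real upload script would call with an entry from $_FILES; the sample calls use checked_extension() directly because is_uploaded_file() only accepts files that arrived through an HTTP POST.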
|
|
|
|
04-09-2008, 03:01 AM
|
Re: How to:? Checking file extensions on an uploaded file????
|
Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
|
I stand corrected.
I never saw those notices that the mime types were coming from the browser.
|
|
|
|
04-09-2008, 05:08 AM
|
Re: How to:? Checking file extensions on an uploaded file????
|
Posts: 6,521
Name: Dan
Location: Swindon
|
Wow, we knew something Tripy didn't. I feel special.
|
|
|
|
04-09-2008, 07:01 AM
|
Re: How to:? Checking file extensions on an uploaded file????
|
Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
|
Quote:
Originally Posted by dansgalaxy
Wow, we knew something Tripy didn't. I feel special.
|
Lol Dan...
I learn every day, and often right here, from people like John (Learning Newbie) [ http://www.webmaster-talk.com/the-da...tml#post574761 ]
You know, working for almost 10 years now in the field brings you a lot of experience about what can be done, and the best way to do it.
Just try to compare yourself today, reading back questions you have asked when you came here for the first time. And I know you have asked a lot, you have surely gained a lot of experience since then.
|
|
|
|
04-09-2008, 09:10 AM
|
Re: How to:? Checking file extensions on an uploaded file????
|
Posts: 6,521
Name: Dan
Location: Swindon
|
Oh god, please don't
I don't want to look, it's embarrassing
Just playing with you 
|
|
|
|
|