PHP File Upload, How to Restrict File Upload Type

php file upload, how to restrict file upload type

The below just uses the mime types to validate a file, then checks the size of both. For a list of most mime types see here or google.

function allowed_file(){

//Add the allowed mime-type files to an 'allowed' array 
 $allowed = array('application/doc', 'application/pdf', 'another/type');

//Check uploaded file type is in the above array (therefore valid)  
    if(in_array($_FILES['resume']['type'], $allowed) AND in_array($_FILES['reference']['type'], $allowed)){

   //If filetypes allowed types are found, continue to check filesize:

  if($_FILES["resume"]["size"] < 400000 AND $_FILES["reference"]["size"] < 400000 ){

    //if both files are below given size limit, allow upload
    //Begin filemove here....

    }

    }

}

How to limit file upload type file size in PHP?

Something that your code doesn't account for is displaying multiple errors. As you have noted above it is possible for the user to upload a file >2MB of the wrong type, but your code can only report one of the issues. Try something like:

if(isset($_FILES['uploaded_file'])) {
    $errors     = array();
    $maxsize    = 2097152;
    $acceptable = array(
        'application/pdf',
        'image/jpeg',
        'image/jpg',
        'image/gif',
        'image/png'
    );

    if(($_FILES['uploaded_file']['size'] >= $maxsize) || ($_FILES["uploaded_file"]["size"] == 0)) {
        $errors[] = 'File too large. File must be less than 2 megabytes.';
    }

    if((!in_array($_FILES['uploaded_file']['type'], $acceptable)) && (!empty($_FILES["uploaded_file"]["type"]))) {
        $errors[] = 'Invalid file type. Only PDF, JPG, GIF and PNG types are accepted.';
    }

    if(count($errors) === 0) {
        move_uploaded_file($_FILES['uploaded_file']['tmpname'], '/store/to/location.file');
    } else {
        foreach($errors as $error) {
            echo '<script>alert("'.$error.'");</script>';
        }

        die(); //Ensure no more processing is done
    }
}

Look into the docs for move_uploaded_file() (it's called move not store) for more.

Restrict .php File upload

class Upload {

private $destinationPath;
private $errorMessage;
private $extensions;
private $allowAll;
private $maxSize;
private $uploadName;
private $seqnence;
private $imageSeq;
public $name = 'Uploader';
public $useTable = false;

function setDir($path) {
    $this->destinationPath = $path;
    $this->allowAll = false;
}

function allowAllFormats() {
    $this->allowAll = true;
}

function setMaxSize($sizeMB) {
    $this->maxSize = $sizeMB * (1024 * 1024);
}

function setExtensions($options) {
    $this->extensions = $options;
}

function setSameFileName() {
    $this->sameFileName = true;
    $this->sameName = true;
}

function getExtension($string) {
    $ext = "";
    try {
        $parts = explode(".", $string);
        $ext = strtolower($parts[count($parts) - 1]);
    } catch (Exception $c) {
        $ext = "";
    }
    return $ext;
}

function setMessage($message) {
    $this->errorMessage = $message;
}

function getMessage() {
    return $this->errorMessage;
}

function getUploadName() {
    return $this->uploadName;
}

function setSequence($seq) {
    $this->imageSeq = $seq;
}

function getRandom() {
    return strtotime(date('Y-m-d H:i:s')) . rand(1111, 9999) . rand(11, 99) . rand(111, 999);
}

function sameName($true) {
    $this->sameName = $true;
}

function uploadFile($fileBrowse) {
    $result = false;
    $size = $_FILES[$fileBrowse]["size"];
    $name = $_FILES[$fileBrowse]["name"];
    $ext = $this->getExtension($name);
    if (!is_dir($this->destinationPath)) {
        $this->setMessage("Destination folder is not a directory ");
    } else if (!is_writable($this->destinationPath)) {
        $this->setMessage("Destination is not writable !");
    } else if (empty($name)) {
        $this->setMessage("File not selected ");
    } else if ($size > $this->maxSize) {
        $this->setMessage("Too large file !");
    } else if ($this->allowAll || (!$this->allowAll && in_array($ext, $this->extensions))) {

        if ($this->sameName == false) {
            $this->uploadName = $this->imageSeq . "-" . substr(md5(rand(1111, 9999)), 0, 8) . $this->getRandom() . rand(1111, 1000) . rand(99, 9999) . "." . $ext;
        } else {
            $this->uploadName = $name;
        }
        if (move_uploaded_file($_FILES[$fileBrowse]["tmp_name"], $this->destinationPath . $this->uploadName)) {
            $result = true;
        } else {
            $this->setMessage("Upload failed , try later !");
        }
    } else {
        $this->setMessage("Invalid file format !");
    }
    return $result;
}

function deleteUploaded() {
    unlink($this->destinationPath . $this->uploadName);
}

}

How to use it : 

function callMe(){
                $uploader   =   new Upload();
                $directory = "NAMEDIR"
                if(!is_dir($directory)){
                    mkdir($directory);
                }
                $uploader->setDir($directory);
                $uploader->setExtensions(array('jpg','jpeg','png','gif'));  //allowed extensions list//
                $uploader->setMaxSize(.5);                          //set max file size to be allowed in MB//
                $uploader->sameName(true);
                if($uploader->uploadFile('file')){   //txtFile is the filebrowse element name //     
                    $image  =   $uploader->getUploadName(); //get uploaded file name, renames on upload//

                    echo json_encode(array("success"=>true,"message"=>"Success Add","image"=>$directory.$image,"image_upload"=>$image));

                }else{//upload failed
                    echo json_encode(array("success"=>false,"message"=>$uploader->getMessage(),"image"=>""));
                }
            }
            callMe();

Limit file format when using input type= file ?

Strictly speaking, the answer is no. A developer cannot prevent a user from uploading files of any type or extension.

But still, the accept attribute of <input type = "file"> can help to provide a filter in the file select dialog box provided by the user's browser/OS. For example,

<!-- (IE 10+, Edge (EdgeHTML), Edge (Chromium), Chrome, Firefox 42+) --> 
<input type="file" accept=".xls,.xlsx" />

How to restrict file types of files uploaded through TYPO3 Tca file upload field?

You need to add the overrideChildTca and filter to your TCA configuration to override the allowed file extensions, like it is described on https://docs.typo3.org/m/typo3/reference-tca/9.5/en-us/ColumnsConfig/Type/Inline.html#file-abstraction-layer

Restrict file upload to just jpegs with php

getimagesize tells you what format the file is in

as per bgy's comment, you should also force the file extension to be what you want:

 $new_file_name=$renamed_file_name.'.'.$ext; // wrong, uses data from the client

 $new_file_name=$renamed_file_name.'.jpg';   // ok, just what we want

never trust and never use filenames provided by the client.


Related Topics

Type Casting for User Defined Objects

Converting a Number Base 10 to Base 62 (A-Za-Z0-9)

What Is the Equivalent of JavaScript's Encodeuricomponent in PHP

PHP Order Array by Date

Configure Multiple Databases in Zf2

How to Auto Call Function in PHP for Every Other Function Call

PHP Can't Connect to MySQL with Error 13 (But Command Line Can)

Codeigniter Transactions

How to Place Two Forms on the Same Page

How to Pull First 100 Characters of a String in PHP

Detect If PHP Session Exists

How to Get Unique Value in Multidimensional Array

How to Use Single Quote Inside an Echo Which Is Using Single Quote

Getting Node's Text in PHP Dom

PHP Recursive Directory Path

Sqlstate[42S22]: Column Not Found: 1054 Unknown Column - Laravel

Subtract Time in PHP

Can Someone Explain the /E Regex Modifier


Leave a reply



Submit