Limiting upload file type

Anon

I have a form which allows users to upload files. From this form, I want to accept all file types, other than PHP files, because of security concerns.

So my question is how can I limit file types using PHP ? I was thinking to do regular expressions and eliminate anything that has ".php", but that's not really reliable, is it ?

Has anyone done this ?

Thanks.

Anon

It's as good as anything else. Depending on how the client system is configured, checking the "_type" attribute of the uploaded file will probably get you something like:

"application/x-unknown-content-type-php_auto_file"

which won't be very helpful to you unless you want to scan for the "php" in it.

When your script processes the uploaded file, the file is placed in a temporary directory by default and your script must copy it to somewhere useful. When you do this, you can name the copied file whatever you want. Just don't name it with a ".php" or ".exe" or anything else dangerous.

-- Rich --

Anon

I am building content management type of applications, so I have to allow users to name the files as they want. But I will take the regular expression and _type approaches for now.

I guess it is much secure to specify the file types we accept, rather than specifying the ones we don't accept.

Thank you very much for your help.