[RESOLVED] Add upload restriction to my code

teamfox20

Can someone show me how to add a restriction to files uploaded to the code below. I only want PDF files to be uploaded.

$uploaddir="upload/";
if(isset($_FILES['AFile']['error'])){ 
   foreach ($_FILES["AFile"]["error"] as $key => $error) { 
      if ($error == UPLOAD_ERR_OK) { 
         $tmp_name = $_FILES["AFile"]["tmp_name"][$key]; 
         $name = md5($MM_Username+time())."*".$_FILES["AFile"]["name"][$key]; 
         move_uploaded_file($tmp_name, $uploaddir. "/" .$name); 
$files  = $name;

NogDog

http://pear.php.net/package/MIME_Type

teamfox20

I dont get that link....can someone show me on my code?

NogDog

It's not a trivial "here's a couple lines of code for you" sort of thing. You could just do a very basic test to see if the file has a ".pdf" suffix*, but a malicious user could upload any type of file and just give it a ".pdf" suffix; so if that is your concern, then such a test is virtually useless. If you install the PEAR package I directed you to, you can then use its methods to determine the MIME type of the file, and verify that it is whatever the appropriate MIME type is for PDF files. This is still not 100% sure to catch all malicious files, but it's a lot better than just looking at the suffix.

But no, I'm not going to spend my time writing the script for you along with instructions on how to install PEAR packages, nor am I going to search the web for you to find out if there are any ready-to-use functions or classes you could use to implement such a check.

trivial test:

if(preg_match('/\.pdf$/i', $_FILES["AFile"]["name"]))
{
   // It has a ".pdf" suffix
}

Bozebo

Yes, you could just check the suffix. But a secure way (or, less insecure way) would be to check the file headers information... PHP cannot do this, so it would require an external library in another language that returns true or false to php, I do not know how to do this.

teamfox20

On the code below, can someone show me how to capture the file names so i can insert them into mysql.

I need to be able to assign file1 and file 2 a value so i can use it on the insert sql statement.

<?
if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
$upload_dir = "upload/"; 
//number of files to upload. 
$num_files = 2; 
//the file size in bytes. 
$size_bytes =2560000; //819200 bytes = 50KB. 
//Extensions you want files uploaded limited to. 
$limitedext = array(".gif",".jpg",".jpeg",".png",".doc",".pdf"); 
//Login name.
$logname = "Danny*";


   //check if the directory exists or not. 
   if (!is_dir("$upload_dir")) { 
      die ("Error: The directory <b>($upload_dir)</b> doesn't exist"); 
   } 
   //check if the directory is writable. 
   if (!is_writeable("$upload_dir")){ 
      die ("Error: The directory <b>($upload_dir)</b> is NOT writable, Please CHMOD (777)"); 
   } 


//if the form has been submitted, then do the upload process 
//infact, if you clicked on (Upload Now!) button. 
if (isset($_POST['upload_form'])){ 

   echo "<h3>Upload results:</h3>"; 

   //do a loop for uploading files based on ($num_files) number of files. 
   for ($i = 1; $i <= $num_files; $i++) { 

       //define variables to hold the values. 
       $new_file = $_FILES['file'.$i]; 
       $file_name = $logname.$new_file['name']; 
       //to remove spaces from file name we have to replace it with "_". 
       $file_name = str_replace(' ', '_', $file_name); 
       $file_tmp = $new_file['tmp_name']; 
       $file_size = $new_file['size']; 

       #-----------------------------------------------------------# 
       # this code will check if the files was selected or not.    # 
       #-----------------------------------------------------------# 

       if (!is_uploaded_file($file_tmp)) { 
          //print error message and file number. 
          echo "File $i: Not selected.<br>"; 
       }else{ 
             #-----------------------------------------------------------# 
             # this code will check file extension                       # 
             #-----------------------------------------------------------# 

             $ext = strrchr($file_name,'.'); 
             if (!in_array(strtolower($ext),$limitedext)) { 
                echo "File $i: ($file_name) Wrong file extension. <br>"; 
             }else{ 
                   #-----------------------------------------------------------# 
                   # this code will check file size is correct                 # 
                   #-----------------------------------------------------------# 

                   if ($file_size > $size_bytes){ 
                       echo "File $i: ($file_name) Faild to upload. File must be <b>". $size_bytes / 1024 ."</b> KB. <br>"; 
                   }else{ 
                         #-----------------------------------------------------------# 
                         # this code check if file is Already EXISTS.                # 
                         #-----------------------------------------------------------# 

                         if(file_exists($upload_dir.$file_name)){ 
                             echo "File $i: ($file_name) already exists.<br>"; 
                         }else{ 
                               #-----------------------------------------------------------# 
                               # this function will upload the files.  :)          # 
                               #-----------------------------------------------------------# 
                               if (move_uploaded_file($file_tmp,$upload_dir.$file_name)) { 
                                   echo "File $i: ($file_name) Uploaded.<br>"; 
                               }else{ 
                                    echo "File $i: Faild to upload.<br>"; 
                               }#end of (move_uploaded_file). 

                         }#end of (file_exists). 

                   }#end of (file_size). 

             }#end of (limitedext). 

       }#end of (!is_uploaded_file). 

   }#end of (for loop). 
}#end if post.
}
	   ?>

<html>
<head>
<title>HTML Form for Multiple File Uploading</title>
</head>
<body>
<form method="post" action="<? $_SERVER[PHP_SELF] ?>" enctype="multipart/form-data">
<? 
$num_files = "2";
for ($i = 1; $i <= $num_files; $i++) { 
echo "File $i: <input type=\"file\" name=\"file". $i ."\"><br>"; 
} 
echo " <input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"$size_bytes\"> 
<input name=\"MM_update\" type=\"hidden\" value=\"form1\">
<input type=\"submit\" name=\"upload_form\" value=\"Upload Now!\"> 
</form>"; 
?>

</body>
</html>

halojoy

teamfox20 wrote:
Can someone show me how to add a restriction to files uploaded to the code below. I only want PDF files to be uploaded.

Those scripts that make a true detection of mimi type is using same technique as Virus software.
They look for some unique characters, code in side a file to see what type it is.
It is a FingerPrint.
These fingerprints are told by definition files, which are updated often.

When it comes to PDF this is the beginning of a typical pdf file
5 first characters only

%PDF-

And here is the line used by a mime type detection script,
in definitions of file types

0	string		%PDF-		application/pdf

0 ....... means start looking at position 0 = the beginning
string ..... means look for a string, not a number
%PDF- ...... is the string to look for, The FingerPrint

application/pdf ...... is the type to return

When we know this,
we can easily try to see what type a file is:

<?php
// PDF check script, by halojoy 2007

$file = 'somefile.pdf';

// string to look for
$pdf_str = '%PDF-';

// open file and read first 5 chars
$fh = fopen($file, 'r');
$file_str = fread($fh, 5);

// compare
if($file_str == $pdf_str)
    echo 'Is PDF, yes';
else
    echo 'Not PDF, no';

?>

How sure can we be this is a PDF?
I guess nothing is 100%.
😉
🙂

Regards, halojoy