File upload Type

devphp12

m upload file.
but i want to make restriction on upload file type

want only doc /text file

m using

<?php $allowed=array('application/msword','text/plain');?>

n chek uploaded filetye by in_array($type,$allowed);
but it not working.

g0dzuki

You could do a string search on the filename being uploaded:

if ((strstr($filename, '.doc')) || (strstr($filename, '.txt'))) {
//uploadable
} else {
exit('Invalid File Type');
}

knowj

checking for the extension isn't a very secure way of doing this because you can rename any file to any extension.

You need to check for the mime type. use print_r($_FILES) and check against the mime types your using.

http://www.w3schools.com/media/media_mimeref.asp

bradgrafelman

On the contrary, checking for the extension is the only reliable way and relying on the MIME-type provided in the $_FILES array is very insecure (it can be faked by the user).

If the file has a .doc or .txt extension, but it was instead a malicious file, at least you can rest assured that it won't be executed properly (e.g. a .exe file).

I would caution you not to do a simply string check as g0dzuki suggested, as this can allow malicious files (e.g. a filename of evil_virus.txt.exe would be allowed) but instead use a function such as [man]pathinfo/man to get the extension. Alternatively, you could use some regexp:

if(preg_match('/\.(txt|doc)$/i', $filename)) {
    // extension is allowed
} else {
    // bad extension
}