Hi everyone,
I just found this good code on the internet to upload only the files that are not in the array, but I just want to be able to upload pdf files, so I need help on how to modify this code to be able to just upload .pdf files.
I also want to replace the file if it already exists on the server, and I want to save the file in a folder named: pdf_files
Can anyone please help me?
This is the Form code:

<form method="POST" enctype="multipart/form-data" action="upl2.php"> 
<input type="file" name="archivo" size="20"> 
<input type="submit" value="Enviar" name="send"> 
<input type="reset" value="Borrar" name="erase"> 
</form> 

And this is the code to upload the files:

$extensiones=array("html","exe","php");
$path="C:"; 
$nombre=$HTTP_POST_FILES['archivo']['name']; 
$tamanio=$HTTP_POST_FILES['archivo']['size']; 
$tipo=$HTTP_POST_FILES['archivo']['type']; 
$var = explode(".","$nombre"); 
$num = count($extensiones); 
$valor = $num-1; 
for($i=0; $i<=$valor; $i++) { 
    if($extensiones[$i] == $var[1]) { 
    echo "Tipo de Archivo no admitido"; 
    exit; 
    } 
} 
if (is_uploaded_file($HTTP_POST_FILES['archivo']['tmp_name'])) 
 { 
  copy($HTTP_POST_FILES['archivo']['tmp_name'], "$path/$nombre"); 
  echo "The file has been uploaded <p>"; 
  echo "Name: $nombre <p>"; 
  echo "Size: $tamanio <p>"; 
  echo "Type: $tipo"; 
 } 
else { echo "Error uploading the file"; }

    1. Don't use $HTTP_POST_FILES; it has been deprecated in favor of the superglobal $_FILES (man page: reserved.variables.files).

    2. Remove the for() loop and any other code relating to the array or its indexes, and simply do a string comparison of the file extension (i.e. using stripos()).

    3. Modify the code such that it's using the last element of the explode()'d file name array or use pathinfo(). Otherwise, "my_fancy_virus.pdf.exe" would be allowed.

    4. You never check to see if any errors occurred during the file upload before attempting to process it. See this manual page to learn more about how PHP indicates successful vs. failed uploads: features.file-upload.errors.

    5. Consider using basename() on the "name" index (I can't recall if PHP attempts to sanitize this at all or if it would allow something like "Windows\System32\my_dangerous_file.exe" to slip through).

    6. Consider using move_uploaded_file() rather than copy(). Either way, also consider checking to see if the function call returns a value that indicates the operation was successful before outputting a message indicating as much.

      Hi bradgrafelman,
      I found this other program on the PHP help. Do you think this one will work much better? But where am I supposed to add the route where I'm going to save the file in the server and how can I tell the program that I only want to upload pdf files?
      This is the form:

      <form action="file-upload.php" method="post" enctype="multipart/form-data">
        Send these files:<br />
        <input name="userfile[]" type="file" /><br />
        <input type="submit" value="Send file" />
      </form>
      

      This is the PHP program

      function reArrayFiles(&$file_post) {
      
       $file_ary = array();
       $file_count = count($file_post['name']);
       $file_keys = array_keys($file_post);
      
       for ($i=0; $i<$file_count; $i++) {
           foreach ($file_keys as $key) {
               $file_ary[$i][$key] = $file_post[$key][$i];
           }
       }
      
       return $file_ary;
       }
      
      // The key must match the form field name="userfile[]".
      if (isset($_FILES['userfile'])) {
           $file_ary = reArrayFiles($_FILES['userfile']);
      
       foreach ($file_ary as $file) {
           print 'File Name: ' . $file['name'];
           print 'File Type: ' . $file['type'];
           print 'File Size: ' . $file['size'];
       }
       }
      
      
      bradgrafelman;11040943 wrote:
      1. Don't use $HTTP_POST_FILES; it has been deprecated in favor of the superglobal $_FILES (man page: reserved.variables.files).

      2. Remove the for() loop and any other code relating to the array or its indexes, and simply do a string comparison of the file extension (i.e. using stripos()).

      3. Modify the code such that it's using the last element of the explode()'d file name array or use pathinfo(). Otherwise, "my_fancy_virus.pdf.exe" would be allowed.

      4. You never check to see if any errors occurred during the file upload before attempting to process it. See this manual page to learn more about how PHP indicates successful vs. failed uploads: features.file-upload.errors.

      5. Consider using basename() on the "name" index (I can't recall if PHP attempts to sanitize this at all or if it would allow something like "Windows\System32\my_dangerous_file.exe" to slip through).

      6. Consider using move_uploaded_file() rather than copy(). Either way, also consider checking to see if the function call returns a value that indicates the operation was successful before outputting a message indicating as much.

        phprooky;11040947 wrote:

        But where am I supposed to add the route where I'm going to save the file in the server and how can I tell the program that I only want to upload pdf files?

        The "where" would be "in the appropriate section of the code", and the "how" would be "writing the appropriate code."

        If you're here to expand your programming knowledge, then show us what you tried and we'll try to help you understand where you went wrong and what you should have done instead.

        If you're here to look for a free hand-out and get someone else to do the work for you... well, I'll simply move along and let others waste their time if they so desire.

          I just wanted some help with both. Someone who can help me create the code and explain to me at the same time how that works.

          bradgrafelman;11040949 wrote:

          The "where" would be "in the appropriate section of the code", and the "how" would be "writing the appropriate code."

          If you're here to expand your programming knowledge, then show us what you tried and we'll try to help you understand where you went wrong and what you should have done instead.

          If you're here to look for a free hand-out and get someone else to do the work for you... well, I'll simply move along and let others waste their time if they so desire.

            phprooky;11040951 wrote:

            I just wanted some help with both. Someone who can help me create the code and explain to me at the same time how that works.

            http://deadlysinx.net/FREE/UPLOAD/

            That's a link to an IMAGE upload script I wrote years ago. The process is essentially the same - just some minor code tweaks that would need to be handled. It's really just a base skeleton to get a person started along the right path. Play with the code, uncomment the print_r($_FILES); line and see what it does. Then - and you'll hear this a lot - read an article or even the manual on uploading files. Scope out a tutorial or two. Before you implement the code in a live project keep in mind that you're dealing with user input and EVERYTHING should be error checked to maintain the integrity of your site. Good luck and have fun!

              Hi DeadlySin3 and thanks for your reply,
              This Forum used to be a very friendly place to learn, but it seems like it is not anymore. I have learned a lot of coding in PHP in this place and I already had a code to upload pdf files, but it looks to be not too safe to use it in a webpage, but I don't know. What do you think about this code that I have?

              $targetfolder = "pdf_files/";
              $targetfolder = $targetfolder . basename($_FILES['file']['name']);
              $ok = 1;
              $file_type = $_FILES['file']['type'];

              if ($file_type == "application/pdf") {
                  if (move_uploaded_file($_FILES['file']['tmp_name'], $targetfolder)) {
                      echo "The file " . basename($_FILES['file']['name']) . " is uploaded";
                  } else {
                      echo "Problem uploading file";
                  }
              } else {
                  echo "You may only upload PDFs files.<br>";
              }
              
              DeadlySin3;11040977 wrote:

              http://deadlysinx.net/FREE/UPLOAD/

              That's a link to an IMAGE upload script I wrote years ago. The process is essentially the same - just some minor code tweaks that would need to be handled. It's really just a base skeleton to get a person started along the right path. Play with the code, uncomment the print_r($_FILES); line and see what it does. Then - and you'll hear this a lot - read an article or even the manual on uploading files. Scope out a tutorial or two. Before you implement the code in a live project keep in mind that you're dealing with user input and EVERYTHING should be error checked to maintain the integrity of your site. Good luck and have fun!

                phprooky;11040991 wrote:

                Hi DeadlySin3 and thanks for your reply,
                This Forum used to be a very friendly place to learn, but it seems like it is not anymore. I have learned a lot of coding in PHP in this place and I already had a code to upload pdf files, but it looks to be not too safe to use it in a webpage, but I don't know. What do you think about this code that I have?

                $targetfolder = "pdf_files/";
                $targetfolder = $targetfolder . basename($_FILES['file']['name']);
                $ok = 1;
                $file_type = $_FILES['file']['type'];

                if ($file_type == "application/pdf") {
                    if (move_uploaded_file($_FILES['file']['tmp_name'], $targetfolder)) {
                        echo "The file " . basename($_FILES['file']['name']) . " is uploaded";
                    } else {
                        echo "Problem uploading file";
                    }
                } else {
                    echo "You may only upload PDFs files.<br>";
                }
                

                Well what I see looks clean but that bit doesn't show how you're processing the actual upload - as long as you're comfortable using it that's all that matters!

                  I just thought that this program was too easy for hackers to break and I wanted something more complicated like the one you sent me.

                  This is my form:

                  <b>Program to upload only (pdf) Files </b><br />
                  
                  Choose a file to be uploaded<br />
                  
                  <form action="upload_file.php" method="post" enctype="multipart/form-data">
                  
                  <input type="file" name="file" size="50" />
                  <input type="submit" value="Upload" />
                  
                  </form>
                  

                  This is the PHP code:

                  $targetfolder = "download/";
                  $targetfolder = $targetfolder . basename($_FILES['file']['name']);
                  $ok = 1;
                  $file_type = $_FILES['file']['type'];

                  if ($file_type == "application/pdf") {
                      if (move_uploaded_file($_FILES['file']['tmp_name'], $targetfolder)) {
                          echo "The file " . basename($_FILES['file']['name']) . " is uploaded";
                      } else {
                          echo "Problem uploading file";
                      }
                  } else {
                      echo "You may only upload PDFs files.<br>";
                  }
                   
                  DeadlySin3;11041001 wrote:

                  Well what I see looks clean but that bit doesn't show how you're processing the actual upload - as long as you're comfortable using it that's all that matters!

                    You can use finfo_file() to get information about the type of a file (e.g. "application/pdf"). Basically it would check that the first line is %PDF-1.n, where n varies depending on which version of PDF the document is using.

                    Another check that can be made is that the last line of a properly-formatted PDF file is %%EOF, and the line before that gives the number of bytes in the body of the document (so it should be a little less than the size of the entire file). Checking those would be a matter of reading the file line-by-line, keeping the last two lines, and checking those two lines' contents.
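
The six-point checklist earlier in the thread and the content checks in the reply just above, combined into one upload handler. This is an added example, not code from any poster here; it assumes the form field `file` and the folder `pdf_files` mentioned above, and the 5 MB limit and function names are illustrative.

```php
<?php
// Added example, not code from the thread. Field name 'file' and folder
// 'pdf_files' follow the posts above; the 5 MB limit is an assumption.
const MAX_PDF_BYTES = 5 * 1024 * 1024;
// Content checks: detected type, %PDF- header, %%EOF after a numeric line.
function looks_like_pdf(string $path): bool
{
    $size = filesize($path);
    if ($size === false || $size > MAX_PDF_BYTES) {
        return false;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    $data = file_get_contents($path);
    if ($mime !== 'application/pdf' || $data === false || strncmp($data, '%PDF-', 5) !== 0) {
        return false;
    }
    // The numeric line before %%EOF is the startxref offset; it must fit in the file.
    $lines = preg_split('/\r\n|\r|\n/', rtrim(substr($data, -1024)));
    $offset = trim($lines[count($lines) - 2] ?? '');
    return end($lines) === '%%EOF' && ctype_digit($offset) && (int) $offset < $size;
}

function store_pdf_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed; check the error code in $_FILES');
    }
    // Keep the last path component (both separator styles), test the final extension.
    $name = basename(str_replace('\\', '/', $file['name']));
    if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'pdf') {
        throw new RuntimeException('Only .pdf files are accepted');
    }
    // $file['type'] comes from the browser and is ignored; inspect the bytes.
    if (!is_uploaded_file($file['tmp_name']) || !looks_like_pdf($file['tmp_name'])) {
        throw new RuntimeException('File content is not a PDF');
    }
    // move_uploaded_file() replaces an existing file with the same name.
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the uploaded file');
    }
    return $target;
}
if (isset($_FILES['file'])) {
    try {
        echo htmlspecialchars(store_pdf_upload($_FILES['file'], __DIR__ . '/pdf_files'));
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage());
    }
}
```

Passing these checks shows only that the file has the outer shape of a PDF; serving the `pdf_files` folder with script execution disabled keeps a mislabelled upload from being run by the web server.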

                      Hi and thanks again for replying,
                      I started playing with the one you made to see if I can make it work the way I want to, but in the PHP file named vars.php, where you define the variables, you have the following:

                      $maxImageSize = "512000";

                      to set the highest size of the image to be uploaded, then what command do I need for a pdf file? Do I have to use

                      $maxApplicationSize

                      or is there a specific one for a .pdf file?

                      Also, why do you have these 2 roots in the same program:

                      $file_dir = "/home/paul/public_html/FREE/upload/images";
                      $file_url = "http://localhost/~paul/FREE/upload/images";
                      

                      And if I want to tell the program the type of file accepted the way you are doing it with the image here

                      $acceptedImageType[] = "x-bmp";

                      Is there also a specific one for .pdf files?

                      Weedpacket;11041011 wrote:

                      You can use finfo_file() to get information about the type of a file (e.g. "application/pdf"). Basically it would check that the first line is %PDF-1.n, where n varies depending on which version of PDF the document is using.

                      Another check that can be made is that the last line of a properly-formatted PDF file is %%EOF, and the line before that gives the number of bytes in the body of the document (so it should be a little less than the size of the entire file). Checking those would be a matter of reading the file line-by-line, keeping the last two lines, and checking those two lines' contents.
