Limit upload file types (I've searched)
jeking
07-05-2007, 02:51 PM
I've spent the last few hours trying to figure this out. I've got a working upload script. I just need to add a step to allow only graphic files. I've read the best way is using getimagesize and I've tried many of the suggestions from many posts and other sites but I just can't get it to work.
I'm looking for it to check for gif, jpg, psd, tif, etc. If yes, keep on going. If no, spit out a short error message to the user.
Can someone help me out?
TJ111
07-05-2007, 03:12 PM
Try something like this:
if (($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/pjpeg")
&& ($_FILES["file"]["size"] < 20000))
OR use javascript indexOf() method.
jeking
07-05-2007, 03:34 PM
The problem could very likely be my coding skills (or lack of them). What's the proper way to use that so it will echo an error message or just keep processing the script?
edit: Hang on, I think I got it figured out.
TJ111
07-05-2007, 03:38 PM
if (!($_FILES['userfile']['error'] > 0))
{
//file Upload & Verification
}
else
{
echo $_FILES['userfile']['error'];
}
jeking
07-05-2007, 03:45 PM
Well, now it disallows all files. Here is the script. I'm sure it's something stupid, maybe you can pick it out quickly.
<?php
// Your file name you are uploading
$file_name = $HTTP_POST_FILES['ufile']['name'];
//Order number
$order_id=$_POST['orderid'];
//Check for allowed file types and size
if (($_FILES["file"]["type"] == "image/gif") || ($_FILES["file"]["type"] == "image/pjpeg") && ($_FILES["file"]["size"] < 500000)) {
//combine order number to your file name to create new file name
//use dot (.) to combine these two variables
$new_file_name=$order_id.'-'.$file_name;
//set where you want to store files
//in this example we keep file in folder upload
//$new_file_name = new upload file name
//for example upload file name cartoon.gif . $path will be upload/cartoon.gif
$path= "upload/".$new_file_name;
if($ufile !=none)
{
if(copy($HTTP_POST_FILES['ufile']['tmp_name'], $path))
{
echo "Successful<BR/>";
//$new_file_name = new file name
//$HTTP_POST_FILES['ufile']['size'] = file size
//$HTTP_POST_FILES['ufile']['type'] = type of file
echo "File Name :".$new_file_name."<BR/>";
echo "File Size :".$HTTP_POST_FILES['ufile']['size']."<BR/>";
echo "File Type :".$HTTP_POST_FILES['ufile']['type']."<BR/>";
//send email to notify of file upload
$to = "sales@customcreationsunlimited.com";
$subject = "File upload";
$body = "File uploaded: ".$new_file_name;
if (mail($to, $subject, $body)) {
echo("<p>Message successfully sent!</p>");
} else {
echo("<p>Message delivery failed...</p>");
}
}
else
{
echo "Error";
}
}
}
else { echo("<p>Invalid file type...</p>");}
?>
TJ111
07-05-2007, 04:04 PM
First of all you can use the $_FILES global instead of $HTTP_POST_FILES.
The problem is your naming. You have to change the indexes to match your specific information. Try changing the following:
$file_name = $_FILES['ufile']['name'];
if (($_FILES["ufile"]["type"] == "image/gif") || ($_FILES["ufile"]["type"] == "image/pjpeg") && ($_FILES["ufile"]["size"] < 500000)) {
Then do a replace on all $HTTP_POST_FILES with $_FILES. Or I suppose you could leave $HTTP_POST_FILES and change $_FILES in the "if" statement.
jeking
07-05-2007, 04:14 PM
To keep it simple, I replaced $_FILES with $HTTP_POST_FILES but I'm still getting all files disallowed. I checked the code for missing/extra { or } and didn't find any.
You can see the script at http://ccui.net/upload_rename.php
TJ111
07-05-2007, 04:28 PM
You can't view PHP script on a page in the source (unless you use the show_source() function).
Add this to the top of your script:
error_reporting(E_ALL);
Did you change the indexes in the "if" statement from ['file'] to ['ufile']?
To make it easier when trying to find errors I'd recommend you do something like this:
$fileName = $HTTP_POST_FILES['ufile']['name'];
$tmpName = $HTTP_POST_FILES['ufile']['tmp_name'];
$fileSize = $HTTP_POST_FILES['ufile']['size'];
$fileType = $HTTP_POST_FILES['ufile']['type'];
if (($fileType == "image/gif") || ($fileType == "image/pjpeg") && ($fileSize < 500000))
bluestars
07-05-2007, 04:29 PM
http://us2.php.net/features.file-upload
That says you need to set the max_file_size form element first. I don't know if that's the problem, but it's worth a try.
jeking
07-05-2007, 04:39 PM
I forgot you couldn't see the php source, of course not. I didn't catch the change from ['file'] to ['ufile'], now it's working. I had to add image/jpg to the list as it wouldn't upload a jpg I had. After the change it does.
This is actually testing the file type, not the file extension, correct? So even if I renamed a .jpg to .txt, it would still upload?
If I add image/tif do I need to add image/tiff too? Is there a list of proper extensions to use if I add more allowable file types later?
TJ111
07-05-2007, 04:42 PM
If you check his page he doesn't use a max_file_size element. Technically you should use it, but I don't think it would prevent files from uploading.
TJ111
07-05-2007, 04:47 PM
A list of mime-types can be found HERE (http://www.phpfreaks.com/mimetypes.php).
IE tests the actual file contents, while FF and opera just use the extension. There are workarounds for this if you search around I believe. I do all my uploads to a database so I'm not sure how it works for server-based uploads.
jeking
07-05-2007, 04:57 PM
I'm confused about something. In the list you reference, it has image/jpeg jpeg jpg jpe but the code I'm using is image/pjpeg.
And can I use image/tiff tiff tif in the code as is or do I have to list each one separately?
TJ111
07-05-2007, 05:14 PM
To be honest I have no idea about the different kinds of mime types. However if you want to determine the mimetype yourself, instead of relying on the file's extension, read this http://us2.php.net/manual/en/ref.fileinfo.php.
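Added example, not part of any post in this thread: the `type` value in the upload array is whatever the browser sends, so this sketch decides the type on the server with the fileinfo extension linked above and stores the file under a server-generated name. It assumes PHP 7.1+ with fileinfo enabled; the field names `ufile` and `orderid` and the `upload/` folder come from the script in the thread, while the allow-list and the function name `allowed_image_extension` are illustrative.

```php
<?php
// Added example: allow-list keyed by the MIME type fileinfo detects from the
// file's bytes. Extend it only after checking what finfo reports on your server.
const ALLOWED_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/tiff' => 'tif',
];
const MAX_BYTES = 500000; // same limit as the script in the thread

// Returns the extension to store the upload under, or null to reject it.
function allowed_image_extension(string $tmpPath): ?string
{
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size >= MAX_BYTES) {
        return null; // size limit applies to every type
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath); // sniffed from content, not from the client
    if ($mime === false) {
        return null;
    }
    return ALLOWED_TYPES[$mime] ?? null;
}

$upload = $_FILES['ufile'] ?? null;
if ($upload === null
    || $upload['error'] !== UPLOAD_ERR_OK
    || !is_uploaded_file($upload['tmp_name'])) {
    exit('<p>Upload failed...</p>');
}

$ext = allowed_image_extension($upload['tmp_name']);
if ($ext === null) {
    exit('<p>Invalid file type...</p>');
}

// Keep only digits of the order number; never reuse the client's file name
// or extension in the stored path.
$orderId = preg_replace('/\D/', '', $_POST['orderid'] ?? '');
$path = 'upload/' . $orderId . '-' . bin2hex(random_bytes(8)) . '.' . $ext;

if (!move_uploaded_file($upload['tmp_name'], $path)) {
    exit('<p>Error</p>');
}
echo '<p>Stored as ' . htmlspecialchars($path) . '</p>';
```

Because the stored extension comes from the allow-list, a file renamed to or from `.txt` is saved according to what its content actually is, and anything fileinfo does not recognise as a listed type is rejected.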
felgall
07-05-2007, 05:31 PM
Was the intention to allow unlimited file size for GIF and limited file size for Jpeg? If not then you need to surround all the file type tests in () as the && takes precedence over all the || if you don't.
jeking
07-05-2007, 05:36 PM
TJ111
Thanks, I will look at that for future reference.
felgall,
The file size should apply to all, thanks for noticing.
jeking
07-09-2007, 11:00 AM
I can't seem to get psd files to upload. My script reports invalid file type.
I'm using:
if ((($HTTP_POST_FILES ["ufile"]["type"] == "image/gif") || ($HTTP_POST_FILES ["ufile"]["type"] == "image/tif") || ($HTTP_POST_FILES ["ufile"]["type"] == "image/tiff") || ($HTTP_POST_FILES ["ufile"]["type"] == "image/jpeg") || ($HTTP_POST_FILES ["ufile"]["type"] == "image/jpg") || ($HTTP_POST_FILES ["ufile"]["type"] == "image/pjpeg") || ($HTTP_POST_FILES ["ufile"]["type"] == "image/eps") || ($HTTP_POST_FILES ["ufile"]["type"] == "image/bmp") || ($HTTP_POST_FILES ["ufile"]["type"] == "image/x-photoshop")) && ($HTTP_POST_FILES ["ufile"]["size"] < 120000)) {
but have tried
image/photoshop
image/x-photoshop
image/psd
application/photoshop
application/psd
zz-application/zz-winassoc-psd
jeking
07-09-2007, 10:19 PM
Bump.
Any ideas?
temp.user123
07-09-2007, 11:01 PM
Instead of "trying" types, "try" echoing it to find out exactly what MIME type is being sent:
echo 'MIME type = "' . $HTTP_POST_FILES ["ufile"]["type"] . '"<br>' . "\n";
jeking
07-10-2007, 07:58 AM
That did it. It came up as 'application/octet-stream'. I never would have guessed that one.
I appreciate the help!