PHP file upload allowing only specified extensions

I am not sure what I am doing wrong here. My if statements aren't working; it's like it doesn't recognise any file type at all.....


//check if attachment exist

if(!empty($_FILES['file']['name'])){

    function validateInput($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;   
    }

    $file_name = validateInput($_FILES['file']['name']);
    $temp_name = validateInput($_FILES['file']['tmp_name']);
    $file_type = $_FILES['file']['type'];

    //get file extension
    $base = basename($file_name);
    $extension = substr($base, strlen($base)-4, strlen($base));

    //allowed file types
    $allowed_extensions = array(".doc", "docx", ".pdf", ".png");

    //check if uploaded file is allowed
    if(in_array($extension, $allowed_extensions)){

        //email essentials
        //$from = $email_address;
        $to = 'info@something.com';
        $subject = 'Applicant Application - '.$query;
        $message = $html_email;

        //handling the file
        $file = $temp_name;
        $content = chunk_split(base64_encode(file_get_contents($file)));
        $uid = md5(uniqid(time()));

        //standard mail headers
        $headers = "From: ".$forenames." ".$surname."\r\n";
        //$headers = "Reply-To: $to \r\n";
        $headers .= "MIME-Version: 1.0\r\n";

        //declaring that we have multiple kinds of email (i.e. content and attachment)
        $headers .= "Content-Type: multipart/mixed; boundary=\"".$uid."\"\r\n\r\n";
        $headers .= "This is a multi-part message in MIME format.\r\n";

        //plain text or html part
        $headers .= "--".$uid."\r\n";
        $headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
        $headers .= "Content-Transfer-Encoding: 7bit\r\n\r\n";
        $headers .= $message."\r\n\r\n";

        //attachment part
        $headers .= "--".$uid."\r\n";
        $headers .= "Content-type: ".$file_type."; name=\"".$file_name."\"\r\n";
        $headers .= "Content-Transfer-Encoding: base64\r\n";
        $headers .= "Content-Disposition: attachment; filename=\"".$file_name."\"\r\n\r\n";
        $headers .= $content."\r\n\r\n";

        //send the mail(without message, as msg is already in header)
        if(mail($to, $subject, "", $headers)){
            $success = true;
        } else {
            echo "<script>
            alert('Failed to send the message. File type not allowed');
            </script>";
        }


    } else {
        echo "<script>
        alert('Failed to send the message. File type not allowed');
        </script>";
    }

}//attachment check

I would also like to know the best way of limiting file size.

Thanks,

Wale

Answers


The way you are getting the file extension is not good at all. You are subtracting the last 4 characters from the file name, but what about .docx? Do you think it will return as the others? You should use pathinfo to get the file extension.

$extension = pathinfo($filename, PATHINFO_EXTENSION);// will return doc/docx etc. without the leading dot(.).

So change your code like this(hope this should work):

if(isset($_FILES['file']) && $_FILES['file']['size'] > 0){

    function validateInput($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;   
    }

    $file_name = validateInput($_FILES['file']['name']);
    $temp_name = validateInput($_FILES['file']['tmp_name']);
    $file_type = $_FILES['file']['type'];

    //get file extension
    $extension = pathinfo($file_name, PATHINFO_EXTENSION);

    //allowed file types
    $allowed_extensions = array("doc", "docx", "pdf", "png");

    //check if uploaded file is allowed
    if(in_array($extension, $allowed_extensions)){

        ....

    } else {
        echo "<script>
        alert('file format not allowed');
        </script>";
    }

} else {
   echo "<script>
   alert('no file selected');
   </script>";
}

You can split the filename into an array and check the last value of the array with end($arr), then compare it with the extension array using in_array. Hope this might help you.
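Putting the two answers together with the size limit the question also asks about, here is an added example (not code from the question or from either answer) of the validation a defender would want in front of the mail-building code: the pathinfo() extension check, a server-side size cap, and a content sniff so that the browser-chosen $_FILES['file']['type'] is never trusted. The constants MAX_UPLOAD_BYTES and ALLOWED_TYPES and the function name validateUpload are assumptions; the form field name "file" follows the question.

```php
<?php
// Added example, not the asker's or answerers' code. Assumes a form field named "file".
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // 2 MiB, an assumed limit

// Extension => MIME type(s) accepted for it. The MIME check below uses the file's
// content (libmagic), not $_FILES['file']['type'], which the client supplies.
// Older libmagic builds may sniff .docx as application/zip; extend the list if so.
const ALLOWED_TYPES = [
    'doc'  => ['application/msword'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
];

// Returns null when the upload is acceptable, otherwise a short reason string.
function validateUpload(array $file): ?string
{
    // PHP records per-file errors; php.ini and MAX_FILE_SIZE limits show up here.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        return ($err === UPLOAD_ERR_INI_SIZE || $err === UPLOAD_ERR_FORM_SIZE)
            ? 'file too large' : 'no file uploaded or upload failed';
    }
    // Only read the temp file if PHP itself created it for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // Server-side size cap; a hidden MAX_FILE_SIZE form field alone is client-controlled.
    if ($file['size'] > MAX_UPLOAD_BYTES || filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        return 'file too large';
    }
    // pathinfo() gives the text after the last dot, so "docx" is not cut like the
    // substr() approach in the question; lower-case it so "PDF" and "pdf" match alike.
    $extension = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!array_key_exists($extension, ALLOWED_TYPES)) {
        return 'file type not allowed';
    }
    // Sniff the real content and require it to agree with the claimed extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$extension], true)) {
        return 'file content does not match its extension';
    }
    return null;
}

// Usage in the question's flow: only build and send the email when $problem is null.
$problem = isset($_FILES['file']) ? validateUpload($_FILES['file']) : 'no file selected';
if ($problem !== null) {
    echo "<script>alert(" . json_encode('Failed to send the message: ' . $problem) . ");</script>";
}
```

If the email code is kept, also note that $file_name is interpolated into MIME headers, so it should come from basename() of the uploaded name and never contain CR or LF characters.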

