File type validation in PHP safeguards against malicious uploads
We looked at file uploading in the previous article and used the minimum number of steps to accomplish it. This time around, let’s look at some other functionality that may be present in the upload-processing script. If you haven’t done so yet, read my article on the basics of file uploading.
https://blog.devgenius.io/php-p77-basics-of-file-uploading-ba377da3d072
Recap
We have a basic HTML form and a simple process script.
<form action="./upload.php" method="post" enctype="multipart/form-data">
    <div>
        Select file to upload:
    </div>
    <div>
        <input type="file" name="file_name" id="file_name">
    </div>
    <div>
        <input type="submit" name="submit" value="Upload">
    </div>
</form>
<?php
// Destination path: the uploads/ directory plus the file name the browser sent.
// In this minimal recap the name is used as-is, without any validation.
$target_file = "uploads/" . $_FILES["file_name"]["name"];
// Temporary path where PHP stored the upload for the duration of this request.
$temp_file = $_FILES["file_name"]["tmp_name"];
// Move the file from its temporary location to its permanent location.
move_uploaded_file($temp_file, $target_file);
Checking File Types
Never trust the user. Even though you specified that the user should upload an image, will they follow your instructions? The majority of users will, but some won’t, for various reasons. Sometimes it’s just their own inexperience: an image inside a Word document is still an image, right? Sometimes it’s more nefarious: a hacker may want to upload a script that they can trigger. If you’re not limiting what users can upload, they can upload anything.
So let’s check for images in our upload script.
What does the code do?
- Grabs the file name.
- Creates the location where the file will end up and stores it in the target_file variable.
- Grabs the temporary storage location and stores it in the temp_file variable. We’ll need this later to move our file from the temporary location to the new location.
- Sets up an array of allowed extensions. There are numerous ways to do this, but we’re going to take the in_array approach.
- Grabs the file extension. If the user uploads a .jpg, the file extension is jpg.
- If the file extension is not in the array, the application dies.
- If the file extension is in the array, the file gets moved from its temporary location to its permanent location.
- A success message is displayed.
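The steps above describe the script without showing it, so here is an added example that implements them; it is written for this page and is not the article’s own listing. It assumes the form field is named file_name and the destination directory is uploads/, as in the recap, and it accepts only JPG, JPEG, PNG and GIF. Beyond the in_array extension check the article describes, it adds the checks a reviewer would ask for: the extension is taken from a name the client chose, so the file’s bytes are inspected with finfo and getimagesize, and the stored name is generated on the server instead of reusing the uploaded one.

```php
<?php
// Added example of the upload script described above (not the article's code).
// Assumptions: form field "file_name", destination directory "uploads/",
// and only the four image types listed below are allowed.

declare(strict_types=1);

// Step: set up the array of allowed extensions, checked with in_array.
$allowed_extensions = ['jpg', 'jpeg', 'png', 'gif'];

// MIME type expected for each allowed extension, used for the content check.
$allowed_mime_types = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Make sure a file actually arrived and PHP reported no upload error.
if (!isset($_FILES['file_name']) || $_FILES['file_name']['error'] !== UPLOAD_ERR_OK) {
    die('Upload failed.');
}

// Step: grab the file name (client-supplied, so never trusted as-is)
// and the temporary storage location.
$file_name = $_FILES['file_name']['name'];
$temp_file = $_FILES['file_name']['tmp_name'];

// Only operate on a file PHP itself received through this request.
if (!is_uploaded_file($temp_file)) {
    die('Not an uploaded file.');
}

// Step: grab the file extension. "photo.jpg" -> "jpg"; lower-cased so
// "photo.JPG" is treated the same way.
$file_extension = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));

// Step: if the extension is not in the array, the application dies.
if (!in_array($file_extension, $allowed_extensions, true)) {
    die('Only JPG, JPEG, PNG and GIF files are allowed.');
}

// Caveat: the extension came from the client-chosen name, so also inspect
// the bytes. finfo reads the file's magic number; getimagesize parses the
// image header and returns false when it is not a readable image.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$detected_mime = $finfo->file($temp_file);
if ($detected_mime !== $allowed_mime_types[$file_extension]) {
    die('File content does not match its extension.');
}
if (getimagesize($temp_file) === false) {
    die('File is not a valid image.');
}

// Step: create the location where the file will end up. The stored name is
// generated here rather than taken from the upload, so a name containing
// "../" or a second extension never reaches the path.
$target_file = 'uploads/' . bin2hex(random_bytes(16)) . '.' . $file_extension;

// Step: move the file from its temporary location to its permanent location.
if (!move_uploaded_file($temp_file, $target_file)) {
    die('Could not save the file.');
}

// Step: display a success message.
echo 'The file has been uploaded.';
```

The extension check on its own only tells you what the browser called the file; the finfo and getimagesize checks tell you what the file actually is, and the random server-side name keeps the client’s file name out of the filesystem path entirely.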
In the next article, we’ll cover checking if the file already exists and seeing if the file size is appropriate.