PHP – P80: Final Upload Checks

PHP’s upload checks are the last line of defense against malicious content

There are a few more checks that we need to accomplish to solidify our form submission. You can never be too careful, especially when allowing others to upload files to your server. I recommend using a tried and tested PHP package, but we’re learning how stuff works here, so we’ll do a few more tests ourselves.

Previous article in the series, P79 (file size checks): https://blog.devgenius.io/php-p79-file-size-checks-e419bc6483bf

Recap

We have a basic HTML form and a simple process script.

<form action="./upload.php" method="post" enctype="multipart/form-data">
  <div>
    Select Image to upload:
  </div>

  <div>
    <input type="file" name="file_name" id="file_name">
  </div>

  <div>
    <input type="submit" name="submit" value="Upload">
  </div>
</form>

<?php
// upload.php (the form's action target)

$file_name   = $_FILES["file_name"]["name"];
$target_file = "uploads/" . $file_name;
$temp_file   = $_FILES["file_name"]["tmp_name"];

// Check file type
$allowed   = ['jpg', 'png'];
$extension = pathinfo($file_name, PATHINFO_EXTENSION);

if ( ! in_array($extension, $allowed) )
{
    die("The format is not correct. You may only upload: " . implode(", ", $allowed));
}

// Check max file size
$max_size_mb = 0.5;
$max_size_bytes = $max_size_mb * 1024 * 1024;

if ( $_FILES["file_name"]["size"] > $max_size_bytes )
{
    die("The file size is too large. You may only upload up to: " . $max_size_mb . "MB");
}

// All checks passed. Move file to permanent location
move_uploaded_file($temp_file, $target_file);

echo "Your image was successfully uploaded.";

In our file upload script above, the first check that occurs is the file extension check. After it passes, the next check is the file size check. If that passes too, the file is moved from its temporary location to its final location.

Checking the File Name

Imagine that a potential hacker looks at your website and tries to upload an image with the same name as another image on your site. If you’re not checking whether that filename already exists, they could theoretically replace all of your images with whatever they like.

It doesn’t even need to be that nefarious. It could be purely accidental. We still don’t want our images replaced.

$file_name   = $_FILES["file_name"]["name"];
$target_file = "uploads/" . $file_name;

// Refuse the upload if a file with this name is already in uploads/
if ( file_exists($target_file) )
{
    die("The file already exists");
}
We do this check with the file_exists function. If a file with that specific name already exists, we stop the script. This is probably something that we would check first: there is no point in doing the other checks if the file is going to be overwritten anyway.

Checking whether the Image is an Image

One last thing to note is that users could submit a file with an image extension that is not actually an image. PHP’s getimagesize function reads the file’s image header and returns its dimensions and type; if the file cannot be parsed as an image, it returns false.

$temp_file   = $_FILES["file_name"]["tmp_name"];
if ( getimagesize($temp_file) === false )
{
    die("You must upload an image");
}

If getimagesize returns anything other than false, PHP was able to read a valid image header, so the file is an image as far as this check is concerned. It only inspects the header, not the whole file, so it complements the extension and size checks rather than replacing them.
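As an added example (not the article’s own file), here is what upload.php looks like once the file-existence check and the image check from this article are folded into the recap script, in the order the text recommends. The error-code check, basename(), lower-casing the extension, comparing the detected MIME type with the extension, is_uploaded_file(), and checking the return value of move_uploaded_file() are my additions, not the series’ code; the rest follows the script above.

```php
<?php
// upload.php: every check from the series in one place, existence check first.
// Added example, not the tutorial's own file. The error-code check, basename(),
// lower-casing the extension, the MIME-to-extension comparison and the
// is_uploaded_file()/move_uploaded_file() result check are assumptions added
// here for hardening; they are not part of the original article.

declare(strict_types=1);

// Allowed extensions mapped to the MIME type getimagesize() reports for them
$allowed = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
];
$max_size_mb    = 0.5;
$max_size_bytes = (int) ($max_size_mb * 1024 * 1024);
$upload_dir     = __DIR__ . '/uploads/';

if (!isset($_FILES['file_name'])) {
    die('No file was submitted.');
}
$upload = $_FILES['file_name'];

// 1. PHP reports client- and server-side upload problems in 'error';
//    a partial or missing upload must not be treated as a valid file.
if ($upload['error'] !== UPLOAD_ERR_OK) {
    die('The upload failed with error code ' . $upload['error']);
}

// 2. Keep only the base name so the stored path always stays inside uploads/
$file_name   = basename($upload['name']);
$target_file = $upload_dir . $file_name;
$temp_file   = $upload['tmp_name'];

// 3. Existence check first, as the article suggests: no point running the
//    other checks if the file would overwrite an existing image.
if (file_exists($target_file)) {
    die('The file already exists');
}

// 4. Extension check, lower-cased so "IMAGE.JPG" is handled like "image.jpg";
//    a name with no extension yields '' and is rejected here too.
$extension = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));
if (!array_key_exists($extension, $allowed)) {
    die('The format is not correct. You may only upload: ' . implode(', ', array_keys($allowed)));
}

// 5. Size check
if ($upload['size'] > $max_size_bytes) {
    die('The file size is too large. You may only upload up to: ' . $max_size_mb . 'MB');
}

// 6. Image header check. getimagesize() returns false when it cannot parse an
//    image header (the @ silences its warning); the detected MIME type must also
//    match the extension, so a PNG renamed to .jpg is rejected.
$info = @getimagesize($temp_file);
if ($info === false) {
    die('You must upload an image');
}
if ($info['mime'] !== $allowed[$extension]) {
    die('The file content does not match its extension');
}

// 7. Only a file that arrived via this HTTP POST may be moved, and the move
//    itself can fail (permissions, disk full), so check the result.
if (!is_uploaded_file($temp_file) || !move_uploaded_file($temp_file, $target_file)) {
    die('The file could not be saved');
}

echo 'Your image was successfully uploaded.';
```

Each check fails closed with die(), exactly as in the series, so a request that trips any one of them never reaches move_uploaded_file(); the existence check sits before the cheaper extension and size checks only because the article prefers it that way, not because order matters for safety.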

And you can see how this file has grown. It’s usually overwhelming to see it all up front like that, especially if you’re just starting out, but understanding that these are all checks makes it easier to understand. We’ll convert this to Object Oriented PHP in the next article.

If you feel like you’re missing a few steps, start from the beginning, Article 77: https://blog.devgenius.io/php-p77-basics-of-file-uploading-ba377da3d072

Repository: https://github.com/dinocajic/php-youtube-tutorials
