PHP’s upload checks are the last line of defense against malicious content
There are a few more checks that we need to accomplish to solidify our form submission. You can never be too careful especially when allowing others to upload files to your server. I recommend using a tried and tested PHP package, but we’re learning how stuff works here so we’ll do a few more tests ourselves.
https://blog.devgenius.io/php-p79-file-size-checks-e419bc6483bf
Recap
We have a basic HTML form and a simple process script.
<form action="./upload.php" method="post" enctype="multipart/form-data">
    <div>
        Select Image to upload:
    </div>
    <div>
        <input type="file" name="file_name" id="file_name">
    </div>
    <div>
        <input type="submit" name="submit" value="Upload">
    </div>
</form>
<?php
$file_name   = $_FILES["file_name"]["name"];
$target_file = "uploads/" . $file_name;
$temp_file   = $_FILES["file_name"]["tmp_name"];

// Check file type
$allowed   = ['jpg', 'png'];
$extension = pathinfo($file_name, PATHINFO_EXTENSION);
if ( ! in_array($extension, $allowed) )
{
    die("The format is not correct. You may only upload: " . implode(", ", $allowed));
}

// Check max file size
$max_size_mb    = 0.5;
$max_size_bytes = $max_size_mb * 1024 * 1024;
if ( $_FILES["file_name"]["size"] > $max_size_bytes )
{
    die("The file size is too large. You may only upload up to: " . $max_size_mb . "MB");
}

// All checks passed. Move file to permanent location
move_uploaded_file($temp_file, $target_file);
echo "Your image was successfully uploaded.";
In our file upload script above, the first check that occurs is the file extension check. After it passes, the next check is the file size check. If that passes too, the file is moved from its temporary location to its final location.
Checking the File Name
Imagine that a potential hacker looks at your website and tries to upload an image with the same name as another image on your site. If you’re not checking whether that filename already exists, they could theoretically replace all of your images with whatever they like.
It doesn’t even need to be that nefarious. It could be purely accidental. We still don’t want our images replaced.
$file_name   = $_FILES["file_name"]["name"];
$target_file = "uploads/" . $file_name;
if ( file_exists($target_file) )
{
    die("The file already exists");
}
We do this check with the file_exists function. If a file with that exact name already exists, we stop the script before anything else runs. This is probably the first thing we should check: there is no point running the other checks if the file would only end up overwriting an existing one.
One caveat: file_exists is not an atomic check. Two uploads with the same name that arrive at nearly the same time can both pass file_exists before either is moved into place. If that matters for your application, generating a unique server-side name (for example from random_bytes) instead of reusing the client's name removes the collision entirely.
Checking whether the Image is an Image
One last thing to note is that a user could submit a file that has an image extension but is not actually an image. PHP's getimagesize function reads the header of the file and returns its dimensions and detected type. If it cannot recognize any image format, it returns false.
$temp_file = $_FILES["file_name"]["tmp_name"];
if ( getimagesize($temp_file) === false )
{
    die("You must upload an image");
}
If the getimagesize function returns anything other than false, the file starts with a valid image header. Keep in mind what this does and does not prove: getimagesize only parses the header, so a file can pass this check and still contain other data after the image. The point of the check is to reject files that merely borrowed an image extension, and it pairs well with the extension check by confirming that the detected type (index 2 of the returned array, an IMAGETYPE_* constant) actually matches the extension the user supplied.
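To show how the file-name and image checks fit together with the earlier extension and size checks, here is one complete hardened version of upload.php. This is an added example written for this edit, not the article's own script or code from any package it mentions. It assumes the same form field name "file_name" and an "uploads/" directory next to the script that PHP can write to; the function name handle_image_upload and the error messages are my own choices. Instead of checking file_exists on the client's file name, it stores the file under a random server-generated name, which sidesteps both the collision and the race described above.

```php
<?php
// Added example (not the article's code): a hardened version of upload.php
// combining every check from this series. Assumes the form field "file_name"
// and a writable "uploads/" directory beside this script.
declare(strict_types=1);

const UPLOAD_DIR     = __DIR__ . '/uploads';
const MAX_SIZE_BYTES = 512 * 1024; // 0.5 MB, same limit as the article

// Allowed extensions mapped to the IMAGETYPE_* constant getimagesize reports.
const ALLOWED_TYPES = [
    'jpg' => IMAGETYPE_JPEG,
    'png' => IMAGETYPE_PNG,
];

/**
 * Validate one $_FILES entry and return the path the image was stored at.
 * Throws RuntimeException with a user-facing message on any failure.
 */
function handle_image_upload(array $file): string
{
    // 1. PHP reports transfer problems (partial upload, php.ini size limits) here.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('The upload did not complete.');
    }

    // 2. Only trust files that PHP itself received in this POST request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload source.');
    }

    // 3. Size check against the temp file on disk, not just the reported size.
    if ($file['size'] > MAX_SIZE_BYTES || filesize($file['tmp_name']) > MAX_SIZE_BYTES) {
        throw new RuntimeException('The file size is too large. You may only upload up to 0.5MB');
    }

    // 4. Extension whitelist. basename() drops any directory part of the client
    //    name and strtolower() lets "photo.JPG" through without widening the list.
    $original  = basename($file['name']);
    $extension = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if (!array_key_exists($extension, ALLOWED_TYPES)) {
        throw new RuntimeException('You may only upload: ' . implode(', ', array_keys(ALLOWED_TYPES)));
    }

    // 5. Content check. getimagesize() parses the image header; index 2 of the
    //    result is the detected IMAGETYPE_* constant and must match the extension.
    //    The @ silences the warning it emits for unreadable or non-image files.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== ALLOWED_TYPES[$extension]) {
        throw new RuntimeException('You must upload a ' . $extension . ' image');
    }

    // 6. Never reuse the client's name. A random server-side name cannot collide
    //    with an existing image, so the file_exists() check and its race go away,
    //    and whatever the client put in its file name never reaches the disk.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $extension;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $target;
}

// Usage from the form in the recap, which posts to ./upload.php:
if (isset($_FILES['file_name'])) {
    try {
        $stored = handle_image_upload($_FILES['file_name']);
        echo 'Your image was successfully uploaded.';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two points about the design. The extension whitelist and the getimagesize type comparison are deliberately separate: the first controls what name the file will be served under, the second confirms the content agrees with that name, and a mismatch between the two is rejected rather than silently corrected. And because getimagesize only reads the header, the random name with a fixed image extension is what guarantees the stored file is never treated as a script by the web server, regardless of what follows the header.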
And you can see how this file has grown. It’s usually overwhelming to see it all up front like that, especially if you’re just starting out, but understanding that these are all checks makes it easier to understand. We’ll convert this to Object Oriented PHP in the next article.
If you feel like you’re missing a few steps, start from the beginning: Article 77.
https://blog.devgenius.io/php-p77-basics-of-file-uploading-ba377da3d072
PHP – P80: final upload checks