Saved from hackers variables in php script

**Schmoopy** · 02-16-2010, 03:36 PM

You want to be looking at the actual type of the file, as opposed to its name. You can access this with $_FILES['uploaded_file']['type'], or in your case:

PHP Code:


foreach($_FILES as $file) {
  if($file['type'] == 'image/jpeg')
    echo 'allow';
  else
    echo 'no';
}

That shows you the basic concept, but just make an array like before, but this time with different MIME types, a list of which can be found here: http://www.webmaster-toolkit.com/mime-types.shtml

So something like:

PHP Code:


$allowed = array("image/png", "image/jpeg");

Etcetera...

You should be able to go from there with it. See how you get on.

**auriaks** · 02-16-2010, 04:01 PM

Thanks... Good post from you

Btw, can you solve my other need?

I want prevent files' size. if ($size > 0.3mb) {not allow} else {allow}

**Schmoopy** · 02-16-2010, 04:06 PM

This should do it. Also note that the max file size is also declared in the php.ini file, and is normally 2MB, so you'll need to edit that file as well if you want to upload files greater than 2MB.

PHP Code:




define("MAX_FILE_SIZE", 314573); // This is the file size in bytes



foreach($_FILES as $file) {

  if($file['size'] > MAX_FILE_SIZE) {

    echo "The file you're trying to upload is too big";

  } else {

    // Code for uploading file here

  }

}

314573 Bytes = ~0.3MB.

An easy way to convert MB to bytes is to use: http://www.matisse.net/bitcalc/.

Or if you don't like that one, just search for "bits to bytes converter" in Google.

**auriaks** · 02-16-2010, 04:11 PM

php.ini ? why should I do that?

**Schmoopy** · 02-16-2010, 04:12 PM

You only need to change that if you're wanting to upload files greater than 2MB. But from the looks of it, you only want files that are 0.3MB or less, so no need to worry.

**auriaks** · 02-16-2010, 04:19 PM

OK then... thanks

Brilliant

**auriaks** · 02-16-2010, 06:57 PM

Have problem again, I am upoading right format, but script says that wrong...

PHP Code:


define("MAX_FILE_SIZE", 307200); // This is the file size in bytes

foreach($_FILES as $file) {

  if($file['size'] > MAX_FILE_SIZE) {

    $error .= "<li>Nuotraukos dydis viršija 0.3mb!</li>";

  } else {

foreach($_FILES as $file) {

$allowed = array('image/png', 'image/jpeg', 'image/bmp', 'image/gif', 'image/pjpeg');  

  if($file['type'] == $allowed) {

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);  

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {$fileName = basename($_FILES['uploadedfile']['name']);}  } else 

{$tt = $file['type'];

$error .= "<li>Nuotrauka yra neleistino $tt formato. Leistini: .png .jpg .gif .bmp</li>";}}  

}}

**Schmoopy** · 02-16-2010, 07:27 PM

Atm you're doing:

PHP Code:


if($file['type'] == $allowed)

So you're actually comparing it to the $allowed array as a whole, and not checking whether the file type is actually one of the values in the allowed array. Change your code to:

PHP Code:


define("MAX_FILE_SIZE", 307200); // This is the file size in bytes

$allowed = array('image/png', 'image/jpeg', 'image/bmp', 'image/gif', 'image/pjpeg');  

foreach($_FILES as $file) {
        if($file['size'] > MAX_FILE_SIZE) {
            $error .= "<li>Nuotraukos dydis viršija 0.3mb!</li>";
        } else {
        if(in_array($file['type'], $allowed)) {
            $target_path = $target_path . basename( $_FILES['uploadedfile']['name']);  
            if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            
                $fileName = basename($_FILES['uploadedfile']['name']);}  
                
            } else {
                $tt = $file['type'];
                $error .= "<li>Nuotrauka yra neleistino $tt formato. Leistini: .png .jpg .gif .bmp</li>";
            }
    }
}