
I have a PHP file that is called from a JavaScript with the purpose of uploading files to my server.

Clarification: what I'm doing is calling this PHP file with AJAX, so as I understand it, it's not run in the traditional sense, which is why I am not using $_FILE and $_POST, as the whole point of this project is that handling the file upload / collection of user data is done without a page reload.

Obviously we want some sort of server-side file validation, which I have set up in an if statement.

However, the code succeeds and proceeds with the upload no matter what file type I select.

Can someone tell me what is wrong, or guide me in the right direction?

<?php
session_start();

$name = $_SESSION['name'];
$email = $_SESSION['email'];
$phone = $_SESSION['phone'];

$date = date('Y-m-d');

$mypath = $name . '-' . $phone . '-' . $date;

$ext = $_SERVER['HTTP_X_FILE_TYPE'];
$allow = array('psd', 'ai', 'eps', 'svg', 'jpg', 'png', 'docx', 'doc', 'pptx', 'ppt');

if(!in_array($ext,$allow)){
    if(!file_exists($mypath)) {
        mkdir($mypath,0777,TRUE);
    }
    $str = file_get_contents('php://input');

    $title = $_SERVER['HTTP_X_FILE_NAME'];

    $path = "$mypath/".$title;
    file_put_contents($path,$str);
}else{
    return false;
}
?>

Much appreciated - Mr B

  • Possible duplicate of How can I only allow certain filetypes on upload in php? Commented Mar 9, 2018 at 12:58
  • How do you set $_SERVER['HTTP_X_FILE_TYPE'] ? Commented Mar 9, 2018 at 12:58
  • Shouldn't it be if(in_array($ext,$allow)){ instead of if(!in_array($ext,$allow)){ ? Commented Mar 9, 2018 at 12:59
  • @Cemal Your duplicate does not add any information that the author did not already consider Commented Mar 9, 2018 at 13:00
  • if it is functional and working properly as it is intended, what is your question? Commented Mar 9, 2018 at 15:10

1 Answer

The problem with the code (like @Cashbee mentioned in the comments) is the if(!in_array($ext,$allow)) portion of the code. This part allows the file to be uploaded if the file extension is not in the $allow array. The correct code should be as below.

<?php
session_start();

$name = $_SESSION['name'];
$email = $_SESSION['email'];
$phone = $_SESSION['phone'];

$date = date('Y-m-d');

$mypath = $name . '-' . $phone . '-' . $date;

$ext = $_SERVER['HTTP_X_FILE_TYPE'];
$allow = array('psd', 'ai', 'eps', 'svg', 'jpg', 'png', 'docx', 'doc', 'pptx', 'ppt');

if(in_array($ext,$allow)){   // upload only when the extension is in the allow list
    if(!file_exists($mypath)) {
        mkdir($mypath,0777,TRUE);
    }
    $str = file_get_contents('php://input');

    $title = $_SERVER['HTTP_X_FILE_NAME'];

    $path = "$mypath/".$title;
    file_put_contents($path,$str);
}else{
    exit;
}
?>

Important Note: Please keep in mind that trusting an extension based on a header set by a JavaScript command from the browser is highly risky and shouldn't be trusted. If this is required, you must store those files in a folder that is inaccessible/restricted from the web and serve them raw with the correct MIME header upon request, or check more than the file extension on upload.

7 Comments

Won't be able to test this before the weekend, but I still have some questions: when you say header, are you referring to the HTTP_X_FILE_TYPE? And what else would you recommend is used for verification on upload?
Yes, I'm referring to HTTP_X_FILE_TYPE as the point of problems. In an ideal world this may be right, but in the real world it's highly insecure. I can suggest you either verify that the files are indeed the type of files that the extension says (you can check most image files by opening them with Imagick; if they can be parsed by Imagick, you can save them on your server, if not simply delete them) or store them in a folder that is not accessible by the web server.
I have tried the code now, without success. I get no error code, so obviously the syntax is correct; however, no file arrives on the server.
Have you checked and verified that you have write permissions on the folder that you are uploading to?
Without the if statement, the files upload straight away without issue @Cemal
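A hardened version of the same AJAX handler, added here as an example and not part of the question or the answer, showing what the answer's note and the Imagick comment point at: ignore X-File-Type, take the extension from the file name, confirm the actual bytes with finfo, store under a server-chosen name outside the web root, and give the AJAX caller a status code instead of a bare return false. The storage root, the size limit and the trimmed allow list (only types libmagic identifies reliably) are assumptions.

```php
<?php
session_start();
const MAX_BYTES   = 20 * 1024 * 1024;      // assumed size limit
const UPLOAD_ROOT = '/var/app/uploads';    // assumed; outside the web root, so never served directly
// Extension => MIME type a current libmagic reports for a genuine file of that type. Types from
// the question that libmagic does not identify reliably (ai, svg, doc, ppt) are left out here.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'png'  => 'image/png',
    'psd'  => 'image/vnd.adobe.photoshop',
    'eps'  => 'application/postscript',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
];
// A top-level "return false" sends nothing back; the AJAX caller needs a status and a reason.
function reject(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['ok' => false, 'error' => $msg]);
    exit;
}

// Session values become part of a filesystem path, so restrict them to a safe character set.
$safe = static fn(string $s): string => preg_replace('/[^A-Za-z0-9_-]/', '_', $s);
$dir  = UPLOAD_ROOT . '/' . $safe($_SESSION['name'] ?? '') . '-'
      . $safe($_SESSION['phone'] ?? '') . '-' . date('Y-m-d');
// The extension is taken from the file name, never from X-File-Type, and basename()
// strips directory components so the header cannot place the file outside $dir.
$clientName = basename($_SERVER['HTTP_X_FILE_NAME'] ?? '');
$ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
if (!isset(ALLOWED[$ext])) {
    reject(415, 'file type not allowed');
}
$data = file_get_contents('php://input');
if ($data === false || $data === '' || strlen($data) > MAX_BYTES) {
    reject(413, 'empty or too large');
}
// Check the bytes, not the name: the sniffed content must match the declared extension.
$mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($data) ?: 'unknown';
if ($mime !== ALLOWED[$ext]) {
    reject(415, "content is $mime, not a .$ext file");
}
if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
    reject(500, 'cannot create upload directory');
}
// Server-chosen file name; the client's name is returned as metadata, never used as the path.
$stored = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
file_put_contents($stored, $data, LOCK_EX);
header('Content-Type: application/json');
echo json_encode(['ok' => true, 'original' => $clientName, 'stored' => basename($stored)]);
```

Files under UPLOAD_ROOT are then handed out by a separate download script that sets the Content-Type from the stored extension, as the answer's note suggests, rather than by the web server directly.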