How to restrict file upload using PHP?

Question

I am trying to do a restricted file upload using PHP.

I have used

if (($_FILES["file"]["type"] == "application/dbase")
||($_FILES["file"]["type"] == "application/dbf")
||($_FILES["file"]["type"] == "application/x-dbase")
||($_FILES["file"]["type"] == "application/x-dbf")
||($_FILES["file"]["type"] == "zz-application/zz-winassoc-dbf"))

For me .dbf (i.e Microsoft Visual FoxPro Table type) files are not working. Please suggest to me what I should put for the content type for .dbf .

Here are similar, unanswered question by me. stackoverflow.com/questions/6845866/… — daGrevis
– daGrevis, Commented Jul 28, 2011 at 10:50

PtPazuzu · Accepted Answer · 2011-07-28 10:56:02Z

2

The browser uploading the file probably doesn't know it's an application/dbf mime-time, and sends it as the generic "application/octet-stream". The client/browser has to set the mime-type to be known on upload, and this can be altered by the user!

Thus MIME-type isn't reliable. If you want to be sure that it's the correct file-type/format, you'll have to examine the uploaded file.

answered Jul 28, 2011 at 10:56

PtPazuzu

2,5371 gold badge17 silver badges10 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Sampath · Accepted Answer · 2015-07-09 23:06:54Z

2

There is another easy way for this problem , instead of inspecting the MIME type, we can get the file extension of the uploaded file by using this function.

$filename=$_FILES["file"]["tmp_name"];   
 $ext = pathinfo($filename, PATHINFO_EXTENSION);
 $ext = strtolower($ext);

 if($ext=="png"||$ext=="gif"||$ext=="jpg"||$ext=="jpeg"||$ext=="pdf"
        ||$ext=="doc"||$ext=="docx"||$ext=="xls"
        ||$ext=="xlsx"||$ext=="xlsm"||$ext=="dbf")
    {
        // your code whatever you want to write;

     }

Find an easy blob-upload and download of file here Blob-upload

answered Jul 9, 2015 at 23:06

Sampath

4016 silver badges19 bronze badges

Comments

JK. · Accepted Answer · 2011-07-28 10:53:48Z

1

Defining the content type is up to the browser (or other client application), making it easy to tamper with and cannot be relied upon. My guess is that your browser doesn't recognize the .dbf file and defaults to "application/octet-stream".

answered Jul 28, 2011 at 10:53

JK.

5,1261 gold badge29 silver badges26 bronze badges

Comments

GordonM · Accepted Answer · 2011-07-28 11:28:40Z

1

You can't depend on the type field of a file upload to actually determine its type. First, it can be spoofed by the client. Secondly, the client simply might not know what the file type actually is and just report 'application/octet-stream' instead.

you'll have to determine what kind of file was uploaded yourself. Fortunately, PHP provides the fileinfo extension, which can help you with determining the type of a file.

Code example based on one from php.net:

<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE); // return mime type ala mimetype extension
echo finfo_file($finfo, $_FILES["file"]["tmp_name"]) . "\n";
finfo_close($finfo);
?>

http://www.php.net/manual/en/ref.fileinfo.php

edited Jul 28, 2011 at 11:28

answered Jul 28, 2011 at 10:54

GordonM

31.9k17 gold badges94 silver badges134 bronze badges

Comments

Andy Hunt · Accepted Answer · 2011-07-28 10:52:07Z

-2

Try inspecting the MIME type being passed to you when you upload a file of that type. Insert a temporary print $_FILES["file"]["type"]; somewhere in your code, then upload the file to run the code and see what it prints out! You can then copy that type and use it in your if-statement.

answered Jul 28, 2011 at 10:52

Andy Hunt

1,0731 gold badge11 silver badges26 bronze badges

6 Comments

GordonM Over a year ago

And what if the type is "application-octet-stream" which is what it will default to if the browser doesn't recognise the actual file type? And what if the type field is deliberately spoofed?

Andy Hunt Over a year ago

Then I would submit that he use the file type as just one of a number of checks to validate the upload.

Andy Hunt Over a year ago

I understand it's not reliable, but I feel can still be used. The user uploads and image file? It gets caught out by the type check. If the user uploads an image, but spoofs it as application-octet-stream, then other checks will catch it out.

GordonM Over a year ago

And what if the user uploads a piece of malware and spoofs its filetype as something the system considers safe?

Andy Hunt Over a year ago

As I mentioned before, the type check is not the only check in place. It would be part of any number of checks. Above, my example of an image was just that: an example. Shall we just agree that you find the MIME type to be completely unreliable and unusable, while I find there can be some use for it.

|

Collectives™ on Stack Overflow

How to restrict file upload using PHP?

5 Answers 5

Comments

Comments

Comments

Comments

6 Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

5 Answers 5

Comments

Comments

Comments

Comments

6 Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related