Limit upload file type

[edenwax]

So I have this simple uploader for zip files used here:
www.xmuarcade.com/mc

uploader.php
<?php

$target_path = "maps/";

$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
   echo "The file ".  basename( $_FILES['uploadedfile']['name']). " has been uploaded";
   echo "<a href='"/"'>Back</a>";
} else{
   echo "There was an error uploading the file, please try again!";
   echo "<a href='"/"'>Back</a>";
}


?>

2 things. How could I incorporate an if statement(I think) that only allows .zip and .rar formats? And for some strange reason I get errors saying I'm dividing by zero when I try to echo a link back to the index?

xmuarcade.com/mc/uploader.php

[Bobby]

Suggesting your server is running PHP 5.3.x, you can use the Fileinfo library to easily check the MIME type. It's a more sure-fire way to validate the file type than checking the extension. People can easily change an extension. MIME type? Not so much.

$finfo = finfo_open (FILEINFO_MIME_TYPE);
$mimeType = finfo_file ($finfo, $_FILES['uploadedfile']['tmp_name']);

$allowedMimes = array ('application/zip', 'application/x-rar');

if (in_array ($mimeType, $allowedMimes))
{
  // ...
}

And you're getting the division error because you're dropping out of the string when printing the forward slash. Which also happens to be the division operator in PHP.

echo '<a href="/">Back</a>';

[edenwax]

Ooh okay, that clears up a bit. Still stuck on how to edit the uploader to work with your code?

[xcessive]

Dec 9, 2010 4:08:21 GMT Bobby said:

Suggesting your server is running PHP 5.3.x, you can use the Fileinfo library to easily check the MIME type. It's a more sure-fire way to validate the file type than checking the extension. People can easily change an extension. MIME type? Not so much.

$finfo = finfo_open (FILEINFO_MIME_TYPE);
$mimeType = finfo_file ($finfo, $_FILES['uploadedfile']['tmp_name']);

$allowedMimes = array ('application/zip', 'application/x-rar');

if (in_array ($mimeType, $allowedMimes))
{
  // ...
}

And you're getting the division error because you're dropping out of the string when printing the forward slash. Which also happens to be the division operator in PHP.

echo '<a href="/">Back</a>';

Yeh, although you can always force an extension, I used to do that when I first started with PHP.

[Bobby]

Dec 9, 2010 5:09:43 GMT edenwax said:

Ooh okay, that clears up a bit. Still stuck on how to edit the uploader to work with your code?

Move the old contents of the script within the IF statement.

Dec 9, 2010 6:38:28 GMT xcessive said:

Yeh, although you can always force an extension, I used to do that when I first started with PHP.

You can force the extension to be there. And you could rewrite the extension to zip/rar. But you can't force it to be the correct extension. At least not without checking the MIME type anyways. And the problem with rewriting the extension to zip/rar is that it doesn't actually change the contents of the file. You'd still be allowing people to transport any kind of file they want.

[edenwax]

Yeaaah I get:

Fatal error: Call to undefined function finfo_open() in /home/xmunet/public_html/mc/uploader.php on line 3

[Bobby]

Dec 9, 2010 18:22:55 GMT edenwax said:

Yeaaah I get:

Fatal error: Call to undefined function finfo_open() in /home/xmunet/public_html/mc/uploader.php on line 3

As I stated, you need PHP 5.3.x. That error tells me your host is still using the 5.2.x line. Even on shared hosting you should still be able to install PECL extensions. If not, you could always contact your host and ask them to install the PECL extension for you. There are no implications for other users, so there's no reason for them to not help you.

If all else fails, the browser sends the MIME type with the form, and it is stored in the $_FILES array. $_FILES['xxx']['type'], to be specific.

[xcessive]

Dec 9, 2010 12:18:39 GMT Bobby said:

Dec 9, 2010 5:09:43 GMT edenwax said:

Ooh okay, that clears up a bit. Still stuck on how to edit the uploader to work with your code?

Move the old contents of the script within the IF statement.

[/b]

Dec 9, 2010 6:38:28 GMT xcessive said:

Yeh, although you can always force an extension, I used to do that when I first started with PHP.

You can force the extension to be there. And you could rewrite the extension to zip/rar. But you can't force it to be the correct extension. At least not without checking the MIME type anyways. And the problem with rewriting the extension to zip/rar is that it doesn't actually change the contents of the file. You'd still be

Yes its a fairly bad idea. However it is a very quick and dirty method and limiting file types AND preventing people from uploading XSS files.


Edit: Sorry, I thought I clicked quote..

[edenwax]

Dec 10, 2010 6:29:04 GMT xcessive said:

Dec 9, 2010 12:18:39 GMT Bobby said:

Move the old contents of the script within the IF statement.

[/b]

Dec 9, 2010 6:38:28 GMT xcessive said:

Yeh, although you can always force an extension, I used to do that when I first started with PHP.

You can force the extension to be there. And you could rewrite the extension to zip/rar. But you can't force it to be the correct extension. At least not without checking the MIME type anyways. And the problem with rewriting the extension to zip/rar is that it doesn't actually change the contents of the file. You'd still be

Yes its a fairly bad idea. However it is a very quick and dirty method and limiting file types AND preventing people from uploading XSS files.


Edit: Sorry, I thought I clicked quote..

[/quote]

Yeah this does not work..

[xcessive]

Dec 10, 2010 17:44:57 GMT edenwax said:

Dec 10, 2010 6:29:04 GMT xcessive said:

You can force the extension to be there. And you could rewrite the extension to zip/rar. But you can't force it to be the correct extension. At least not without checking the MIME type anyways. And the problem with rewriting the extension to zip/rar is that it doesn't actually change the contents of the file. You'd still be

Yes its a fairly bad idea. However it is a very quick and dirty method and limiting file types AND preventing people from uploading XSS files.


Edit: Sorry, I thought I clicked quote..

Yeah this does not work..

You either don't know what your talking about or you dont know what I'm talking about. It does work, I used to use it when I didn't have access to PHP 5.3 and so do many other people.

EDIT: A google search yielded this

if (strpos($_FILES["file"]["name"],".psd")) { $ftype = "psd" };

Seriously though don't use that code its fairly crap. If you have 5.3 check using built in functions as mentioned above. If not check the extension type manually by checking the file file name as a string and then forcing a certain extension type of the uploaded file.

[edenwax]

Twas reffering to the code bobby shared. Doesnt want to work.

[xcessive]

Dec 11, 2010 1:35:46 GMT edenwax said:

Twas reffering to the code bobby shared. Doesnt want to work.

What version of php does your server have installed?
<?
phpinfo();
?>

[edenwax]

Version 5.2.14 apparently.

[xcessive]

Dec 11, 2010 6:11:34 GMT edenwax said:

Version 5.2.14 apparently.

Then Bobby's code wont work, you need 5.3.x.

Use the other method.

[edenwax]

Alright, thanks.