sasnaktiv

How can I prevent the uploading of a file using file extensions?

Hi Guys,
This question should be an easy one to answer for any Expert at EE.
How can I block all & any file (with the following extensions: .html ; .php; .exe;) from uploading to our server?


Currently I'm using the following line of code successfully, but it doesn't go far enough — it's limited to exact filenames.

This is my code:

[code]
if($File=="index.html" || $File=="index.php" || $File=="default.html" || $File=="default.php")
{ echo "Sorry! You can't upload that kind of file";}
[/code]
Thanks for the help.

PHP

Last Comment
Scott Fell

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
David H.H.Lee

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
sasnaktiv

ASKER
That's interesting David,
I'll give both approaches a shot tomorrow and let you know how it works out.
At first glance it looks quite logical.
Thanks
Sas
Scott Fell

Maybe put the files you will accept (or will not accept) in an array and check if the item is in that array?

https://www.php.net/manual/en/function.in-array.php

[code]
$not_allowed = array("html", "php", "exe"); // extensions that are not allowed
if (in_array($file, $not_allowed)) {
    echo "Sorry! You can't upload that kind of file";
}
[/code]


sasnaktiv

ASKER
To David & Scott,
Thanks for the help guys.

To David:
I'm having trouble getting the FilePath for your very first line of code.
[code]
$pathparts = pathinfo('/www/htdocs/inc/index.php');
[/code]

I tried using $FilePATH = $_SERVER['PATH_INFO']; to get the path, but it comes back empty.
So I made one minor change to that line of code.
[code]
$pathparts = pathinfo($File); // pass the variable itself; '$File' in single quotes is a literal string
[/code]

Presto! It worked!


To Scott:
Your code looks extremely simple and makes a lot of sense—perfect sense. I like it. But it fails!
Scott Fell

Simply saying it fails does not help me :) You have to try and see what the issue is and adjust.

Try this

[code]
$file = "somefile.php"; // FILE WE ARE CHECKING
$file_type = strtolower(substr((string) strrchr($file, '.'), 1)); // GET THE FILE TYPE: EVERYTHING AFTER THE LAST DOT, LOWERCASED

$not_allowed = array("html", "php", "exe"); // NOT ALLOWED LIST

if (in_array($file_type, $not_allowed)) { // CHECK IF FILE TYPE IS IN THE NOT ALLOWED LIST
    echo "Sorry! You can't upload that kind of file";
} else {
    echo "This is a good file";
}
[/code]


https://www.php.net/manual/en/function.substr.php
https://www.php.net/manual/en/function.in-array.php
sasnaktiv

ASKER
Okay Guys. Both solutions function brilliantly.
Is there any reason why one version should be better than the other?
Sas
Scott Fell

What works is what counts. We could probably come up with 10 more options.

If you were to create a database of file types, then instead of

[code]
$not_allowed = array("html", "php", "exe"); // NOT ALLOWED LIST
[/code]

you would replace that with the array generated by the query
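
Added example, not part of any post in this thread: a version of the extension check discussed above that compares whole extensions case-insensitively and looks at every dot-separated segment of the name, so four-letter extensions, upper-case names, trailing spaces or dots, and names such as `shell.php.jpg` are all covered. The function name `blocked_extension` and the sample file names are made up for illustration.

```php
<?php
/**
 * Return the blocked extension found in an uploaded file name, or null if none.
 * Hypothetical helper; in an upload handler $clientName would be the
 * client-supplied name taken from $_FILES.
 */
function blocked_extension(string $clientName, array $notAllowed): ?string
{
    // Drop any directory part the client sent, then trailing dots and spaces,
    // which some filesystems strip when the file is saved.
    $name = rtrim(basename(str_replace('\\', '/', $clientName)), ". \t");

    $parts = explode('.', strtolower($name));
    array_shift($parts); // the first segment is the base name, not an extension

    // Check every remaining segment, so "shell.php.jpg" is caught as well as "shell.php".
    foreach ($parts as $part) {
        $ext = trim($part);
        if (in_array($ext, $notAllowed, true)) {
            return $ext;
        }
    }
    return null;
}

$not_allowed = array('html', 'php', 'exe'); // the list from the question

// Constructed sample names, not taken from a real upload.
$samples = array('index.html', 'Default.PHP', 'setup.exe ', 'shell.php.jpg',
                 'report.pdf', 'notes');

foreach ($samples as $file) {
    $hit = blocked_extension($file, $not_allowed);
    echo str_pad("'$file'", 18),
         $hit === null ? 'accepted' : "rejected (.$hit)", PHP_EOL;
}
```

The same function works with a list loaded from a database query, as suggested above, as long as the stored extensions are lower-case and have no leading dot.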

