Limiting file types using MIMETYPE in PHP

Hello all, I need help in making sure that people can only upload specific file types to my site for security. I wish to limit the types using mime type as file extensions can be changed. I only want images (jpg, bmp, gif and png) and zip files to be allowed. Here is the original code I have
[php]<?php
$settings['imEmailForm_17_5'] = array(
	"owner_email_from" => "eMail Address",
	"owner_email_to" => "[email protected]",
	"customer_email_from" => "[email protected]",
	"customer_email_to" => "eMail Address",
	"owner_message" => "",
	"customer_message" => "We thank you for your enquiry and will get back to you within 48 hours to begin the process of verifying the information you have sent to us and begin creating the template for your site.

Kind Regards,
PotterNet Site Admin Team",
	"owner_subject" => "Advert Request",
	"customer_subject" => "Thank you for your Advert Request",
	"owner_csv" => True,
	"customer_csv" => True,
	"confirmation_page" => "…/advertising-home.html"
);

if(substr(basename($_SERVER['PHP_SELF']), 0, 11) == "imEmailForm") {
	include "../res/x5engine.php";

	$answers = array(
	);

	$form_data = array(
		array('label' => 'Accept Terms & Conditions?', 'value' => $_POST['imObjectForm_5_1']),
		array('label' => 'Name', 'value' => $_POST['imObjectForm_5_2']),
		array('label' => 'eMail Address', 'value' => $_POST['imObjectForm_5_3']),
		array('label' => 'Website URL', 'value' => $_POST['imObjectForm_5_4']),
		array('label' => 'Company Name', 'value' => $_POST['imObjectForm_5_5']),
		array('label' => 'Do you require text in your advert?', 'value' => $_POST['imObjectForm_5_7']),
		array('label' => 'Do you want us to design your advert for you?', 'value' => $_POST['imObjectForm_5_8'])
	);

	$files_data = array(
		array('label' => 'Company Logo', 'value' => $_FILES['imObjectForm_5_6']),
		array('label' => 'Advert Images', 'value' => $_FILES['imObjectForm_5_9'])
	);

	if(@$_POST['action'] != "check_answer") {
		if(!isset($_POST['imJsCheck']) || $_POST['imJsCheck'] != "jsactive")
			die(imPrintJsError());
		if (isset($_POST['imCpt']) && !isset($_POST['imCptHdn']))
			die(imPrintJsError());
		if(isset($_POST['imSpProt']) && $_POST['imSpProt'] != "")
			die(imPrintJsError());
		$email = new imSendEmail();
		$email->sendFormEmail($settings['imEmailForm_17_5'], $form_data, $files_data);
		@header('Location: ' . $settings['imEmailForm_17_5']['confirmation_page']);
	} else {
		if(@$_POST['id'] == "" || @$_POST['answer'] == "" || strtolower(trim($answers[@$_POST['id']])) != strtolower(trim(@$_POST['answer'])))
			echo "0";
		else
			echo "1";
	}
}

// End of file[/php]

Can someone please help me by explaining what code to add to this and where to add it so that it would stop anything except zip and the image types listed above from being uploaded?
Thank you in advance.
Kind regards,
Danny

To my knowledge, there's really no surefire way to accurately filter files unless you have a predefined set of allowable files (whitelist w/ no variations). However, you can potentially reduce the number of garbage files by checking the fields in the $_FILES global. You can learn how to do this here: http://www.php.net/manual/en/features.file-upload.php.

Just a quick and dirty to point you in the right direction

[php]
// Walk every uploaded field and flag any whose browser-reported type is not on the list
$failure = false;
foreach ($_FILES as $k) {
	if (checkFileType($k["type"])) {
		$failure = true;
	}
}

// Returns true when the type is NOT allowed (a failure), false when it is allowed
function checkFileType($fileType) {
	switch ($fileType) {
		case 'image/gif':
		case 'image/jpg':
		case 'image/jpeg':
		case 'application/zip': { // browsers report zip archives as application/zip, not "zip"
			return false;
		} break; // not needed I know.
		default: {
			return true;
		}
	}
}

if ($failure) {
	echo "Unsupported file type!";
}
[/php]

You would then have to appropriately handle cases where failure is true, i.e. don't send the email and display an error message to the user.

Really? As far as I know, if you change the extension of a file it will not work. Am I wrong?

Ugh, sorry - I really need to read a bit more slowly! You are correct, wilson : ) . I guess the next course would be using fileinfo if available or get_mime_type. However these are easily defeated and get_mime is deprecated. You must also exercise caution with fileinfo (protect against traversals etc). http://www.php.net/manual/en/ref.fileinfo.php
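A check that follows the direction the two replies above point in (content-based, allow-list only, fileinfo as a second opinion) as an added example; it is not code from the thread, and the function names `sniffUploadType` and `isAllowedUpload` are chosen here:

```php
<?php
// Added example (not from the thread): accept an upload only if its *content*
// matches one of the types Danny asked for. The browser-supplied
// $_FILES[...]['type'] and the file extension are both under the client's control.

// Magic-byte signatures for the accepted types (from the public format specs).
// Returns the canonical extension, or null when nothing matches.
function sniffUploadType(string $path): ?string {
    $head = (string) file_get_contents($path, false, null, 0, 12);
    $signatures = [
        'jpg' => ["\xFF\xD8\xFF"],
        'png' => ["\x89PNG\r\n\x1A\n"],
        'gif' => ["GIF87a", "GIF89a"],
        'bmp' => ["BM"],
        'zip' => ["PK\x03\x04"], // empty archives (PK\x05\x06) are rejected on purpose
    ];
    foreach ($signatures as $ext => $magics) {
        foreach ($magics as $magic) {
            if (strncmp($head, $magic, strlen($magic)) === 0) {
                return $ext;
            }
        }
    }
    return null;
}

// A file must pass the magic-byte test AND, where the fileinfo extension is
// loaded, PHP's own MIME detection for the same type. $file is one $_FILES entry.
function isAllowedUpload(array $file, int $maxBytes = 2097152): bool {
    if (!isset($file['tmp_name'], $file['error'], $file['size'])) {
        return false;
    }
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > $maxBytes) {
        return false;
    }
    // Only trust paths PHP itself created for this request (blocks path games).
    if (!is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $allowed = [
        'jpg' => ['image/jpeg'], 'png' => ['image/png'], 'gif' => ['image/gif'],
        'bmp' => ['image/bmp', 'image/x-ms-bmp'], 'zip' => ['application/zip'],
    ];
    $ext = sniffUploadType($file['tmp_name']);
    if ($ext === null) {
        return false;
    }
    if (class_exists('finfo')) {
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
        if (!in_array($mime, $allowed[$ext], true)) {
            return false;
        }
    }
    return true;
}
```

In Danny's script this would run over each entry of `$files_data` before `sendFormEmail` is called, refusing the whole submission when any file fails; if the files are ever stored, keep them under a server-chosen name rather than the uploaded one.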

I use the following to check my file types

[php]if (($_FILES["name"]["type"] == "application/pdf") && ($_FILES["name"]["size"] < 2097152)) {
	// verify that the file is not corrupt
	if ($_FILES["name"]["error"] > 0) {
		echo "Return Code: " . $_FILES["name"]["error"] . "\n";
	} else {
		// the upload passed the checks; handle the file here
	}
}[/php]

I don’t know if this will stop
