Limiting upload types help?

Alright,

I have been trying this for a while. I am trying to limit the uploaded file types, but when I upload the PHP file to the site and try to use it with an allowed file, it says it is not allowed. Any help? Anyway, here's my code…

Second attempt (the one I'm working with now):

<?php

$submitFile = $_POST['submitFile'];

if ($submitFile)
{
	if ((($_FILES["file"]["type"] == "application/x-rar-compressed") // Rar Type Files
	|| ($_FILES["file"]["type"] == "application/zip") // Zipped Folders
	|| ($_FILES["file"]["type"] == "application/octet-stream")) // MySQL Files
	&& ($_FILES["file"]["size"] < 209715200))
	{
	
	// File name and extensions
	$filetmpname = $_FILES['file']['name']; // Name of original file
	$ext = substr($filetmpname, strpos($filetmpname,'.'), strlen($filetmpname)-1); // Ext
	$filename = substr(md5(time().$i++), -6).$ext;
	$target = $SETT['upload_dir'].$filename;

			// Check the directory is writable
			if (!is_writable($SETT['upload_dir']))
			{
			$ERROR = 'You cannot upload to the folder that was specified!';
			}
			else
			{
				// Create text such as title and desc
				$title  = mysql_escape_string(strip_tags(trim($_POST['title'])));
				$desc   = mysql_escape_string(strip_tags(trim($_POST['desc'])));
				$author = "Guest";
				$report = "0";
				$dl_url = $CONF['url'].$SETT['upload_dir'].$filename;
				
				if ($title&&$desc&&$dl_url)
				{
					if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)) 
					{
						
						mysql_query("INSERT INTO downloads VALUES ('', '$author', '$title', '$desc', '$report', '$dl_url')");
						
						$gatherDownloadRecently = mysql_query("SELECT * FROM users WHERE username='$USERNAME'"); // Select the username table and our username
						$numrows = mysql_num_rows($gatherDownloadRecently); // Gather the info
						if ($numrows!=0) // Check if url exists
						{
							while ($row = mysql_fetch_assoc($gatherDownloadRecently)) // Gather our details
							{
							$dbUrl = $row['uniqueID']; // Collect DB ID
							}
							echo "<meta http-equiv='refresh' content='0; URL=".$CONF['url']."/file.php?id=".$dbUrl."'>";
						
						}
						else
						{
						$ERROR = "We couldnt find the file after it was uploaded?!";
						}
					} 
					else
					{
					$ERROR = 'There was an error uploading the file!';
					}
				}
				else
				{
				$ERROR = "Please fill in all the fields before attempting to upload!";
				}
			}
	}
	else
	{
		$ERROR='The file is not the right type or it is too large!';
	}
}
?>

First attempt:

<?php

$submitFile = $_POST['submitFile'];

if ($submitFile)
{
	// Configuration - Options
	$allowed_filetypes = array('.rar','.zip','.pdf','.sql','.xml','.gz');
	$max_filesize = 209715200;
	
	// File name and extensions
	$filetmpname = $_FILES['file']['name']; // Name of original file
	$ext = substr($filetmpname, strpos($filetmpname,'.'), strlen($filetmpname)-1); // Ext
	$filename = substr(md5(time().$i++), -6).$ext;
	$target = $SETT['upload_dir'].$filename;
	
	// Check the filetype is allowed
	if(!in_array($ext,$allowed_filetypes))
	{
	$ERROR = "The type of file you uploaded is not allowed!<br />".$ext;
	}
	else
	{
		// Check the filesize
		if (filesize($_FILES['file']['tmp_name']) > $max_filesize)
		{
		$ERROR = "The file you uploaded is too large!";
		}
		else
		{
			// Check the directory is writable
			if (!is_writable($SETT['upload_dir']))
			{
			$ERROR = 'You cannot upload to the folder that was specified!';
			}
			else
			{
				// Create text such as title and desc
				$title  = mysql_escape_string(strip_tags(trim($_POST['title'])));
				$desc   = mysql_escape_string(strip_tags(trim($_POST['desc'])));
				$author = "Guest";
				$report = "0";
				$dl_url = $CONF['url'].$SETT['upload_dir'].$filename;
				
				if ($title&&$desc&&$dl_url)
				{
					if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)) 
					{
						
						mysql_query("INSERT INTO downloads VALUES ('', '$author', '$title', '$desc', '$report', '$dl_url')");
						
						$gatherDownloadRecently = mysql_query("SELECT * FROM users WHERE username='$USERNAME'"); // Select the username table and our username
						$numrows = mysql_num_rows($gatherDownloadRecently); // Gather the info
						if ($numrows!=0) // Check if url exists
						{
							while ($row = mysql_fetch_assoc($gatherDownloadRecently)) // Gather our details
							{
							$dbUrl = $row['uniqueID']; // Collect DB ID
							}
							echo "<meta http-equiv='refresh' content='0; URL=".$CONF['url']."/file.php?id=".$dbUrl."'>";
						
						}
						else
						{
						$ERROR = "We couldnt find the file after it was uploaded?!";
						}
					} 
					else
					{
					$ERROR = 'There was an error uploading the file!';
					}
				}
				else
				{
				$ERROR = "Please fill in all the fields before attempting to upload!";
				}
			}
		}
	}
}

?>

So for each of the attempts, answer the following: Which file extensions did you try uploading? What were the results?

In other words, was it rejecting everything?

I tried .rar, .zip, .exe, .php, .html, and .exe; all denied.

I’m better able to understand your first attempt, so that’s the one I’m studying. When you say “it says it is not allowed”, what does that mean? I see you have some different error messages in your code, so what exactly happens? What type of error message do you get?

I'm getting the literal errors saying they are not allowed: $ERROR = "The type of file you uploaded is not allowed!"

We need to add some echos into the code so we can get a feel for what’s going on. Please echo $filetmpname, $ext, $filename, $target immediately after you initialize them. So we have:
initialization
print to new line
initialization
print to new line

and so forth.
If you tell me the results, then we can decide if it’s a data or logic problem.
Again, I’m working with the original attempt.
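While the thread above is still tracing why the first attempt rejects every extension, here is an added example (not the poster's code) of the same checks written so that each step can be read in isolation: the upload error code is tested first, the extension comes from pathinfo() rather than the first dot, the browser-supplied "type" is ignored in favour of sniffing the temp file, and the same field name is used for the check and for move_uploaded_file(). It assumes PHP 7.1+, that $SETT['upload_dir'] from the thread is a writable directory outside the web root with a trailing slash, and that the MIME table matches the server's libmagic.

```php
<?php
// Added example (not the poster's code): upload checks done in one place.
// Assumptions: PHP 7.1+, $SETT['upload_dir'] from the thread is a writable
// directory outside the web root, and the MIME table matches the server's libmagic.
$allowed_ext  = ['rar', 'zip', 'pdf', 'sql', 'xml', 'gz'];
$allowed_mime = [
    'rar' => ['application/x-rar', 'application/x-rar-compressed', 'application/vnd.rar'],
    'zip' => ['application/zip'],
    'pdf' => ['application/pdf'],
    'sql' => ['text/plain'],
    'xml' => ['text/xml', 'application/xml'],
    'gz'  => ['application/gzip', 'application/x-gzip'],
];
$max_filesize = 209715200; // same 200 MiB limit as the posted code

// Returns [true, safe_filename] or [false, error_message].
function check_upload(array $f, array $allowed_ext, array $allowed_mime, int $max): array
{
    // PHP reports partial/failed uploads in 'error'; check it before anything else.
    if (!isset($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        return [false, 'Upload failed with error code ' . ($f['error'] ?? 'none')];
    }
    if ($f['size'] > $max) {
        return [false, 'The file you uploaded is too large!'];
    }
    // pathinfo() returns the part after the LAST dot ("backup.tar.gz" -> "gz"),
    // whereas strpos()+substr() in the posted code takes everything from the FIRST dot.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return [false, 'The type of file you uploaded is not allowed! ' . $ext];
    }
    // Sniff the temp file's real content type; $f['type'] is supplied by the browser.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!in_array($mime, $allowed_mime[$ext], true)) {
        return [false, "File content ($mime) does not match a .$ext file"];
    }
    // Random server-side name: nothing the client sent reaches the filesystem path.
    return [true, bin2hex(random_bytes(8)) . '.' . $ext];
}

// Same field name ("file") for the check and for move_uploaded_file().
if (!empty($_POST['submitFile']) && isset($_FILES['file'])) {
    [$ok, $result] = check_upload($_FILES['file'], $allowed_ext, $allowed_mime, $max_filesize);
    if (!$ok) {
        $ERROR = $result;
    } elseif (!move_uploaded_file($_FILES['file']['tmp_name'], $SETT['upload_dir'] . $result)) {
        $ERROR = 'There was an error uploading the file!';
    }
}
```

Echoing $ext and $mime from inside check_upload() gives the same data the reply above asks for, but for a file that passes every step nothing from the client ends up in the stored path.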
