Saturday, 15 August 2015

php - Restricting all but one file format to be uploaded -




I'm studying MySQL & PHP, and the first production I've started work on is a review panel. You can upload product reviews to the database and browse them later on, straight from the panel, in this case a local website.

The problem is, I can't figure out how to rule out every file format on upload, except .pdf! To be more clear: I want the upload form to take only .pdf files. At the moment it doesn't restrict anything; here is the code:

    <?php
    if (isset($_POST['upload']) && $_FILES['userfile']['size'] > 0) {
        // Form fields and upload metadata, exactly as sent by the client
        $revname      = $_POST['revname'];
        $revrating    = $_POST['rating'];
        $revrecommend = $_POST['recommend'];
        $filename     = $_FILES['userfile']['name'];
        $tmpname      = $_FILES['userfile']['tmp_name'];
        $filesize     = $_FILES['userfile']['size'];
        $filetype     = $_FILES['userfile']['type'];

        // Read the uploaded file so it can be stored in the database
        $fp      = fopen($tmpname, 'r');
        $content = fread($fp, filesize($tmpname));
        $content = addslashes($content);
        fclose($fp);

        if (!get_magic_quotes_gpc()) {
            $filename = addslashes($filename);
        }

        // Move the temporary file into the reviews directory
        rename($tmpname, "c:\\xampp\\htdocs\\reviewarchieve\\files\\reviews\\" . $filename);

        include 'include/config.php';
        include 'include/opendb.php';

        $query = "insert files (revname, rating, recommend, name, size, type, content)" .
                 "values ('$revname', '$revrating', '$revrecommend', '$filename', '$filesize', '$filetype', '$content')";

        mysql_query($query) or die('error, query failed' . mysql_error());
        include 'include/closedb.php';

        echo "<br>file $filename uploaded<br>";
    }
    ?>

Got it working!

Thanks for the MIME reference, I managed to learn something new, and accomplished the task with a little bit of investigation! Not with the part of code offered in the right answer; it did not work at all in my case, no matter what I did. Instead, I used this method:

I noticed I have included the file type. $filetype = $_FILES['userfile']['type'];

So I had to create an if for it, like this:

    if ($filetype == 'application/pdf') {
        // *** code driven here, same as above in the original code ***
    } else {
        echo "invalid file, upload interrupted!";
    }

Answer:

    ....
    if (isset($_POST['upload']) && $_FILES['userfile']['size'] > 0) {
        $tmpname = $_FILES['userfile']['tmp_name'];
        if (mime_content_type($tmpname) != 'application/pdf') {
            die("uploaded file not valid");
        }
    ....

You have a number of problems here; the biggest are:

SQL injection. You must sanitize user inputs or little Bobby Tables will visit you. Think about using parametrized queries.

You should check the file's mimetype. http://www.php.net//manual/en/function.mime-content-type.php works out of the box although it is deprecated. You should utilize fileinfo.
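
Both of the answer's points, parameterized queries and a fileinfo-based type check, combined in one upload handler as an added example (not code from the question or the answer). The `$pdo` connection, the destination directory and the function name `store_pdf_review` are assumptions; the column names follow the question's INSERT, with `content` left out because the file is kept on disk.

```php
<?php
// Added example. Assumes PHP >= 7 with the fileinfo and PDO extensions.
// store_pdf_review(), $pdo and $destDir are hypothetical names.

/**
 * Validate one entry of $_FILES as a PDF, store it, and record it.
 * Returns the server-generated file name; throws on any rejection.
 */
function store_pdf_review(array $file, array $fields, PDO $pdo, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }

    // Detect the type from the file's bytes. $file['type'] is whatever the
    // browser sent, so it is not used for the decision.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'application/pdf') {
        throw new RuntimeException('Uploaded file is not a PDF');
    }

    // Generate the stored name server-side instead of reusing the client's.
    $stored = bin2hex(random_bytes(16)) . '.pdf';
    $target = $destDir . DIRECTORY_SEPARATOR . $stored;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }

    // Parameterized query: user input is bound, never concatenated into SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO files (revname, rating, recommend, name, size, type)
         VALUES (:revname, :rating, :recommend, :name, :size, :type)'
    );
    $stmt->execute([
        ':revname'   => $fields['revname'] ?? '',
        ':rating'    => $fields['rating'] ?? '',
        ':recommend' => $fields['recommend'] ?? '',
        ':name'      => $stored,
        ':size'      => filesize($target),
        ':type'      => 'application/pdf',
    ]);
    return $stored;
}

// Usage in the upload handler (connection details are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=reviews', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// store_pdf_review($_FILES['userfile'], $_POST, $pdo, __DIR__ . '/files/reviews');
```

The fileinfo check inspects only the file's leading bytes, so the generated `.pdf` name matters as well: it keeps a mislabelled file from being stored under an executable extension.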

php mysql
