Peter Ford wrote:
Frank Arensmeier wrote:
17 jun 2008 kl. 22.14 skrev Jim Lucas:
Jason Pruim wrote:
Hi everyone,
I am attempting to adopt some code to work more reliably then how it
is now...
What I am doing is coding a upload form where people could be
uploading .zip files in excess of 200 MB... Yes I know that is
large, but it's for a print shop and they get HUGE files to print from.
The code I'm having issues with is this:
$filename = $_FILES['userfile']['name']; // Get the name of the
file (including file extension).
$ext = substr($filename, strpos($filename,'.'),
strlen($filename)-1); // Get the extension from the filename.
All I want to do is grab the file extension and verify that it is a
.zip or a .pdf etc. file. This is working for small files (under a
few megs) but for some reason it fails when I get bigger. I have
increased the allowed memory size to 50 MB's I'm testing with a 44
MB file right now.
When it fails, it says the file type is not allowed even though it
is listed in the file type array.
Hopefully I have given you enough to go on to at least ask me some
questions :)
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
japruim@xxxxxxxxxx
Looking at what I think you are trying to do, how about this?
<?php
if ( isset( $_FILES ) ) {
foreach ( $_FILES AS $file )
$filename = $file['name'];
list($ext) = array_reverse(explode('.', $filename));
$allowed_ext = array('zip', 'pdf');
if ( in_array($ext, $allowed_ext) ) {
// Correct extension; do what ever
} else {
// Incorrect extension; do nothing
}
}
}
?>
I am somewhat surprised that all code suggestions are rather
complicated in my opinion. What is wrong with 'pathinfo'?
if ( !isset( $_FILES['userfile']['name'] ) ) {
echo "No file has been uploaded";
} else {
$allowed_extensions = array( "zip", "pdf", "ai", "html" );
$file_info = pathinfo( $_FILES['userfile']['name'] );
if ( in_array( strtolower( $file_info['extension'] ),
$allowed_extensions ) ) {
echo "File has a valid extension";
} else {
// do something else
}
}
// frank
Two points here:
Firstyl, as someone has already indicated, the file will be uploaded
before the PHP script runs, so the end user will have to wait for his
junk to get through the internet before (s)he is told it is junk. Is
that what you want?
Secondly, using the file extension to determine file type is a very poor
idea and open to abuse. If you have the file (which you do, 'cos it's
been uploaded before your script runs) then you should do a bit more
checking before accepting it. The Unix/Linux "file" command can help
here. Not perfect, but still...
You could also Virus-scan the file before accepting it. All depends on
whether your customer is prepared to wait while you clear his upload.
Cheers
Pete
I think that you have the wrong person here. That was a different thread/person
talking about preventing DoS'ing attacks. Not Jason.
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V
by William Shakespeare
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
