Re: substr?


 



Peter Ford wrote:
Frank Arensmeier wrote:

On 17 Jun 2008, at 22:14, Jim Lucas wrote:

Jason Pruim wrote:
Hi everyone,
I am attempting to adapt some code to work more reliably than how it is now... What I am doing is coding an upload form where people could be uploading .zip files in excess of 200 MB... Yes I know that is large, but it's for a print shop and they get HUGE files to print from.
The code I'm having issues with is this:

$filename = $_FILES['userfile']['name']; // Get the name of the file (including file extension).
$ext = substr($filename, strpos($filename,'.'), strlen($filename)-1); // Get the extension from the filename.

All I want to do is grab the file extension and verify that it is a .zip or a .pdf etc. file. This is working for small files (under a few megs) but for some reason it fails when I get bigger. I have increased the allowed memory size to 50 MB; I'm testing with a 44 MB file right now. When it fails, it says the file type is not allowed even though it is listed in the file type array. Hopefully I have given you enough to go on to at least ask me some questions :)
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
japruim@xxxxxxxxxx

Looking at what I think you are trying to do, how about this?

<?php

if ( isset( $_FILES ) ) {

  foreach ( $_FILES AS $file ) {

    $filename = $file['name'];

    list($ext) = array_reverse(explode('.', $filename));

    $allowed_ext = array('zip', 'pdf');

    if ( in_array($ext, $allowed_ext) ) {
      // Correct extension; do what ever
    } else {
      // Incorrect extension; do nothing
    }

  }

}

?>


I am somewhat surprised that all code suggestions are rather complicated in my opinion. What is wrong with 'pathinfo'?

if ( !isset( $_FILES['userfile']['name'] ) ) {
    echo "No file has been uploaded";
} else {

    $allowed_extensions = array( "zip", "pdf", "ai", "html" );
    $file_info = pathinfo( $_FILES['userfile']['name'] );

    if ( in_array( strtolower( $file_info['extension'] ), $allowed_extensions ) ) {
        echo "File has a valid extension";
    } else {
        // do something else
    }
}

// frank



Two points here:
Firstly, as someone has already indicated, the file will be uploaded before the PHP script runs, so the end user will have to wait for his junk to get through the internet before (s)he is told it is junk. Is that what you want?

Secondly, using the file extension to determine file type is a very poor idea and open to abuse. If you have the file (which you do, 'cos it's been uploaded before your script runs) then you should do a bit more checking before accepting it. The Unix/Linux "file" command can help here. Not perfect, but still... You could also Virus-scan the file before accepting it. All depends on whether your customer is prepared to wait while you clear his upload.

Cheers
Pete


I think that you have the wrong person here. That was a different thread/person talking about preventing DoS'ing attacks. Not Jason.

--
Jim Lucas

   "Some men are born to greatness, some achieve greatness,
       and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
    by William Shakespeare


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
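
The content check suggested in the thread (inspect the uploaded file itself instead of trusting its name), as an added example that is not part of the original messages. The function name `reject_reason`, the `ALLOWED_TYPES` map and the sample files are assumptions made up for illustration; it relies on PHP's bundled fileinfo extension, which uses the same kind of signature database as the Unix "file" command.

```php
<?php
// Added example: accept a file only if BOTH the claimed extension and the
// detected content type are on the list. The map below is an assumption.
const ALLOWED_TYPES = [
    'zip' => ['application/zip'],
    'pdf' => ['application/pdf'],
];

/**
 * Returns null when the file is acceptable, otherwise a reason string.
 * $path is the file on disk (tmp_name of an upload); $clientName is the
 * name sent by the browser and must be treated as untrusted input.
 */
function reject_reason(string $path, string $clientName): ?string
{
    // pathinfo() takes the text after the LAST dot: "job.v2.zip" gives "zip".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return "extension '$ext' not allowed";
    }
    // finfo looks at the file's leading bytes, not at its name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return "content is '$mime', not a valid .$ext file";
    }
    return null;
}

// In an upload handler, check the error code and is_uploaded_file() first:
//   $f = $_FILES['userfile'];
//   if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) { /* reject */ }
//   $reason = reject_reason($f['tmp_name'], $f['name']);

// Constructed samples so the check can be run from the command line.
$samples = [
    'brochure.v2.pdf' => "%PDF-1.4\n%%EOF\n",          // PDF signature, two dots in name
    'artwork.pdf'     => "<?php echo 'not a pdf'; ?>", // script with a renamed extension
    'notes.exe'       => "MZ",                          // extension not on the list
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    printf("%-16s %s\n", $name, reject_reason($tmp, $name) ?? 'accepted');
    unlink($tmp);
}
```

Signature-based detection only shows what a file starts with, so a virus scan of accepted files, as mentioned in the thread, remains a separate step.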

