Validate Input File From HTML Form Using PHP

Upload File

When developing a web-based application, developers often have to provide a facility to upload files. There are several reasons to offer one, for example uploading a picture (jpg, png), a document (doc, pdf), an archive (zip, rar) and others. But allowing users to upload files opens a gap for attackers, who can upload malicious files to the server.

To handle files uploaded by users, developers need to add a script to their web application that filters those files. Here is an example of the HTML code to display the file upload form:
<html>
 <head>
  <title>File Upload Form</title>
 </head>
 <body>
  <form method="POST" action="<?=htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8')?>" enctype="multipart/form-data">
  File : <input type="file" name="file_upload"><br><br>
  <input type="submit" name="submit" value="Upload">
  </form>
 </body>
</html>
Once users can upload files to the server, you cannot trust them to send files of the type the system requires. For this case I will take an example in which the only files that may be uploaded are images of type jpeg, png or gif. Use the following code snippet to filter the files that are sent to the server based on file type.

Filter that allows image files (jpeg, png, gif)
// ['type'] holds the MIME type reported with the upload request
if($_FILES['file_upload']['type']=='image/jpeg' || $_FILES['file_upload']['type']=='image/png' || $_FILES['file_upload']['type']=='image/gif'){
    //your upload script here
}
else{
    echo "Please upload the image file!";
}
The condition "if($_FILES['file_upload']['type']=='image/jpeg' || $_FILES['file_upload']['type']=='image/png' || $_FILES['file_upload']['type']=='image/gif')" checks whether the file sent by the user has one of the allowed types: jpeg, png or gif. Put your own upload code at the comment line "//your upload script here".

Filter that allows msword, excel and pdf documents
// MIME types that are accepted
$allowed_files=array(1=>'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
                     2=>'application/excel',
                     3=>'application/msword',
                     4=>'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
                     5=>'application/pdf',
                     6=>'application/force-download');
if(in_array($_FILES['file_upload']['type'],$allowed_files)){
    //place your upload script here
}
else{
    echo "Please upload msword, excel or pdf document";
}
In the snippet that filters msword, excel and pdf files, the permitted file types are first stored in the variable $allowed_files and then matched against the type of the file sent by the user, like this: "if(in_array($_FILES['file_upload']['type'],$allowed_files))".

Code snippet to filter file uploads by file size
To prevent users from uploading large files, which can take up the server's hosting space, see the following example code snippet:
$max_allowed_size=100000; //max file size is 100KB
if($_FILES['file_upload']['size'] <= $max_allowed_size){
    //Place script to check file type here
}
else{
    echo "Please upload file no more than 100KB";
}
Set the maximum file size in the variable $max_allowed_size. In the script above I set it to 100000, which means the allowed file size is no more than 100KB. To implement this in a real case you can check the file type first and then check the file size, or vice versa.
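
The 'type' value compared in the filters above is sent by the browser with the request, so a client can set it to anything. The following added example (not part of the original article) applies the same image type and size filters, but detects the type from the file's contents on the server. The function name validate_upload(), the uploads/ directory and the error messages are assumptions, and it needs PHP 7 or later with the fileinfo extension.

```php
<?php
// Added example. Assumed names: validate_upload(), the uploads/ directory.

// Returns the MIME type detected from the file's contents, or throws.
// $file is one entry of $_FILES; $allowed maps MIME type => extension.
function validate_upload(array $file, array $allowed, int $maxBytes): string
{
    // Reject failed, partial or multi-file submissions.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    // The temp path must be a file PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // Check the size of the file as stored on the server.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        throw new RuntimeException('File is empty or too large.');
    }
    // Detect the type from the file's bytes, not from $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('Please upload the image file!');
    }
    return $mime;
}

$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['file_upload'])) {
    try {
        $mime = validate_upload($_FILES['file_upload'], $allowed, 100000);
        // Server-generated name; the extension comes from the detected
        // type, never from the client's file name.
        $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
        $dest = __DIR__ . '/uploads/' . $name;
        if (!move_uploaded_file($_FILES['file_upload']['tmp_name'], $dest)) {
            throw new RuntimeException('Could not store the file.');
        }
        echo 'File uploaded.';
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The uploads/ directory must exist and be writable by the web server, and it should be configured so that files in it are never executed as scripts.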