Member Avatar for Sorcher

Can someone help me insert a "white list" in this code? i already have a black list in it but thats pretty stupid when i only want these extensions;
'jpg', 'gif', 'png', 'bmp', '2bp', 'abm', 'afx', 'apd', 'art', 'arw', 'avatar', 'bm2', 'bmc', 'bmf', 'cal', 'cals', 'cam', 'can', 'cd5', 'cdg', 'cdg', 'cit', 'fax', 'yuv'

<?php

// Check if a file has been uploaded
if(isset($_FILES['uploaded_file'])) {
    // Make sure the file was sent without errors
    if($_FILES['uploaded_file']['error'] == 0) {
        // Connect to the database
        $dbLink = new mysqli('xxxxxxx', 'xxxx', 'xxxxx', 'xxxxxxxx');
        if(mysqli_connect_errno()) {
            die("MySQL connection failed: ". mysqli_connect_error());
        }
 $userid = $_SESSION['loginid']; //login session
$target = "inc/user_images/".$userid."_"; 
$target = $target . basename( $_FILES['uploaded_file']['name']); 
        // Gather all required data
		$description = $_POST['description'];
        $name = $dbLink->real_escape_string($_FILES['uploaded_file']['name']);
        $mime = $dbLink->real_escape_string($_FILES['uploaded_file']['type']);
     // delete this line   $data = $dbLink->real_escape_string(file_get_contents($_FILES  ['uploaded_file']['tmp_name']));
        $size = intval($_FILES['uploaded_file']['size']);
 
  //Ban file if executable!
   $blacklist = array(".php", ".phtml", ".php3", ".php4", ".js", ".shtml", ".zip", ".rar", ".html");
    foreach ($blacklist as $item) 
    {
    if(preg_match("/$item\$/i", $_FILES['uploaded_file']['name'])) 
    {
    echo "That file type is not allowed!<br><a href='index.php?page=user_files'>[Go back]</a>";
    die;
    }
    }
	if($description)
{
	if (strlen($description)>400)
		echo "Description can't be more than 400 characters!<br><a href='index.php?page=user_files'>[Go back]</a>";
		else
		{

        // Create the SQL query
       //add userid to your database delete the data entity.
        $query = "
            INSERT INTO `userfile` (
              `userid`,  `name`, `mime`, `description`, `size`, `created`
            )
            VALUES ('{$userid}',
                '{$name}', '{$mime}', '{$description}', {$size}, NOW()
            )";
 
        // Execute the query
        $result = $dbLink->query($query);
		
 
        // Check if it was successfull
        if($result) {
            move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $target);
            echo 'Success! Your file was successfully added!';
        }
        else {
            echo 'Error! Failed to insert the file'
               . "<pre>{$dbLink->error}</pre>";
        }
    }
}
    else {
        echo 'An error accured while the file was being uploaded. '
           . 'Error code: '. intval($_FILES['uploaded_file']['error']);
    }
$file1 = $_FILES['uploaded_file']['name'];
    // Close the mysql connection
    
}
else {
    echo 'Error! Your file was not sent!';
}
 
// Echo a link back to the main page
echo '';
}
$dbLink->close();
?>
<br>
<a href="inc/user_images/<?php echo "" . $userid . "_" . $file1?>">
<img src="inc/user_images/<?php echo "" . $userid . "_" . $file1?>" width="50%" height="50%" alt="Click for full size!"><br></a>
<p><font color="#000000"><b>Direct Link:</b></font></p>
<input type="text" value="www.xxxxx.com/inc/user_images/<?php echo "" . $userid . "_" . $file1?>" class="button1">
  • 3 Contributors
  • 2 Replies
  • 162 Views
  • 7 Hours Discussion Span
  • Latest Post Latest Post by cossay
Member Avatar for quasipickle

Ultimately this is a moot point, because the file extension really has no bearing on what the file actually is - especially if this is a *nix server. If you want to prevent bad files from being uploaded, you'll need to check their MIME types. You can do that with the Fileinfo PECL extension: http://us3.php.net/manual/en/ref.fileinfo.php (some hosts may have it installed - I don't know how popular it is).

Anyway the general though process for the whitelist is this:
- Get the list of allowed types
- Get the type of the file
- is the type of file in the allowed types?
- If so, continue. If not, fail.

Member Avatar for cossay

This script allows upload of files with extension found in the $extension array

<?php
if(!isset($_POST['upload']))
{
?>
	<form method = "post" enctype = "multipart/form-data" action = "<?php echo $_SERVER['PHP_SELF'];?>">
	<table width = "400" align = "center" border = "1">
	<tr>
		<td>File :&nbsp;</td>
		<td>
			<input type = "file" name = "myfile">
			<input type = "hidden" name = "MAX_FILE_SIZE" value = "120000">
		</td>
	</tr>
		<tr>
		<td></td>
		<td><input type = "submit" name = "upload" value = "UPLOAD FILE"></td>
	</tr>

	</table>
	</form>
<?php
}
else
{
	//Acceptable extensions
	$extension = array('jpg','jpeg', 'gif', 'png', 'bmp', '2bp', 'abm', 'afx', 'apd', 'art', 'arw', 'avatar', 'bm2', 'bmc', 'bmf', 'cal', 'cals', 'cam', 'can', 'cd5', 'cdg', 'cdg', 'cit', 'fax', 'yuv');
	
	$ext = explode("/", $_FILES['myfile']['type']);
	$count = 0;//Set counter for number of match
	foreach($extension as $item)
	{
		if($ext[1] == $item)
		{
			$count++;
		}
	}
	
	if($count < 1)
	{
		//File not of acceptable extension
		echo "Unexpected file format";
	
	}
	else
	{
		//File is acceptable
		echo "File format OK";
		
	}
}
?>
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.