Viewers: in countries Watching now:
The basic process of uploading files with PHP is very simple, but there are security implications that many people are unaware of. This course shows how to create a secure custom PHP class that can handle both single-file and multi-file uploads. Author David Powers shows you how to create a file upload class that checks the size, type, and names of files, renaming them when it encounters a duplicate file name. He'll show you how to make the class report on the outcome of the upload process and the nature of any errors that occur, and how to prevent the user from uploading files that exceed the server limits.
At the end of this course, you'll have a robust, flexible class that can be incorporated into many projects (including web forms) with just a few lines of code.
The public methods of the upload file class have been designed to make it simple to change most defaults. But you might want to change some of them permanently, also the list of permitted Mime types and of potentially risky file name extensions, have been hardcoded into the class definition. To make changes, open uploadfile.php. And most of the defaults can be changed in the property declarations at the top of the class definition. First one that you might want to change is this one here, maxSize.
This sets the maximum limit for individual files that can be uploaded. It's expressed in bytes, and is currently set to 50 kilobytes. It's important to note that the value of max size must be an integer. You can't use calculation. So for example, if you want to change this to 150 kilobytes, and you try to do this, 150 times 1024, you'll see that I get a little underline here, and a message here saying that I've got a syntax error.
You can't have a calculation, it must be a fixed value. So if you want it to be 150 kilobytes, you would need to put in the correct value, which is 153,600. Another important thing to note about maxSize is, it can't be greater than the value of uploadMaxFileSize in the server configuration. Refer to the movie about limitations on file uploads in Chapter 1 if you need reminding of how to check the server limit. The next default that you might want to change is the list of Mime types in the permittedTypes array.
If you plan to add to the end of this array, don't forget to put a comma at the end of line 14 before adding extra types. You can find a full list of mime types on the website of Iana, the internet assigned numbers authority. If we just scroll down here, you can see that the list is absolutely huge. So it's difficult to select the right Mime types to cover all common file formats. Another consideration is that browsers don't always report the official Mime type.
You can use mime_test.php, which you can find in the exercise files for this video to check what browsers report. Let's just try this. I'm using Chrome at the moment. Let's select a zip file and it reports it as being application/octetstream, not application/zip, which is the official MIME type for a zip file. But let's see what Internet Explorer 11 does. Just select that same .zip file and test it.
And it's reported as being application/x.zip-compressed, so very different there. Now let's see what happens if we select a webp file, that's an image type file. Check that, and it's application of eb stream. But in Chrome, that webp file is reported as image/webp. So there are lots of problems with relying on what the browser says the Mime type is. Because of the problems identifying files by their Mime type, you might decide to turn off type checking in the UploadFile class.
You can do that quite simply by changing type checking on to false, so that's on line 17 here. If you change this to false, then Mime types will not be checked and it doesn't matter what you have in this permitted types array. So if you do change this to false, then there is no need to use the allow all types method, unless you want to change the suffix added to potentially risky file name extensions or to upload files without adding a suffix.
The list of potentially risky file name extensions is in the not trusted property. That's this array here on line 18. Just add or remove extensions to suit your needs. But note that the array consists of extension names without a leading dot. But the default suffix which is on the following line, must have a leading dot. So the default suffix at the moment is .upload. And if you don't want to add a suffix to any files ever, you can simply turn notTrusted into an empty array.
So if we just delete everything inside here, then you will be able to upload any type of file. There'll be no type checking whatsoever. One other default that you might want to change is whether the class renames duplicate files, and that's controlled by the upload method. So we need to go down to the upload method, which is down here on line 84. The default value of renameDuplicates is set to true. If you don't want files to be renamed, just set that to false and the class will automatically overwrite existing files.
So that's a quick overview of the defaults that you might want to change in the upload file class. Deciding the default behaviour of a class is a subjective issue, so feel free to adopt the upload file class to suit your own needs. The internal properties method have all been declared as protected, so you could also create a sub-class to add extra functionality or change some of the defaults.
There are currently no FAQs about Uploading Files Securely with PHP.
Access exercise files from a button right under the course name.
Search within course videos and transcripts, and jump right to the results.
Remove icons showing you already watched videos if you want to start over.
Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.
Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.