Easy-to-follow video tutorials help you learn software, creative, and business skills.Become a member

Neutralizing potentially dangerous uploads

From: Uploading Files Securely with PHP

Video: Neutralizing potentially dangerous uploads

The allow all types method that we've created on line 71 and pathinfo. Nospaces.

Neutralizing potentially dangerous uploads

The allow all types method that we've created on line 71 to 81, makes the upload file class accept all types of files. It also allows you to specify whether a suffix should be appended to the file name of potentially risky types. We now need to amend the check name method so that it renames files correctly and appends that suffix, if necessary. So let's find the check name method. It's down towards the bottom of the class definition.

There it is. We need to add an extra line on line 165. And the first task, is to extract the file name extension. The file name is stored here in no spaces. We can get the extension by passing nospaces as an argument to the built-in PHP function path info, which returns an associative array of information about a file or a file path. So we'll create a variable called nameparts and pathinfo. Nospaces.

If the file name doesn't have an extension, the extension element of nameparts won't have been set, so we need to check if it exists. So let's create a variable to store the extension. Then we'll check if it's set. So we're checking for nameparts. Extension. And we'll use conditional operators. So if it has been set we'll assign nameparts extension to extension. If not, we'll make it an empty string.

Now if type checking is on, we don't need to add a suffix. Nor do we need to do so, if the suffix is an empty string. Now let's create a conditional statement. If not, this type checking on, and not empty, this suffix. So the code inside this conditional statement will run only if type checking is off.

And the suffix is not an empty string. The next thing that we need to check is if the extension is in the notTrusted array or if it's empty. So another conditional statement, if in array we're looking for the extension that's our needle and the haystack that we're looking in. Is this notTrusted. And the other condition that we're looking for, the alternative condition, is whether the extension is empty.

So if either of those conditions is true, we need to add the suffix to nospaces and then assign the value to the new name property. To indicate that the name has been changed. So in other words, if the extension is in the notTrusted array, or if the extension is empty, we're going to add the suffix. This newName equals the original name, nospaces, then with the suffix added to it.

Course it's the suffix property. The reason that I've included an empty extension here is that files without a file name extension are frequently used on Linux as executable files. Of course, this will catch some innocent files such as readme, but I think it's better to be on the cautious side. So let's save the class definition. And then go back to, form.PHP. At the moment we're allowing all types. We're not adding a particular extension. But let's, just test that.

And let's choose a risky one, a JavaScript file. Upload and it's been renamed checkmultiple.js.upload. So that is working fine. Let's just try a safe file. A jpeg. Nothing has been added to the end of that so that is working fine. Let's also try another safe type of file, a Word file. It's been renamed, but it hasn't got that suffix at the end. Let's just go back and see what happens if we change the suffix to something different.

Let's change it to lynda, and we'll go back to our browser. Choose a file. We'll choose that JavaScript again. And this time, we've got our own custom suffix that has been added to the end. But let's see what happens if we make this an empty string. We'll choose that file again, the JavaScript file. This time it's been uploaded successfully but it has not been renamed. So the upload file class is now much more flexible if you call the allow all types method in your processing script you have the option of neutralizing risky file types.

By adding the default suffix to the filename you can also specify custom suffix by parsing a string as an argument to allow all types. And if you don't want to add a suffix, simply parse an empty string as the argument. But if you want to be really restrictive, just omit allow all types from the processing. And only specified mine types will be uploaded.

Show transcript

This video is part of

Image for Uploading Files Securely with PHP
Uploading Files Securely with PHP

33 video lessons · 2237 viewers

David Powers

Expand all | Collapse all
  1. 4m 49s
    1. Welcome
    2. What you should know before watching this course
      2m 0s
    3. Using the exercise files
      1m 52s
  2. 33m 2s
    1. How PHP handles file uploads
      6m 16s
    2. Examining the $_FILES array
      5m 8s
    3. Setting the maximum file size
      5m 36s
    4. Preparing the upload folder
      3m 18s
    5. Moving the file to its destination
      6m 51s
    6. Limitations on file uploads
      5m 53s
  3. 47m 3s
    1. Planning the class's features
      3m 15s
    2. Creating and using a namespaced class
      5m 25s
    3. Creating the class constructor
      7m 26s
    4. Getting a reference to the uploaded file
      5m 9s
    5. Checking the error level
      5m 7s
    6. Displaying errors and other messages
      4m 51s
    7. Setting and checking the maximum file size
      7m 19s
    8. Strengthening the setMaxSize() method
      8m 31s
  4. 35m 30s
    1. Restricting acceptable MIME types
      5m 27s
    2. Removing spaces from file names
      5m 21s
    3. Restricting acceptable file-name extensions
      6m 10s
    4. Neutralizing potentially dangerous uploads
      5m 54s
    5. Renaming files with duplicate names
      7m 58s
    6. Moving the file to its destination
      4m 40s
  5. 10m 25s
    1. Understanding how the $_FILES array handles multiple files
      4m 42s
    2. Adapting the class to handle both single and multiple uploads
      5m 43s
  6. 38m 15s
    1. Overview of the UploadFile class
      5m 9s
    2. Setting up to use the class
      4m 11s
    3. Using the class
      8m 12s
    4. Reporting errors with multiple uploads
      4m 0s
    5. Displaying the server limits
      4m 51s
    6. Alerting the user about exceeding the server limits
      6m 14s
    7. Changing the class's defaults
      5m 38s
  7. 1m 38s
    1. Goodbye
      1m 38s

Start learning today

Get unlimited access to all courses for just $25/month.

Become a member
Sometimes @lynda teaches me how to use a program and sometimes Lynda.com changes my life forever. @JosefShutter
@lynda lynda.com is an absolute life saver when it comes to learning todays software. Definitely recommend it! #higherlearning @Michael_Caraway
@lynda The best thing online! Your database of courses is great! To the mark and very helpful. Thanks! @ru22more
Got to create something yesterday I never thought I could do. #thanks @lynda @Ngventurella
I really do love @lynda as a learning platform. Never stop learning and developing, it’s probably our greatest gift as a species! @soundslikedavid
@lynda just subscribed to lynda.com all I can say its brilliant join now trust me @ButchSamurai
@lynda is an awesome resource. The membership is priceless if you take advantage of it. @diabetic_techie
One of the best decision I made this year. Buy a 1yr subscription to @lynda @cybercaptive
guys lynda.com (@lynda) is the best. So far I’ve learned Java, principles of OO programming, and now learning about MS project @lucasmitchell
Signed back up to @lynda dot com. I’ve missed it!! Proper geeking out right now! #timetolearn #geek @JayGodbold
Share a link to this course

What are exercise files?

Exercise files are the same files the author uses in the course. Save time by downloading the author's files instead of setting up your own files, and learn by following along with the instructor.

Can I take this course without the exercise files?

Yes! If you decide you would like the exercise files later, you can upgrade to a premium account any time.

Become a member Download sample files See plans and pricing

Please wait... please wait ...
Upgrade to get access to exercise files.

Exercise files video

How to use exercise files.

Learn by watching, listening, and doing, Exercise files are the same files the author uses in the course, so you can download them and follow along Premium memberships include access to all exercise files in the library.

Exercise files

Exercise files video

How to use exercise files.

For additional information on downloading and using exercise files, watch our instructional video or read the instructions in the FAQ.

This course includes free exercise files, so you can practice while you watch the course. To access all the exercise files in our library, become a Premium Member.

Are you sure you want to mark all the videos in this course as unwatched?

This will not affect your course history, your reports, or your certificates of completion for this course.

Mark all as unwatched Cancel


You have completed Uploading Files Securely with PHP.

Return to your organization's learning portal to continue training, or close this page.

Become a member to add this course to a playlist

Join today and get unlimited access to the entire library of video courses—and create as many playlists as you like.

Get started

Already a member?

Become a member to like this course.

Join today and get unlimited access to the entire library of video courses.

Get started

Already a member?

Exercise files

Learn by watching, listening, and doing! Exercise files are the same files the author uses in the course, so you can download them and follow along. Exercise files are available with all Premium memberships. Learn more

Get started

Already a Premium member?

Exercise files video

How to use exercise files.

Ask a question

Thanks for contacting us.
You’ll hear from our Customer Service team within 24 hours.

Please enter the text shown below:

The classic layout automatically defaults to the latest Flash Player.

To choose a different player, hold the cursor over your name at the top right of any lynda.com page and choose Site preferencesfrom the dropdown menu.

Continue to classic layout Stay on new layout
Exercise files

Access exercise files from a button right under the course name.

Mark videos as unwatched

Remove icons showing you already watched videos if you want to start over.

Control your viewing experience

Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.

Interactive transcripts

Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.

Are you sure you want to delete this note?


Your file was successfully uploaded.

Thanks for signing up.

We’ll send you a confirmation email shortly.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.