Uploading Files Securely with PHP
Illustration by Don Barnett

Neutralizing potentially dangerous uploads


From:

Uploading Files Securely with PHP

with David Powers

Video: Neutralizing potentially dangerous uploads

The allow all types method that we've created on line 71 to 81, makes the upload file class accept all types of files. It also allows you to specify whether a suffix should be appended to the file name of potentially risky types. We now need to amend the check name method so that it renames files correctly and appends that suffix, if necessary. So let's find the check name method. It's down towards the bottom of the class definition.
Expand all | Collapse all
  1. 4m 49s
    1. Welcome
      57s
    2. What you should know before watching this course
      2m 0s
    3. Using the exercise files
      1m 52s
  2. 33m 2s
    1. How PHP handles file uploads
      6m 16s
    2. Examining the $_FILES array
      5m 8s
    3. Setting the maximum file size
      5m 36s
    4. Preparing the upload folder
      3m 18s
    5. Moving the file to its destination
      6m 51s
    6. Limitations on file uploads
      5m 53s
  3. 47m 3s
    1. Planning the class's features
      3m 15s
    2. Creating and using a namespaced class
      5m 25s
    3. Creating the class constructor
      7m 26s
    4. Getting a reference to the uploaded file
      5m 9s
    5. Checking the error level
      5m 7s
    6. Displaying errors and other messages
      4m 51s
    7. Setting and checking the maximum file size
      7m 19s
    8. Strengthening the setMaxSize() method
      8m 31s
  4. 35m 30s
    1. Restricting acceptable MIME types
      5m 27s
    2. Removing spaces from file names
      5m 21s
    3. Restricting acceptable file-name extensions
      6m 10s
    4. Neutralizing potentially dangerous uploads
      5m 54s
    5. Renaming files with duplicate names
      7m 58s
    6. Moving the file to its destination
      4m 40s
  5. 10m 25s
    1. Understanding how the $_FILES array handles multiple files
      4m 42s
    2. Adapting the class to handle both single and multiple uploads
      5m 43s
  6. 38m 15s
    1. Overview of the UploadFile class
      5m 9s
    2. Setting up to use the class
      4m 11s
    3. Using the class
      8m 12s
    4. Reporting errors with multiple uploads
      4m 0s
    5. Displaying the server limits
      4m 51s
    6. Alerting the user about exceeding the server limits
      6m 14s
    7. Changing the class's defaults
      5m 38s
  7. 1m 38s
    1. Goodbye
      1m 38s

Start your free trial now, and begin learning software, business and creative skills—anytime, anywhere—with video instruction from recognized industry experts.

Start Your Free Trial Now
please wait ...
Watch the Online Video Course Uploading Files Securely with PHP
2h 50m Intermediate Feb 24, 2014

Viewers: in countries Watching now:

The basic process of uploading files with PHP is very simple, but there are security implications that many people are unaware of. This course shows how to create a secure custom PHP class that can handle both single-file and multi-file uploads. Author David Powers shows you how to create a file upload class that checks the size, type, and names of files, renaming them when it encounters a duplicate file name. He'll show you how to make the class report on the outcome of the upload process and the nature of any errors that occur, and how to prevent the user from uploading files that exceed the server limits.

At the end of this course, you'll have a robust, flexible class that can be incorporated into many projects (including web forms) with just a few lines of code.

Topics include:
  • How PHP handles file uploads
  • Setting the maximum file size
  • Moving the file to its destination
  • Creating and using a namespaced class
  • Displaying error messages
  • Restricting unacceptable MIME types and file extensions
  • Using the class
  • Reporting errors
  • Altering the user
Subject:
Developer
Software:
PHP
Author:
David Powers

Neutralizing potentially dangerous uploads

The allow all types method that we've created on line 71 to 81, makes the upload file class accept all types of files. It also allows you to specify whether a suffix should be appended to the file name of potentially risky types. We now need to amend the check name method so that it renames files correctly and appends that suffix, if necessary. So let's find the check name method. It's down towards the bottom of the class definition.

There it is. We need to add an extra line on line 165. And the first task, is to extract the file name extension. The file name is stored here in no spaces. We can get the extension by passing nospaces as an argument to the built-in PHP function path info, which returns an associative array of information about a file or a file path. So we'll create a variable called nameparts and pathinfo. Nospaces.

If the file name doesn't have an extension, the extension element of nameparts won't have been set, so we need to check if it exists. So let's create a variable to store the extension. Then we'll check if it's set. So we're checking for nameparts. Extension. And we'll use conditional operators. So if it has been set we'll assign nameparts extension to extension. If not, we'll make it an empty string.

Now if type checking is on, we don't need to add a suffix. Nor do we need to do so, if the suffix is an empty string. Now let's create a conditional statement. If not, this type checking on, and not empty, this suffix. So the code inside this conditional statement will run only if type checking is off.

And the suffix is not an empty string. The next thing that we need to check is if the extension is in the notTrusted array or if it's empty. So another conditional statement, if in array we're looking for the extension that's our needle and the haystack that we're looking in. Is this notTrusted. And the other condition that we're looking for, the alternative condition, is whether the extension is empty.

So if either of those conditions is true, we need to add the suffix to nospaces and then assign the value to the new name property. To indicate that the name has been changed. So in other words, if the extension is in the notTrusted array, or if the extension is empty, we're going to add the suffix. This newName equals the original name, nospaces, then with the suffix added to it.

Course it's the suffix property. The reason that I've included an empty extension here is that files without a file name extension are frequently used on Linux as executable files. Of course, this will catch some innocent files such as readme, but I think it's better to be on the cautious side. So let's save the class definition. And then go back to, form.PHP. At the moment we're allowing all types. We're not adding a particular extension. But let's, just test that.

And let's choose a risky one, a JavaScript file. Upload and it's been renamed checkmultiple.js.upload. So that is working fine. Let's just try a safe file. A jpeg. Nothing has been added to the end of that so that is working fine. Let's also try another safe type of file, a Word file. It's been renamed, but it hasn't got that suffix at the end. Let's just go back and see what happens if we change the suffix to something different.

Let's change it to lynda, and we'll go back to our browser. Choose a file. We'll choose that JavaScript again. And this time, we've got our own custom suffix that has been added to the end. But let's see what happens if we make this an empty string. We'll choose that file again, the JavaScript file. This time it's been uploaded successfully but it has not been renamed. So the upload file class is now much more flexible if you call the allow all types method in your processing script you have the option of neutralizing risky file types.

By adding the default suffix to the filename you can also specify custom suffix by parsing a string as an argument to allow all types. And if you don't want to add a suffix, simply parse an empty string as the argument. But if you want to be really restrictive, just omit allow all types from the processing. And only specified mine types will be uploaded.

There are currently no FAQs about Uploading Files Securely with PHP.

 
Share a link to this course

What are exercise files?

Exercise files are the same files the author uses in the course. Save time by downloading the author's files instead of setting up your own files, and learn by following along with the instructor.

Can I take this course without the exercise files?

Yes! If you decide you would like the exercise files later, you can upgrade to a premium account any time.

Become a member Download sample files See plans and pricing

Please wait... please wait ...
Upgrade to get access to exercise files.

Exercise files video

How to use exercise files.

Learn by watching, listening, and doing, Exercise files are the same files the author uses in the course, so you can download them and follow along Premium memberships include access to all exercise files in the library.


Exercise files

Exercise files video

How to use exercise files.

For additional information on downloading and using exercise files, watch our instructional video or read the instructions in the FAQ .

This course includes free exercise files, so you can practice while you watch the course. To access all the exercise files in our library, become a Premium Member.

* Estimated file size

Are you sure you want to mark all the videos in this course as unwatched?

This will not affect your course history, your reports, or your certificates of completion for this course.


Mark all as unwatched Cancel

Congratulations

You have completed Uploading Files Securely with PHP.

Return to your organization's learning portal to continue training, or close this page.


OK
Become a member to add this course to a playlist

Join today and get unlimited access to the entire library of video courses—and create as many playlists as you like.

Get started

Already a member ?

Exercise files

Learn by watching, listening, and doing! Exercise files are the same files the author uses in the course, so you can download them and follow along. Exercise files are available with all Premium memberships. Learn more

Get started

Already a Premium member?

Exercise files video

How to use exercise files.

Ask a question

Thanks for contacting us.
You’ll hear from our Customer Service team within 24 hours.

Please enter the text shown below:

The classic layout automatically defaults to the latest Flash Player.

To choose a different player, hold the cursor over your name at the top right of any lynda.com page and choose Site preferences from the dropdown menu.

Continue to classic layout Stay on new layout
Exercise files

Access exercise files from a button right under the course name.

Mark videos as unwatched

Remove icons showing you already watched videos if you want to start over.

Control your viewing experience

Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.

Interactive transcripts

Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.

Learn more, save more. Upgrade today!

Get our Annual Premium Membership at our best savings yet.

Upgrade to our Annual Premium Membership today and get even more value from your lynda.com subscription:

“In a way, I feel like you are rooting for me. Like you are really invested in my experience, and want me to get as much out of these courses as possible this is the best place to start on your journey to learning new material.”— Nadine H.

Thanks for signing up.

We’ll send you a confirmation email shortly.


Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

   
submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.