The basic process of uploading files with PHP is very simple, but there are security implications that many people are unaware of. This course shows how to create a secure custom PHP class that can handle both single-file and multi-file uploads. Author David Powers shows you how to create a file upload class that checks the size, type, and names of files, renaming them when it encounters a duplicate file name. He'll show you how to make the class report on the outcome of the upload process and the nature of any errors that occur, and how to prevent the user from uploading files that exceed the server limits.
At the end of this course, you'll have a robust, flexible class that can be incorporated into many projects (including web forms) with just a few lines of code.
The allowAllTypes method that we created on lines 71 to 81 makes the upload file class accept all types of files. It also allows you to specify whether a suffix should be appended to the file name of potentially risky types. We now need to amend the checkName method so that it renames files correctly and appends that suffix, if necessary. So let's find the checkName method. It's down towards the bottom of the class definition.
There it is. We need to add an extra line on line 165. And the first task is to extract the file name extension. The file name is stored here in nospaces. We can get the extension by passing nospaces as an argument to the built-in PHP function pathinfo, which returns an associative array of information about a file or a file path. So we'll create a variable called nameparts and assign it the result of pathinfo with nospaces as the argument.
If the file name doesn't have an extension, the extension element of nameparts won't have been set, so we need to check if it exists. So let's create a variable to store the extension. Then we'll check if it's set. So we're checking for the extension element of nameparts. And we'll use the conditional operator. So if it has been set, we'll assign the extension element of nameparts to extension. If not, we'll make it an empty string.
Now if type checking is on, we don't need to add a suffix. Nor do we need to do so if the suffix is an empty string. Now let's create a conditional statement: if not this type checking on, and not empty this suffix. So the code inside this conditional statement will run only if type checking is off and the suffix is not an empty string.
The next thing that we need to check is if the extension is in the notTrusted array or if it's empty. So another conditional statement: if in_array, where the extension we're looking for is our needle and the haystack that we're looking in is this notTrusted. And the other condition that we're looking for, the alternative condition, is whether the extension is empty.
So if either of those conditions is true, we need to add the suffix to nospaces and then assign the value to the newName property, to indicate that the name has been changed. So in other words, if the extension is in the notTrusted array, or if the extension is empty, we're going to add the suffix. This newName equals the original name, nospaces, then with the suffix added to it.
Of course, it's the suffix property. The reason that I've included an empty extension here is that files without a file name extension are frequently used on Linux as executable files. Of course, this will catch some innocent files such as readme, but I think it's better to be on the cautious side. So let's save the class definition and then go back to form.php. At the moment we're allowing all types. We're not adding a particular extension. But let's just test that.
By adding the default suffix to the filename. You can also specify a custom suffix by passing a string as an argument to allowAllTypes. And if you don't want to add a suffix, simply pass an empty string as the argument. But if you want to be really restrictive, just omit allowAllTypes from the processing, and only the specified MIME types will be uploaded.
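The suffix logic narrated above, as an added PHP example that is not the course's exercise file. The class name, the property names, the contents of the notTrusted list, the '.upload' default suffix and the space-to-underscore step are assumptions; lowercasing the extension goes beyond the narration, and the duplicate-name renaming is left out.

```php
<?php
// Added illustration, not the course's exercise file. Names follow the
// narration; list contents and the default suffix value are assumptions.
class UploadFile
{
    protected $typeCheckingOn = true;
    protected $suffix = '';
    // Constructed list of extensions treated as risky.
    protected $notTrusted = ['bin', 'cgi', 'exe', 'js', 'php', 'pl', 'py', 'sh'];
    protected $newName;

    // Accept every file type; $suffix is appended to risky names ('' disables it).
    public function allowAllTypes($suffix = '.upload') // default value is assumed
    {
        $this->typeCheckingOn = false;
        $this->suffix = (string) $suffix;
    }

    // Returns the name the file would be stored under.
    public function checkName($filename)
    {
        $this->newName = null;
        $nospaces = str_replace(' ', '_', $filename); // assumed: spaces become underscores
        $nameparts = pathinfo($nospaces);
        // strtolower() is an addition: in_array() compares case-sensitively,
        // so an upper-case extension would not match a lower-case list.
        $extension = isset($nameparts['extension']) ? strtolower($nameparts['extension']) : '';
        // Only rename when type checking is off and a suffix has been set.
        if (!$this->typeCheckingOn && $this->suffix !== '') {
            // Risky extension, or no extension at all (e.g. README).
            if (in_array($extension, $this->notTrusted, true) || $extension === '') {
                $this->newName = $nospaces . $this->suffix;
            }
        }
        return $this->newName !== null ? $this->newName : $nospaces;
    }
}

// Constructed sample names.
$upload = new UploadFile();
$upload->allowAllTypes();
foreach (['my script.php', 'SHELL.PHP', 'README', 'photo.jpg'] as $name) {
    printf("%-14s => %s\n", $name, $upload->checkName($name));
}
```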