Uploading Files Securely with PHP
Illustration by Don Barnett

Restricting acceptable MIME types


From:

Uploading Files Securely with PHP

with David Powers

Video: Restricting acceptable MIME types

The upload file class that we've been building accepts any type of file. This is potentially insecure, particularly if the upload folder is publicly accessible. But you can use the type element of the file's superglobal array to filter uploads and restrict them to specific types. So let's create a class property to store an array of permitted types. So we'll create it here with all the other property definitions. We'll make it protected, and we'll call it permittedTypes, and it needs to be an array.
Expand all | Collapse all
  1. 4m 49s
    1. Welcome
      57s
    2. What you should know before watching this course
      2m 0s
    3. Using the exercise files
      1m 52s
  2. 33m 2s
    1. How PHP handles file uploads
      6m 16s
    2. Examining the $_FILES array
      5m 8s
    3. Setting the maximum file size
      5m 36s
    4. Preparing the upload folder
      3m 18s
    5. Moving the file to its destination
      6m 51s
    6. Limitations on file uploads
      5m 53s
  3. 47m 3s
    1. Planning the class's features
      3m 15s
    2. Creating and using a namespaced class
      5m 25s
    3. Creating the class constructor
      7m 26s
    4. Getting a reference to the uploaded file
      5m 9s
    5. Checking the error level
      5m 7s
    6. Displaying errors and other messages
      4m 51s
    7. Setting and checking the maximum file size
      7m 19s
    8. Strengthening the setMaxSize() method
      8m 31s
  4. 35m 30s
    1. Restricting acceptable MIME types
      5m 27s
    2. Removing spaces from file names
      5m 21s
    3. Restricting acceptable file-name extensions
      6m 10s
    4. Neutralizing potentially dangerous uploads
      5m 54s
    5. Renaming files with duplicate names
      7m 58s
    6. Moving the file to its destination
      4m 40s
  5. 10m 25s
    1. Understanding how the $_FILES array handles multiple files
      4m 42s
    2. Adapting the class to handle both single and multiple uploads
      5m 43s
  6. 38m 15s
    1. Overview of the UploadFile class
      5m 9s
    2. Setting up to use the class
      4m 11s
    3. Using the class
      8m 12s
    4. Reporting errors with multiple uploads
      4m 0s
    5. Displaying the server limits
      4m 51s
    6. Alerting the user about exceeding the server limits
      6m 14s
    7. Changing the class's defaults
      5m 38s
  7. 1m 38s
    1. Goodbye
      1m 38s

Start your free trial now, and begin learning software, business and creative skills—anytime, anywhere—with video instruction from recognized industry experts.

Start Your Free Trial Now
please wait ...
Watch the Online Video Course Uploading Files Securely with PHP
2h 50m Intermediate Feb 24, 2014

Viewers: in countries Watching now:

The basic process of uploading files with PHP is very simple, but there are security implications that many people are unaware of. This course shows how to create a secure custom PHP class that can handle both single-file and multi-file uploads. Author David Powers shows you how to create a file upload class that checks the size, type, and names of files, renaming them when it encounters a duplicate file name. He'll show you how to make the class report on the outcome of the upload process and the nature of any errors that occur, and how to prevent the user from uploading files that exceed the server limits.

At the end of this course, you'll have a robust, flexible class that can be incorporated into many projects (including web forms) with just a few lines of code.

Topics include:
  • How PHP handles file uploads
  • Setting the maximum file size
  • Moving the file to its destination
  • Creating and using a namespaced class
  • Displaying error messages
  • Restricting unacceptable MIME types and file extensions
  • Using the class
  • Reporting errors
  • Altering the user
Subject:
Developer
Software:
PHP
Author:
David Powers

Restricting acceptable MIME types

The upload file class that we've been building accepts any type of file. This is potentially insecure, particularly if the upload folder is publicly accessible. But you can use the type element of the file's superglobal array to filter uploads and restrict them to specific types. So let's create a class property to store an array of permitted types. So we'll create it here with all the other property definitions. We'll make it protected, and we'll call it permittedTypes, and it needs to be an array.

And I'm just going to paste in here a list of image mime types. You can find that list in the text file in the exercise files for this video. And then we just need to put a semicolon at the end there. By the way, this image/pjpg is what was used by old versions of Internet Explorer for JPEG files. That's why it's been included there. Next we need to create a method to check the file's type. So we'll put that down with our other check methods.

So we need to find checkSize, and we'll put it in after checkSize. It'll be a protected method. I will call it checkType, and we'll pass it file as an argument. This argument that we're passing here will be a reference to the current element in the file's superglobal array. So we can now use a conditional statement to check whether the file type is in the array of permitted types. So if, then we'll use the in_array function, which looks for a needle.

The needle we're looking for is file, and the element is type, and the haystack that we're looking for is that permitted types array, which is a property, so we use this, and then permittedTypes. So if it is one of the permitted types, we're happy, and we can return true. And if it's not one of the permitted types, we need to add a message to the messages array.

So else, then, this messages, will add an array element to it. We need the file name. And then add that message that it's not a permitted type. And of course, if it's not a permitted type, we need to return false. So now that we've defined that method, we need to call it in the checkFile method. So we need to scroll up to, checkFile. Here we are. So after checking the size, we will check type.

So if, and if it's going to return false, we don't want it, so we need to use the negative operator. So if not this, checkType, and then we pass it file. If it doesn't pass muster, we need to return false. So the check file method is now running several checks. It's checking the error code. If it isn't zero, it gets an error message, and returns false.

It checks the size. If it doesn't fall within our limits, it returns false. And if the type isn't one of our permitted types, it also returns false. It only returns true if the file passes muster with all the various checks that we're making. So let's just save that and go back to form.php, where we can test it. Now in the previous video, I changed max to 5,000 kilobytes, which was ridiculous, so we'll change that back to 50.

And then we can save that and run it in a browser. We'll select a file. This is a JPG, it's accepted it. Let's choose this WebP file, it's accepted that too. But let's try a different type of file, let's choose a Word document. Try to upload that, it's not a permitted type of file. And if we do the same with a JavaScript file, try to upload it, it's not a permitted type of file.

So this works really well if you want to restrict file uploads to a narrow range of MIME types. But it's important to realize that PHP doesn't actually verify the MIME type reported in the file's superglobal array. It takes the browser's word for it. So the MIME type can be spoofed and sometimes, browsers don't report what you actually expect. That WebP file worked fine in Chrome, but it wouldn't work in other browsers. An alternative approach is to allow all file types to be uploaded but to accord special treatment to those with filename extensions that could be risky.

And we'll look at that approach a little later in this chapter.

There are currently no FAQs about Uploading Files Securely with PHP.

 
Share a link to this course

What are exercise files?

Exercise files are the same files the author uses in the course. Save time by downloading the author's files instead of setting up your own files, and learn by following along with the instructor.

Can I take this course without the exercise files?

Yes! If you decide you would like the exercise files later, you can upgrade to a premium account any time.

Become a member Download sample files See plans and pricing

Please wait... please wait ...
Upgrade to get access to exercise files.

Exercise files video

How to use exercise files.

Learn by watching, listening, and doing, Exercise files are the same files the author uses in the course, so you can download them and follow along Premium memberships include access to all exercise files in the library.


Exercise files

Exercise files video

How to use exercise files.

For additional information on downloading and using exercise files, watch our instructional video or read the instructions in the FAQ .

This course includes free exercise files, so you can practice while you watch the course. To access all the exercise files in our library, become a Premium Member.

* Estimated file size

Are you sure you want to mark all the videos in this course as unwatched?

This will not affect your course history, your reports, or your certificates of completion for this course.


Mark all as unwatched Cancel

Congratulations

You have completed Uploading Files Securely with PHP.

Return to your organization's learning portal to continue training, or close this page.


OK
Become a member to add this course to a playlist

Join today and get unlimited access to the entire library of video courses—and create as many playlists as you like.

Get started

Already a member ?

Exercise files

Learn by watching, listening, and doing! Exercise files are the same files the author uses in the course, so you can download them and follow along. Exercise files are available with all Premium memberships. Learn more

Get started

Already a Premium member?

Exercise files video

How to use exercise files.

Ask a question

Thanks for contacting us.
You’ll hear from our Customer Service team within 24 hours.

Please enter the text shown below:

The classic layout automatically defaults to the latest Flash Player.

To choose a different player, hold the cursor over your name at the top right of any lynda.com page and choose Site preferences from the dropdown menu.

Continue to classic layout Stay on new layout
Exercise files

Access exercise files from a button right under the course name.

Mark videos as unwatched

Remove icons showing you already watched videos if you want to start over.

Control your viewing experience

Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.

Interactive transcripts

Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.

Learn more, save more. Upgrade today!

Get our Annual Premium Membership at our best savings yet.

Upgrade to our Annual Premium Membership today and get even more value from your lynda.com subscription:

“In a way, I feel like you are rooting for me. Like you are really invested in my experience, and want me to get as much out of these courses as possible this is the best place to start on your journey to learning new material.”— Nadine H.

Thanks for signing up.

We’ll send you a confirmation email shortly.


Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

   
submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.