Viewers: in countries Watching now:
The basic process of uploading files with PHP is very simple, but there are security implications that many people are unaware of. This course shows how to create a secure custom PHP class that can handle both single-file and multi-file uploads. Author David Powers shows you how to create a file upload class that checks the size, type, and names of files, renaming them when it encounters a duplicate file name. He'll show you how to make the class report on the outcome of the upload process and the nature of any errors that occur, and how to prevent the user from uploading files that exceed the server limits.
At the end of this course, you'll have a robust, flexible class that can be incorporated into many projects (including web forms) with just a few lines of code.
The upload file class that we've been building accepts any type of file. This is potentially insecure, particularly if the upload folder is publicly accessible. But you can use the type element of the file's superglobal array to filter uploads and restrict them to specific types. So let's create a class property to store an array of permitted types. So we'll create it here with all the other property definitions. We'll make it protected, and we'll call it permittedTypes, and it needs to be an array.
And I'm just going to paste in here a list of image mime types. You can find that list in the text file in the exercise files for this video. And then we just need to put a semicolon at the end there. By the way, this image/pjpg is what was used by old versions of Internet Explorer for JPEG files. That's why it's been included there. Next we need to create a method to check the file's type. So we'll put that down with our other check methods.
So we need to find checkSize, and we'll put it in after checkSize. It'll be a protected method. I will call it checkType, and we'll pass it file as an argument. This argument that we're passing here will be a reference to the current element in the file's superglobal array. So we can now use a conditional statement to check whether the file type is in the array of permitted types. So if, then we'll use the in_array function, which looks for a needle.
The needle we're looking for is file, and the element is type, and the haystack that we're looking for is that permitted types array, which is a property, so we use this, and then permittedTypes. So if it is one of the permitted types, we're happy, and we can return true. And if it's not one of the permitted types, we need to add a message to the messages array.
So else, then, this messages, will add an array element to it. We need the file name. And then add that message that it's not a permitted type. And of course, if it's not a permitted type, we need to return false. So now that we've defined that method, we need to call it in the checkFile method. So we need to scroll up to, checkFile. Here we are. So after checking the size, we will check type.
So if, and if it's going to return false, we don't want it, so we need to use the negative operator. So if not this, checkType, and then we pass it file. If it doesn't pass muster, we need to return false. So the check file method is now running several checks. It's checking the error code. If it isn't zero, it gets an error message, and returns false.
It checks the size. If it doesn't fall within our limits, it returns false. And if the type isn't one of our permitted types, it also returns false. It only returns true if the file passes muster with all the various checks that we're making. So let's just save that and go back to form.php, where we can test it. Now in the previous video, I changed max to 5,000 kilobytes, which was ridiculous, so we'll change that back to 50.
So this works really well if you want to restrict file uploads to a narrow range of MIME types. But it's important to realize that PHP doesn't actually verify the MIME type reported in the file's superglobal array. It takes the browser's word for it. So the MIME type can be spoofed and sometimes, browsers don't report what you actually expect. That WebP file worked fine in Chrome, but it wouldn't work in other browsers. An alternative approach is to allow all file types to be uploaded but to accord special treatment to those with filename extensions that could be risky.
And we'll look at that approach a little later in this chapter.
There are currently no FAQs about Uploading Files Securely with PHP.
Access exercise files from a button right under the course name.
Search within course videos and transcripts, and jump right to the results.
Remove icons showing you already watched videos if you want to start over.
Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.
Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.