Viewers: in countries Watching now:
The basic process of uploading files with PHP is very simple, but there are security implications that many people are unaware of. This course shows how to create a secure custom PHP class that can handle both single-file and multi-file uploads. Author David Powers shows you how to create a file upload class that checks the size, type, and names of files, renaming them when it encounters a duplicate file name. He'll show you how to make the class report on the outcome of the upload process and the nature of any errors that occur, and how to prevent the user from uploading files that exceed the server limits.
At the end of this course, you'll have a robust, flexible class that can be incorporated into many projects (including web forms) with just a few lines of code.
As it stands, the UploadFile class restricts uploads to specific MIME types. You could of course, expand the permittedTypes array but there are hundreds of MIME types registered. A practical alternative is to allowAllTypes but to append a suffix to the filename of types that might pose a risk. So let's begin by creating some new class properties. They'll all be protected and they'll all go at the top of the class definition. So protected, and the first one will be typeCheckingOn, and we'll set this to default true.
So that means the default of the class will be to check the MIME types. Next, we need a list of potentially risky file name extensions. We'll call that notTrusted and I'm just going to paste in here a list of potentially risky file name extensions. You can find a copy of that list in a text file in the exercise files for this video. And then we'll have a default suffix and we'll set that by default to .upload.
Notice that I put a leading dot on the default suffix. But the list of extensions, don't begin with leading dots. The reason for that is that the PHP function that will be used later to detect the file name extension, strips off the leading dot. Next, we need to create a public method to turn off type checking. And although we've created a default suffix, we'll give users the option to set a custom suffix. So let's just scroll down.
And the new method will need to be called before we call upload, so we'll put the new definition in here. And we'll call it allowAllTypes, and it'll take an argument called suffix. But suffix will be set by default to null, which means that it becomes an optional argument. The first thing that this method needs to do is to turn off typeChecking, so we've got the typeCheckingOn property.
That needs to be made false. Then we need to check the suffix if one has been supplied as an argument to allowAllTypes. So, if the suffix is not null, we need to check it. So, if not is null, we're looking for suffix. We need to check whether it begins with a leading dot. So we can use the string pos function for that. So, if strpos, and we're looking at the suffix. This has been supplied as an argument. And what we're looking for is a dot.
And then we need three equal signs to make sure that the position is 0. In other words, right at the beginning of a string. If it is, we can simply assign the value of suffix that's being set as an argument to the suffix property. But if it doesn't have a leading dot, we need to add one ourselves. So this suffix equals and then we'll use a double quoted string dot suffix. Now that looks pretty good, but it makes the assumption that files with the extensions listed in the notTrusted property can only be uploaded if a suffix is going to be appended to their file name.
And I think that that's too restrictive. What if only trusted people are uploading files? We need to allow files to be uploaded without a pending suffix. Now, if we make the empty string acceptable as an argument, that will work. So, in this second conditional statement here, we'll add an all and then suffix equals an empty string. So if it's an empty string, that empty string will be added as the suffix, in other words there will be no suffix added to the file name.
So, the allowAllTypes method looks fine, we now need to prevent the checkType method from being called; if typeCheckingOn is turned to false. So, let's go down to the checkFile method. And here in the checkFile method, we're using checkType. So what we need to do is to run that only if typeCheckingOn is true. So, if this typeCheckingOn and then we need to move this across a little bit.
So we'll shift right, and then put in our closing curly brace. So, we'll only check the type if typeChecking is on. So what we can do now, is to save our class definition. And go to form.php. And if we want to use allowAllTypes, we need to call it before we call the upload method. So let's put it after set max size, we need upload object, and then allowAllTypes, we won't add a suffix because we can't test that at the moment.
The next stage is to append the suffix to files with extensions listed in the notTrusted array.
There are currently no FAQs about Uploading Files Securely with PHP.
Access exercise files from a button right under the course name.
Search within course videos and transcripts, and jump right to the results.
Remove icons showing you already watched videos if you want to start over.
Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.
Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.