Easy-to-follow video tutorials help you learn software, creative, and business skills.Become a member

Restricting acceptable file-name extensions

From: Uploading Files Securely with PHP

Video: Restricting acceptable file-name extensions

As it stands, the UploadFile class restricts uploads to specific MIME types. We'll call that notTrusted and I'm just going to paste And we'll call it allowAllTypes, and it'll take an argument called suffix.

Restricting acceptable file-name extensions

As it stands, the UploadFile class restricts uploads to specific MIME types. You could of course, expand the permittedTypes array but there are hundreds of MIME types registered. A practical alternative is to allowAllTypes but to append a suffix to the filename of types that might pose a risk. So let's begin by creating some new class properties. They'll all be protected and they'll all go at the top of the class definition. So protected, and the first one will be typeCheckingOn, and we'll set this to default true.

So that means the default of the class will be to check the MIME types. Next, we need a list of potentially risky file name extensions. We'll call that notTrusted and I'm just going to paste in here a list of potentially risky file name extensions. You can find a copy of that list in a text file in the exercise files for this video. And then we'll have a default suffix and we'll set that by default to .upload.

Notice that I put a leading dot on the default suffix. But the list of extensions, don't begin with leading dots. The reason for that is that the PHP function that will be used later to detect the file name extension, strips off the leading dot. Next, we need to create a public method to turn off type checking. And although we've created a default suffix, we'll give users the option to set a custom suffix. So let's just scroll down.

And the new method will need to be called before we call upload, so we'll put the new definition in here. And we'll call it allowAllTypes, and it'll take an argument called suffix. But suffix will be set by default to null, which means that it becomes an optional argument. The first thing that this method needs to do is to turn off typeChecking, so we've got the typeCheckingOn property.

That needs to be made false. Then we need to check the suffix if one has been supplied as an argument to allowAllTypes. So, if the suffix is not null, we need to check it. So, if not is null, we're looking for suffix. We need to check whether it begins with a leading dot. So we can use the string pos function for that. So, if strpos, and we're looking at the suffix. This has been supplied as an argument. And what we're looking for is a dot.

And then we need three equal signs to make sure that the position is 0. In other words, right at the beginning of a string. If it is, we can simply assign the value of suffix that's being set as an argument to the suffix property. But if it doesn't have a leading dot, we need to add one ourselves. So this suffix equals and then we'll use a double quoted string dot suffix. Now that looks pretty good, but it makes the assumption that files with the extensions listed in the notTrusted property can only be uploaded if a suffix is going to be appended to their file name.

And I think that that's too restrictive. What if only trusted people are uploading files? We need to allow files to be uploaded without a pending suffix. Now, if we make the empty string acceptable as an argument, that will work. So, in this second conditional statement here, we'll add an all and then suffix equals an empty string. So if it's an empty string, that empty string will be added as the suffix, in other words there will be no suffix added to the file name.

So, the allowAllTypes method looks fine, we now need to prevent the checkType method from being called; if typeCheckingOn is turned to false. So, let's go down to the checkFile method. And here in the checkFile method, we're using checkType. So what we need to do is to run that only if typeCheckingOn is true. So, if this typeCheckingOn and then we need to move this across a little bit.

So we'll shift right, and then put in our closing curly brace. So, we'll only check the type if typeChecking is on. So what we can do now, is to save our class definition. And go to form.php. And if we want to use allowAllTypes, we need to call it before we call the upload method. So let's put it after set max size, we need upload object, and then allowAllTypes, we won't add a suffix because we can't test that at the moment.

So we need to save that, and then if we test it in a browser and if we select a type that wasn't accepted before, this word document. And it's now been uploaded successfully and renamed ever_levels.docx, so that's working fine. Let's try it with a JavaScript file. So that's working, and just make sure that our images are still being uploaded correctly. That's also working. So the UploadFile object now accepts all types of files.

The next stage is to append the suffix to files with extensions listed in the notTrusted array.

Show transcript

This video is part of

Image for Uploading Files Securely with PHP
Uploading Files Securely with PHP

33 video lessons · 2245 viewers

David Powers
Author

 
Expand all | Collapse all
  1. 4m 49s
    1. Welcome
      57s
    2. What you should know before watching this course
      2m 0s
    3. Using the exercise files
      1m 52s
  2. 33m 2s
    1. How PHP handles file uploads
      6m 16s
    2. Examining the $_FILES array
      5m 8s
    3. Setting the maximum file size
      5m 36s
    4. Preparing the upload folder
      3m 18s
    5. Moving the file to its destination
      6m 51s
    6. Limitations on file uploads
      5m 53s
  3. 47m 3s
    1. Planning the class's features
      3m 15s
    2. Creating and using a namespaced class
      5m 25s
    3. Creating the class constructor
      7m 26s
    4. Getting a reference to the uploaded file
      5m 9s
    5. Checking the error level
      5m 7s
    6. Displaying errors and other messages
      4m 51s
    7. Setting and checking the maximum file size
      7m 19s
    8. Strengthening the setMaxSize() method
      8m 31s
  4. 35m 30s
    1. Restricting acceptable MIME types
      5m 27s
    2. Removing spaces from file names
      5m 21s
    3. Restricting acceptable file-name extensions
      6m 10s
    4. Neutralizing potentially dangerous uploads
      5m 54s
    5. Renaming files with duplicate names
      7m 58s
    6. Moving the file to its destination
      4m 40s
  5. 10m 25s
    1. Understanding how the $_FILES array handles multiple files
      4m 42s
    2. Adapting the class to handle both single and multiple uploads
      5m 43s
  6. 38m 15s
    1. Overview of the UploadFile class
      5m 9s
    2. Setting up to use the class
      4m 11s
    3. Using the class
      8m 12s
    4. Reporting errors with multiple uploads
      4m 0s
    5. Displaying the server limits
      4m 51s
    6. Alerting the user about exceeding the server limits
      6m 14s
    7. Changing the class's defaults
      5m 38s
  7. 1m 38s
    1. Goodbye
      1m 38s

Start learning today

Get unlimited access to all courses for just $25/month.

Become a member
Sometimes @lynda teaches me how to use a program and sometimes Lynda.com changes my life forever. @JosefShutter
@lynda lynda.com is an absolute life saver when it comes to learning todays software. Definitely recommend it! #higherlearning @Michael_Caraway
@lynda The best thing online! Your database of courses is great! To the mark and very helpful. Thanks! @ru22more
Got to create something yesterday I never thought I could do. #thanks @lynda @Ngventurella
I really do love @lynda as a learning platform. Never stop learning and developing, it’s probably our greatest gift as a species! @soundslikedavid
@lynda just subscribed to lynda.com all I can say its brilliant join now trust me @ButchSamurai
@lynda is an awesome resource. The membership is priceless if you take advantage of it. @diabetic_techie
One of the best decision I made this year. Buy a 1yr subscription to @lynda @cybercaptive
guys lynda.com (@lynda) is the best. So far I’ve learned Java, principles of OO programming, and now learning about MS project @lucasmitchell
Signed back up to @lynda dot com. I’ve missed it!! Proper geeking out right now! #timetolearn #geek @JayGodbold
Share a link to this course

What are exercise files?

Exercise files are the same files the author uses in the course. Save time by downloading the author's files instead of setting up your own files, and learn by following along with the instructor.

Can I take this course without the exercise files?

Yes! If you decide you would like the exercise files later, you can upgrade to a premium account any time.

Become a member Download sample files See plans and pricing

Please wait... please wait ...
Upgrade to get access to exercise files.

Exercise files video

How to use exercise files.

Learn by watching, listening, and doing, Exercise files are the same files the author uses in the course, so you can download them and follow along Premium memberships include access to all exercise files in the library.


Exercise files

Exercise files video

How to use exercise files.

For additional information on downloading and using exercise files, watch our instructional video or read the instructions in the FAQ.

This course includes free exercise files, so you can practice while you watch the course. To access all the exercise files in our library, become a Premium Member.

Are you sure you want to mark all the videos in this course as unwatched?

This will not affect your course history, your reports, or your certificates of completion for this course.


Mark all as unwatched Cancel

Congratulations

You have completed Uploading Files Securely with PHP.

Return to your organization's learning portal to continue training, or close this page.


OK
Become a member to add this course to a playlist

Join today and get unlimited access to the entire library of video courses—and create as many playlists as you like.

Get started

Already a member?

Become a member to like this course.

Join today and get unlimited access to the entire library of video courses.

Get started

Already a member?

Exercise files

Learn by watching, listening, and doing! Exercise files are the same files the author uses in the course, so you can download them and follow along. Exercise files are available with all Premium memberships. Learn more

Get started

Already a Premium member?

Exercise files video

How to use exercise files.

Ask a question

Thanks for contacting us.
You’ll hear from our Customer Service team within 24 hours.

Please enter the text shown below:

The classic layout automatically defaults to the latest Flash Player.

To choose a different player, hold the cursor over your name at the top right of any lynda.com page and choose Site preferencesfrom the dropdown menu.

Continue to classic layout Stay on new layout
Exercise files

Access exercise files from a button right under the course name.

Mark videos as unwatched

Remove icons showing you already watched videos if you want to start over.

Control your viewing experience

Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.

Interactive transcripts

Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.

Are you sure you want to delete this note?

No

Your file was successfully uploaded.

Thanks for signing up.

We’ll send you a confirmation email shortly.


Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

   
submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.