Ready to watch this entire course?
Become a member and get unlimited access to the entire skills library of over 4,800 courses, including more Developer and personalized recommendations.Start Your Free Trial Now
- View Offline
At the end of this course, you'll have a robust, flexible class that can be incorporated into many projects (including web forms) with just a few lines of code.
- How PHP handles file uploads
- Setting the maximum file size
- Moving the file to its destination
- Creating and using a namespaced class
- Displaying error messages
- Restricting unacceptable MIME types and file extensions
- Using the class
- Reporting errors
- Altering the user
Skill Level Intermediate
The upload file class that we've been building accepts any type of file. This is potentially insecure, particularly if the upload folder is publicly accessible. But you can use the type element of the file's superglobal array to filter uploads and restrict them to specific types. So let's create a class property to store an array of permitted types. So we'll create it here with all the other property definitions. We'll make it protected, and we'll call it permittedTypes, and it needs to be an array.
And I'm just going to paste in here a list of image mime types. You can find that list in the text file in the exercise files for this video. And then we just need to put a semicolon at the end there. By the way, this image/pjpg is what was used by old versions of Internet Explorer for JPEG files. That's why it's been included there. Next we need to create a method to check the file's type. So we'll put that down with our other check methods.
So we need to find checkSize, and we'll put it in after checkSize. It'll be a protected method. I will call it checkType, and we'll pass it file as an argument. This argument that we're passing here will be a reference to the current element in the file's superglobal array. So we can now use a conditional statement to check whether the file type is in the array of permitted types. So if, then we'll use the in_array function, which looks for a needle.
The needle we're looking for is file, and the element is type, and the haystack that we're looking for is that permitted types array, which is a property, so we use this, and then permittedTypes. So if it is one of the permitted types, we're happy, and we can return true. And if it's not one of the permitted types, we need to add a message to the messages array.
So else, then, this messages, will add an array element to it. We need the file name. And then add that message that it's not a permitted type. And of course, if it's not a permitted type, we need to return false. So now that we've defined that method, we need to call it in the checkFile method. So we need to scroll up to, checkFile. Here we are. So after checking the size, we will check type.
So if, and if it's going to return false, we don't want it, so we need to use the negative operator. So if not this, checkType, and then we pass it file. If it doesn't pass muster, we need to return false. So the check file method is now running several checks. It's checking the error code. If it isn't zero, it gets an error message, and returns false.
It checks the size. If it doesn't fall within our limits, it returns false. And if the type isn't one of our permitted types, it also returns false. It only returns true if the file passes muster with all the various checks that we're making. So let's just save that and go back to form.php, where we can test it. Now in the previous video, I changed max to 5,000 kilobytes, which was ridiculous, so we'll change that back to 50.
So this works really well if you want to restrict file uploads to a narrow range of MIME types. But it's important to realize that PHP doesn't actually verify the MIME type reported in the file's superglobal array. It takes the browser's word for it. So the MIME type can be spoofed and sometimes, browsers don't report what you actually expect. That WebP file worked fine in Chrome, but it wouldn't work in other browsers. An alternative approach is to allow all file types to be uploaded but to accord special treatment to those with filename extensions that could be risky.
And we'll look at that approach a little later in this chapter.
Sign up for a Premium Membership to download courses for Internet-free viewing.
Watch offline with your iOS, Android, or desktop app.Start Your Free Trial
After signing up, download the course here or from the iOS/Android App.