I want to make a file upload form.
But my confusion is that when i put file element in html its allow all types of files to select.
I want that browse button will only allow the images to select from the file system.
Actually it should display only images of the file system.
Thanks in advance.
Attribute "accept" with list of MIME types, does not supported by any browser.
<input type="file" accept="image/gif, image/jpeg" />
You can sort out file extension with JS, or try http://swfupload.org/
Uploadify will work for you. It allows you to specify which file types are visible for the user to choose. It can also allow the user to upload multiple files at once if you need them to. All files that are uploaded are showed in a queue with progress bars and are removed from the queue when they are finished uploading. I highly recommend it.
Generally speaking, file uploads should be validated server-side as the 'accept' attribute is not fully supported by the major browsers. Example below:
$accept = array('jpg','png','gif','bmp');
$extension = substr($_FILES['file']['name'],strrpos($_FILES['file']['name'],'.')+1);
if(!in_array($extension,$accept)){
// If the extension is not allowed show an error, else, the file type is valid
echo 'Not a valid file extension';
}
Related
I have an application which uploads data from a csv file and this is working fine. It would be useful, but not essential, if I could limit the dialog window to only show csv files, and if possible a file template say 'abc*.csv'.
The attached image shows an example of a dialog box which will only allow files that start with abc*.csv
Example of csv image dialog box
Thanks
Harry
It depends on how you're handling the uploads.
You can either use plain HTML to filter the .csv extension or handle it using PHP, or both.
Using HTML:
<input type="file" name="upload" accept=".csv">
Using PHP:
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if( $ext !== 'csv' ) {
echo 'Invalid extension.';
}
Note that this only verifies the extension and not the actual filetype.
Also the accept attribute of the <input type="file"> does indeed provider a filter in the file select dialog.
I'm trying to build a simple image uploader using PHP. I do know how to code it, however I have a few concerns..
My question I had is the following: Is saving files which users send safe to save as the original file? With this I mean: Will I not get any vulnerabilities when I'm saving a file send by an user?
Let's say my PHP script does this: It retrieves the POST data, which includes a file send by a person on my website. Is it save to just move the file over to a directory, with original name, content, etcetera? Is there any harm in doing this, or should I rename these files to a random string?
If this isn't a safe way to do this, then what is? How would I verify the send content isn't harmful?
There are always vulnerabilities in storing and providing content provided by a client.
This blog post gives a good description of the vulnerabilities you could face, how they're exploited and how to protect against them. I suggest you use this as a reference: http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/
Make sure you only process files with the correct ending. Image files are never executed by a webserver, but .php files are for example. So make sure the users don't upload any file that can be executed.
I'm not aware of file names that are harmful. For the content this is difficult to answer. I remember an attack vector with modified TIFF images on windows and one in libjpeg on *nix Systems. However you probably won't be able to find these things without completely decoding the image.
Here's another approach: use this (https://hacks.mozilla.org/2011/03/the-shortest-image-uploader-ever/) very short Image Uploader, by Paul Rouget, based on Imgur.com's API.
Instead of uploading directly to your database, let imgur do all the security and validation, then if you need to, link to or download the (safe) image via Imgur.
It's free for non-commercial and very cheap for commercial.
Basically, you can use imgur's API to safely upload images from your HTML page, with no server side code at all
Here's a live demo: (http://paulrouget.com/miniuploader/)
I would say 100% user upload file are NOT 100% SAFE
JPEG files can contain arbitrary data in them in addition to the actual image data; it's part of the spec. Thus, merely checking if an image is a valid JPEG does not mean that the file is necessarily completely harmless.
File upload without validation
HTML Form:
<form enctype="multipart/form-data" action="uploader.php" method="POST"> <input type="hidden" name="MAX_FILE_SIZE" value="100000" /> Choose a file to upload: <input name="uploadedfile" type="file" /><br /> <input type="submit" value="Upload File" /> </form>
PHP Code:
<?php
$target_path = "uploads/";
$target_path = $target_path . basename($_FILES['uploadedfile']['name']);
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file " . basename($_FILES['uploadedfile']['name']) . " has been uploaded";
} else {
echo "There was an error uploading the file, please try again!";
}
?>
Define a .htaccess file that will only allow access to files with
allowed extensions.
Do not place the .htaccess file in the same directory where the
uploaded files will be stored. It should be placed in the parent
directory.
A typical .htaccess which allows only gif, jpg, jpeg and png files
should include the following (adapt it for your own need). This will
also prevent double extension attacks.
deny from all
<Files ~ “^w+.(gif|jpe?g|png)$”>
order deny,allow
allow from all
</Files>
If possible, upload the files in a directory outside the server root.
Prevent overwriting of existing files (to prevent the .htaccess
overwrite attack).
Create a list of accepted mime-types (map extensions from these mime types).
Generate a random file name and add the previously generated extension.
Don’t rely on client-side validation only, since it is not enough. Ideally one should have both server-side and client-side validation implemented.
php
<a href="<?php echo $path_data['wall_path'];?>">
<?php echo $dimensions_data['width'] . "x" . $dimensions_data['height']; ?></a>
which outputs
<li>640x960</li>
<li>640x1136</li>
<li>720x1280</li>
<li>768x1280</li>
<li>1080x1920</li>
Now what I need to do is when the user clicks any one of the sizes, I want to prompt a save file dialog box containing the appropriate size file. I've read Forcing to download a file using PHP and PHP Force File Download, but based on my understanding, these are for single file downloads. Please correct me if not.
Restrictions:
don't want to forward to another page like download.php file when user clicks a link.
Normally a browser would not show a download dialog for an image, it will display the image instead, what is the desired behaviour. You can then click "Save As ..." and save the image.
What the browser does with a files depends on the mime type which the web server sends for that file. For jpg images it would be
image/jpeg
If you really want to trick the browser to show a save dialog you need to send a different mime type for that files, like:
application/octet-stream
This can be done using a download.php file (or whatever) which modifies the header and outputs the file. The existence of such a download.php can be hided from the user using rewritten urls.
If you don't want that, you need to tell the web server that it should send a different mime type for that files. If you run apache for example, you can add the following line to your .htaccess file:
AddType application/octet-stream .jpg
I'm trying to create a large, multi-page, PHP web application for work where a client enters information and receives output (think tax software). However, I can't seem to figure out how to require that a file is uploaded by the client. By files, I mean mostly PDF, txt, JPEG, etc.
There are several file upload fields that must be uploaded for the output to contain all of the necessary information to work, and several other file upload fields that are optional.
I would like to do this in PHP if possible, since as I understand it, Javascript could be turned off and that would stop the validation.
On the PHP file that processes the form you'd want to use something like this:
if (isset ($_FILES['myfile']['tmp_name']) && !empty ($_FILES['myfile']['tmp_name'])) {
// process file upload
} else {
echo 'You must upload a file in the "myfile" field to proceed!';
}
This would be in addition to other proper form validation techniques of course.
if(!isset($_FILES["fileinputname"][]))
{
die("Upload files, you must.");
}
You should check out this article
also, for html validation, you can use this.
(Most people don't like it, it's personal preference for many people)
may work, but html validation can be bypassed. IE and Safari don't support it.
http://www.w3schools.com/html5/att_input_required.asp
First of all, you shouldn't validate your forms with JavaScript only, a server-side validation should always be done.
Regarding your question, when you upload a file with PHP, you have its information in the $_FILES array. You will need to look there to know if a file has been uploaded or if it is in the right format, etc.
Is there any way for a php script to choose the name for a file after it's been uploaded by the user using an HTML form? I am wanting to allow users to upload an avatar for their account and would like it named with their userid instead of whatever the name of it is on their computer. I'm using a basic HTML upload form which only allows jpegs and png files with a 10MB file limit, similar to the file upload code give on http://www.w3schools.com/php/php_file_upload.asp Any help you can give will be greatly appreciated.
Put the desired filename in the second argument of move_uploaded_file().
You can specify the filename when using move_uploaded_file(), otherwise you can rename() the file.
$userid = 5; // say you fetch it from database
$ext = explode("\/",$_FILES["file"]["type"]); //extract the file extension
move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$userid.$ext[1]);
UPDATE:
I think you don't need to extract file extension.
move_uploaded_file($_FILES["file"]["tmp_name"], "upload/".$userid);