8 replies to this topic

[c0de_1]

I made a file upload form , how do i allow only .zip files?


Thanks fellow P2L'ers!

-Joe

[BigDog]

Well, one way is to use the zip files mime type.

if( ($_POST['submit']) && ($_FILE['uploadform']['type'] == 'application/x-zip-compressed') )
{

DO THE UPLOAD

}
else
{
 SAY SOMETHING, does not upload
}

That should be a template you could follow.

[Chaos King]

Or you can just use the Zip library for extra security.

http://www.php.net/zip

[Demonslay]

BigDog, on Mar 17 2007, 11:44 PM, said:

Well, one way is to use the zip files mime type.

if( ($_POST['submit']) && ($_FILE['uploadform']['type'] == 'application/x-zip-compressed') )
{

DO THE UPLOAD

}
else
{
 SAY SOMETHING, does not upload
}

That should be a template you could follow.

That won't necessarily work. Zip files can have different MIME types, as found on a large MIME type list.
http://www.webmaster...ime-types.shtml
(Scroll down to '.zip')

And Chaos King would be right about using the ZIP library (which I honestly didn't know existed ).

[Matthew.]

Could just check the extesion, although it depends how you are going to use it whether that's the best way or not i suppose.

$filename = explode('.', $file);

if(strlower($filename[count($filename)-1]) == 'zip')
{
	//

edit: forgot strlower

Edited by Matthew., 18 March 2007 - 03:22 PM.

[PhpFreak]

$extention = explode(".",$file);
$ext = $extention[count($extention)-1];
if(strtolower($ext)=="zip"){
echo "This is allowed, continue.";
}
else{
echo "Sorry, you uploaded an invalid file.";
}

Edited by PhpFreak, 18 March 2007 - 01:36 PM.

[c0de_1]

BIG DOG, you the man/woman! I've been trying to get this dumb script working forever and that one little bit of code finally made it work.

>> This is why I come to P2L first, cause it rocks any other's sites socks!

Cheers!

[BigDog]

Oh really? I just did that off the top of my head. All the other guys had a better version of it. My version was a simple one.

Glad i helped.

Good luck with everything

[Chaos King]

c0de_1, on Mar 18 2007, 08:13 PM, said:

BIG DOG, you the man/woman! I've been trying to get this dumb script working forever and that one little bit of code finally made it work.

>> This is why I come to P2L first, cause it rocks any other's sites socks!

Cheers!

The snippet might work, but it is no where close to secure. If your script comes across the right person, expect a death wish on your server. Just a warning to let you know.

BigDog, on Mar 18 2007, 10:29 PM, said:

Oh really? I just did that off the top of my head. All the other guys had a better version of it. My version was a simple one.

Glad i helped.

Good luck with everything

Please don't use that method to check the validility of a zip archive. It allows the user to rename even a php script to the .zip extension, and execute it on the web server in certain conditions. I advice you not to repost that snippet as a suggestion or solution anywhere again. But for a quick fix, thats fine enough to let him be on his way.

The zip library, as I posted above is probably the only way to securely validate ZIP archives.
http://www.php.net/zip

I don't want to sound offensive or anything, but it is for the sake of your security on the web.