-2

OK, so this is my script for uploading files:

$target = "cloud/";
$target = $target . basename($_FILES['uploaded']['name']);
$ok = 1;
if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
    echo "The file " . basename($_FILES['uploaded']['name']) . " has been uploaded";
    mysql_query("INSERT INTO data (`id`,`title`,`url`,`display`) VALUES ('NULL','". basename( $_FILES['uploaded']['name']). "','http://test.info/". basename( $_FILES['uploaded']['name']). "','1');");
}
else {
    echo "error";
}

What should I add to allow only extensions like .html, .php, .cpp and so on?

user2444990
  • @jprofitt: I wouldn't rely on $_FILE['image']['type'], as this value is sent by the browser and an attacker can forge it. – Amal Murali Jun 30 '13 at 16:15
  • @AmalMurali Here are [several](http://stackoverflow.com/questions/12864171/only-allow-jpg-and-png-files-only?lq=1) [other](http://stackoverflow.com/questions/10070465/php-allowable-uploaded-file-extension?lq=1) [questions](http://stackoverflow.com/questions/10456113/php-check-file-extension-in-upload-form?rq=1) with the answer to this on here that may be better suited. – jprofitt Jun 30 '13 at 16:38
  • @jprofitt: They use exif_imagetype (which is only for images) and the OP wants to check extensions like html, php etc. – Amal Murali Jun 30 '13 at 16:54

1 Answer

1

You can do something like this:

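// Extension taken from the client-supplied filename, lowercased for comparison
$file_ext = strtolower(pathinfo($_FILES['uploaded']['name'], PATHINFO_EXTENSION));
// Extensions that are allowed
$extensions = ['html', 'php', 'cpp' /* , ... */];
if (in_array($file_ext, $extensions))
{
    //do whatever
}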

I hope this helps.

Amal Murali
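
An added example, not part of the original answer: the extension allowlist from the answer wired into the upload handler, ignoring the browser-supplied type (as the comments note, it can be forged) and storing the file under a server-generated name. The names `ALLOWED_EXTENSIONS`, `validate_upload_name()` and `store_upload()` are hypothetical, and `$targetDir` is assumed to be a directory the web server does not execute scripts from.

```php
<?php
// Added example: extension allowlist for the upload handler discussed above.
// ALLOWED_EXTENSIONS, validate_upload_name() and store_upload() are hypothetical names.

const ALLOWED_EXTENSIONS = ['html', 'php', 'cpp'];

// Return the lowercased extension if the client-supplied name passes the
// allowlist, or null if the upload must be rejected.
function validate_upload_name(string $clientName): ?string
{
    // basename() strips directory components such as "../" from the name.
    $name = basename($clientName);
    // Reject empty names and dotfiles such as ".htaccess".
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    // Only the last extension counts, so "shell.php.jpg" is treated as "jpg".
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    // Strict comparison; a name with no extension yields '' and is rejected.
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : null;
}

// $file is one entry of $_FILES. Returns the stored file name, or null on failure.
// Assumption: $targetDir is not a location where the server runs scripts.
function store_upload(array $file, string $targetDir): ?string
{
    // $file['type'] is never consulted: the browser sends it, so it proves nothing.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = validate_upload_name((string) $file['name']);
    if ($ext === null) {
        return null;
    }
    // Server-generated name: the client's name never reaches the filesystem.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($targetDir, '/') . '/' . $stored;
    return move_uploaded_file($file['tmp_name'], $dest) ? $stored : null;
}

// Constructed sample names showing which inputs pass the check.
foreach (['main.cpp', 'INDEX.HTML', 'shell.php.jpg', 'notes', '.htaccess', '../x.php'] as $n) {
    printf("%-14s => %s\n", $n, validate_upload_name($n) ?? 'rejected');
}
```

In the handler this would be called as `store_upload($_FILES['uploaded'], $dir)`, with the returned name (not the client's) being the value written to the database.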