Prev: hash problem.
Next: [site is acting strange] - blank pages, downloadindex.php, or works fine
From: Don Wieland on 29 Jul 2010 12:50
I am trying to create an UPLOAD form and need to figure a way to only
allow PDF files to be selected. Something like:

<html>
<body>
<form enctype="multipart/form-data" action="upload.php" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="1000000"
accept="application/pdf" />
Choose a file to upload: <input name="uploaded_file" type="file" />
<input type="submit" value="Upload" />
</form>
</body>
</html>

It is documented online that I can pass a parameter ACCEPT="applaction/
pdf", BUT it is not recognized in most browsers.

It was suggested by someone that I could trap for this using a
JAVASCRIPT. Can someone assist with a snippet of javascript code to
trap for this for me? This is the end result I need:

If the user selects a file that IS NOT a PDF file, display an
javascript alert "You can only upload PDF files. Please try again."

If the user selects a PDF file greater than 1MB, display an javascript
alert "File uploads may not exceed 1M in file size. Please try again."

I appreciate any help that can be offered. Thanks in advanced!

Don Wieland
From: Ashley Sheridan on 29 Jul 2010 12:55
On Thu, 2010-07-29 at 09:50 -0700, Don Wieland wrote:

> I am trying to create an UPLOAD form and need to figure a way to only
> allow PDF files to be selected. Something like:
>
> <html>
> <body>
> <form enctype="multipart/form-data" action="upload.php" method="post">
> <input type="hidden" name="MAX_FILE_SIZE" value="1000000"
> accept="application/pdf" />
> Choose a file to upload: <input name="uploaded_file" type="file" />
> <input type="submit" value="Upload" />
> </form>
> </body>
> </html>
>
> It is documented online that I can pass a parameter ACCEPT="applaction/
> pdf", BUT it is not recognized in most browsers.
>
> It was suggested by someone that I could trap for this using a
> JAVASCRIPT. Can someone assist with a snippet of javascript code to
> trap for this for me? This is the end result I need:
>
> If the user selects a file that IS NOT a PDF file, display an
> javascript alert "You can only upload PDF files. Please try again."
>
> If the user selects a PDF file greater than 1MB, display an javascript
> alert "File uploads may not exceed 1M in file size. Please try again."
>
> I appreciate any help that can be offered. Thanks in advanced!
>
> Don Wieland
>


Perhaps asking on a Javascript list might be better for this particular
question, as this is a PHP list... ;)

Thanks,
Ash
http://www.ashleysheridan.co.uk


From: Joshua Kehn on 29 Jul 2010 13:25

On Jul 29, 2010, at 12:50 PM, Don Wieland wrote:

> I am trying to create an UPLOAD form and need to figure a way to only allow PDF files to be selected. Something like:
>
> <html>
> <body>
> <form enctype="multipart/form-data" action="upload.php" method="post">
> <input type="hidden" name="MAX_FILE_SIZE" value="1000000" accept="application/pdf" />
> Choose a file to upload: <input name="uploaded_file" type="file" />
> <input type="submit" value="Upload" />
> </form>
> </body>
> </html>
>
> It is documented online that I can pass a parameter ACCEPT="applaction/pdf", BUT it is not recognized in most browsers.
>
> It was suggested by someone that I could trap for this using a JAVASCRIPT. Can someone assist with a snippet of javascript code to trap for this for me? This is the end result I need:
>
> If the user selects a file that IS NOT a PDF file, display an javascript alert "You can only upload PDF files. Please try again."
>
> If the user selects a PDF file greater than 1MB, display an javascript alert "File uploads may not exceed 1M in file size. Please try again."
>
> I appreciate any help that can be offered. Thanks in advanced!
>
> Don Wieland
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Don-

Remember that anything submitted by the client can be spoofed or faked. Ensure that your PHP script accounts for Javascript being disabled.

Past that, I'm sure you can get results from somewhere like Stackoverflow.com instead of a PHP mailing list.

Thanks,

-Josh
From: tedd on 29 Jul 2010 14:10
At 9:50 AM -0700 7/29/10, Don Wieland wrote:
>I am trying to create an UPLOAD form and need to figure a way to
>only allow PDF files to be selected.

The short answer is you can't -- not from php. You can create a
standard form and upload it from there, but you don't have control
over file type.

So you can't stop people from uploading anything to your site via the
form, but you can look at the document once it's there and inspect
it. Using a HEX Editor, I see that most pdf file have the first four
bytes as "%PDF" so you might check that before moving the file to
somewhere important. But that doesn't stop spoofing.

Other than that, I can't see any way to do it.

Cheers,

tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
From: Pete Ford on 30 Jul 2010 04:26
On 29/07/10 19:10, tedd wrote:
> At 9:50 AM -0700 7/29/10, Don Wieland wrote:
>> I am trying to create an UPLOAD form and need to figure a way to only
>> allow PDF files to be selected.
>
> The short answer is you can't -- not from php. You can create a standard
> form and upload it from there, but you don't have control over file type.
>
> So you can't stop people from uploading anything to your site via the
> form, but you can look at the document once it's there and inspect it.
> Using a HEX Editor, I see that most pdf file have the first four bytes
> as "%PDF" so you might check that before moving the file to somewhere
> important. But that doesn't stop spoofing.
>
> Other than that, I can't see any way to do it.
>
> Cheers,
>
> tedd

Second what tedd says, with a bit more: on a Linux backend system I run uploaded
files through the 'file' command with a decent magic file to detect the file
type. I also run every upload through a virus scanner (clamscan, for example)
before I accept it.
If your PHP backend is windows then you might need to do some research to find a
good file-type detection routine, although the virus scanning should be possible.

You certainly cannot trust the client side to do any checking. In any case,
JavaScript doesn't (shouldn't) have access to the file you are trying to upload,
so there's not much you can do there. You might achieve something client-side
with Flash, or a Java uploader applet, I suppose.

Cheers
Pete

--
Peter Ford, Developer phone: 01580 893333 fax: 01580 893399
Justcroft International Ltd. www.justcroft.com
Justcroft House, High Street, Staplehurst, Kent TN12 0AH United Kingdom
Registered in England and Wales: 2297906
Registered office: Stag Gates House, 63/64 The Avenue, Southampton SO17 1XS
 |  Next  |  Last
Pages: 1 2
Prev: hash problem.
Next: [site is acting strange] - blank pages, downloadindex.php, or works fine