[TYPO3] PHP help ! does this code look like it would check a file extensions, and disallow php files or exe files to be attached

dave typo typothree at gmail.com
Thu Jun 14 16:09:38 CEST 2007


Great, sounds good... I tried your initial code (the one that lists types
that aren't included), but it didn't work... the exe file that I uploaded
was still attached.

Check it out:


$filetest = t3lib_div::_POST('file_name');
$disallowed = array(
    'application/exe',
    'application/x-msdos-program',
    'application/x-dosexec',
    'application/x-exe'
);

if (in_array(filetype(t3lib_div::_POST('file_name'), $disallowed))) {
    echo "this doesn't work";
} elseif (!$filetest) {
    $filelinks = $this->storeFile();
} else {
    $filelinks = $filetest;
}

Any suggestions as to why it didn't work?

Should I drop in a

$status .= "<p>" . $this->pi_getL('no_file') . "</p>"

instead of the echo, and then make no_file relate to the template?

Or what do you think?

On 6/14/07, Rens Admiraal <typo3 at ambitiondesign.nl> wrote:
>
> Hi Dave,
>
> The code below is correct... If you want the right mime types you can
> search google...
>
> examples:
>
> png: image/png
> jpg: image/jpg & image/jpeg
> gif: image/gif
>
>
>
>
> On 14 Jun 2007, at 15:32, dave typo wrote:
>
> > could you give me an example of the code, ries? I assume something
> > like
> >
> >
> > <?php
> >        $allowed = array(
> >                'file/pdf',
> >                'file/doc',
> >                'file/xls',
> >                'file/ppt'
> >        );
> >
> >        if (in_array(filetype(t3lib_div::_POST('filename')), $allowed)) {
> >                $filelinks = $this->storeFile();
> >        } else {
> >                echo "this is not an allowed file";
> >        }
> >
> > ?>
> > is the file/ppt file/doc correct syntax?
> >
> > -dave
> >
> > On 6/14/07, ries van Twisk <typo3 at rvt.dds.nl> wrote:
> >>
> >> I would do it the other way around,
> >>
> >> allow only the files you can allow and want to have,
> >> and deny the rest. That is more defensive.
> >>
> >> Ries
> >>
> >> On Jun 14, 2007, at 7:54 AM, Rens Admiraal wrote:
> >>
> >>> Hi Dave,
> >>>
> >>> How does this cover executables named file.crap?
> >>>
> >>> Maybe it's better to read the filetype of a file. In this case you
> >>> could use something like the following:
> >>>
> >>> <?php
> >>>       $disallowed = array(
> >>>               'application/exe',
> >>>               'application/x-msdos-program',
> >>>               'application/x-dosexec',
> >>>               'application/x-exe'
> >>>       );
> >>>
> >>>       if (in_array(filetype(t3lib_div::_POST('filename')), $disallowed)) {
> >>>               echo "mime type doesn't work";
> >>>       } else {
> >>>               // Rest of the code
> >>>       }
> >>> ?>
> >>>
> >>> The mime type array is not complete I think, but in my opinion this
> >>> is a better indication if the filetype is allowed or not.
> >>>
> >>> Hope this helps you out a bit ;-)
> >>>
> >>> Greetz
> >>>
> >>> On 14 Jun 2007, at 14:42, dave typo wrote:
> >>>
> >>>> I'm trying to write PHP that disallows the posting of specific files,
> >>>> namely php files and exe files.
> >>>>
> >>>> If someone could look over this snippet and tell me if it works or not,
> >>>> that would be appreciated.
> >>>>
> >>>> <?php
> >>>>
> >>>> $filelinks = t3lib_div::_POST('file_name'); // the posting of the file name
> >>>>
> >>>> $exttypes = "php3,php,exe"; // list of extensions that shouldn't be used
> >>>> $fileextension = substr($filelinks, 0, strpos($filelinks, ".")); // get the extension after the .
> >>>> if ($fileextension == $exttypes['php']['php3']['exe']) { // if the file extension equals php, php3, or exe
> >>>>     echo "mime type doesn't work"; // if the extension is php, php3, exe, then echo doesn't work
> >>>> }
> >>>> if ($fileextension != $extypes['php']['php3']['exe']) { // if the file extension doesn't equal php, php3, or exe then
> >>>>     // store the file
> >>>>     $filelinks = $this->storeFile();
> >>>> }
> >>>>
> >>>> ?>
> >>>>
> >>>>
> >>>> I'm not a programmer, and I'm very new at PHP, so I'm sure there are
> >>>> errors and stupid logic in my code.
> >>>>
> >>>> It would be greatly appreciated if anyone here could critique and rip
> >>>> apart my code.
> >>>>
> >>>> thank you,
> >>>>
> >>>> -dave
> >>>> _______________________________________________
> >>>> TYPO3-english mailing list
> >>>> TYPO3-english at lists.netfielders.de
> >>>> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-english
>
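
Added example, not part of the thread: PHP's `filetype()` returns the kind of file-system entry ("file", "dir", ...) rather than a MIME type, so the sketch below follows ries's allow-list advice and compares the upload's extension against the type that the fileinfo extension detects from the file's content. The function name `isAllowedUpload`, the allow-list entries and the sample files are assumptions made for the illustration; it needs PHP 7.1+ with fileinfo enabled.

```php
<?php
// Added example (not from the thread). Allow-list: extension => MIME types
// that finfo may report for it. The entries are illustrative assumptions.
const ALLOWED_UPLOADS = [
    'pdf' => ['application/pdf'],
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    'gif' => ['image/gif'],
];

/**
 * Hypothetical helper: decide whether an upload may be stored.
 * $clientName is the file name sent by the browser (untrusted);
 * $path is the server-side copy to inspect, e.g. $_FILES[...]['tmp_name'].
 */
function isAllowedUpload(string $clientName, string $path): bool
{
    // Use only the last extension, lower-cased: "a.PDF" -> "pdf".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_UPLOADS)) {
        return false; // anything not listed is denied
    }
    // Detect the type from the file's content, not from its name or from
    // the Content-Type header supplied by the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    return $mime !== false && in_array($mime, ALLOWED_UPLOADS[$ext], true);
}

// Constructed sample inputs: client file name and leading bytes of the file.
$samples = [
    ['report.pdf',  "%PDF-1.4\n%\xE2\xE3\xCF\xD3\n"],
    ['tool.exe',    "MZ\x90\x00\x03\x00\x00\x00"],
    ['page.php',    "<?php echo 'hi';"],
    ['renamed.pdf', "MZ\x90\x00\x03\x00\x00\x00"], // executable header, .pdf name
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    printf("%-12s %s\n", $name, isAllowedUpload($name, $tmp) ? 'store' : 'reject');
    unlink($tmp);
}
```

The check has to run on the uploaded file itself; a value read from a POST field such as `file_name` is only a string chosen by the client.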

