Upload Library - How to set allowed_types to any extension except .php?
Hello, I am using CodeIgniter to build a file uploading website. Currently I have set,
Code: $config["allowed_types"] = "*";
When I upload a file, it uploads successfully. But when I upload a .php file, it also uploads successfully, which is dangerous for my website. So I need a way to restrict any file with a .php extension. How can I accomplish this?
Hi, I'm afraid there is no built-in support for blocking file extension(s). You will need to check the file extension yourself before you use do_upload() or only whitelist what you want.
(07-16-2020, 12:54 AM)jreklund Wrote: Hi, I'm afraid there is no built-in support for blocking file extension(s). You will need to check the file extension yourself before you use do_upload() or only whitelist what you want.
Thank you very much for your help. If there were a not operator for file extensions like ^(php), then I could use it like this,
PHP Code: $config["allowed_types"] = "*|^(php)";
How can I suggest that CodeIgniter take this into their roadmap? Also, how can I check file extensions before uploading?
If there isn't a feature request already for this (haven't checked), you can create one here:
https://github.com/bcit-ci/CodeIgniter/issues
This is CodeIgniter 3, right? You need to manually check your $_POST array for your uploaded file, and see what kind of name it was uploaded as. Just so you know, that means they can upload a .php file as .txt, and rename it to .php if you provide that kind of tool as well. So it may not be as secure as you may think.
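One way to do the pre-check described above, as an added example (not code from the thread or from CodeIgniter): it reads the client-supplied name from `$_FILES` and rejects PHP-executable extensions before `do_upload()` is called. The deny list, the `Files` controller, the `userfile` field name and the `./uploads/` path are assumptions.

```php
<?php
// Added example, not CodeIgniter's own code. The deny list is an assumption:
// extend it to every extension your web server hands to the PHP interpreter.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'pht', 'phar', 'phps'];

// True when any dot-separated segment after the base name is on the deny list,
// so "Shell.PHP", "notes.php.txt" and "a.phtml." are all caught.
function upload_name_is_blocked(string $clientName, array $blocked = BLOCKED_EXTENSIONS): bool
{
    // Keep the last path component only; drop NUL bytes and trailing dots/spaces.
    $name = basename(str_replace(["\0", '\\'], ['', '/'], $clientName));
    $segments = explode('.', strtolower(rtrim($name, ". \t")));
    array_shift($segments); // the first segment is the base name, not an extension
    foreach ($segments as $segment) {
        if (in_array(trim($segment), $blocked, true)) {
            return true;
        }
    }
    return false;
}

if (class_exists('CI_Controller')) {
    // Hypothetical CodeIgniter 3 controller; 'userfile' and './uploads/' are assumptions.
    class Files extends CI_Controller
    {
        public function upload()
        {
            $clientName = $_FILES['userfile']['name'] ?? '';
            if (!is_string($clientName) || $clientName === '' || upload_name_is_blocked($clientName)) {
                show_error('This file type is not allowed.', 400);
            }
            $this->load->library('upload', [
                'upload_path'   => './uploads/',
                'allowed_types' => '*',
                'encrypt_name'  => TRUE, // store under a random name, original extension kept
            ]);
            if (!$this->upload->do_upload('userfile')) {
                show_error($this->upload->display_errors('', ''), 400);
            }
            echo 'Stored as ' . html_escape($this->upload->data('file_name'));
        }
    }
} elseif (PHP_SAPI === 'cli') {
    // Constructed sample names, for running this file on its own.
    foreach (['photo.jpg', 'shell.php', 'Shell.PHP', 'notes.php.txt', 'a.phtml.', 'archive.tar.gz'] as $n) {
        printf("%-16s %s\n", $n, upload_name_is_blocked($n) ? 'blocked' : 'allowed');
    }
}
```

A deny list only narrows the risk; keeping the upload directory somewhere the web server does not execute scripts covers names the list misses.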
(07-16-2020, 01:55 AM)jreklund Wrote: If there isn't a feature request already for this (haven't checked), you can create one here:
Thanks. But my application doesn't have any option to rename files.