[PHP] Upload file

[Code.Illusionist]

Hey there, I started learning PHP few days ago, and after understanding all the basics, there is tutorial about uploading files. So, I do understand that a bit, I do understand PHP part, but the part I don't understand is HTML. Here is first HTML part i have:

Code: [Select]

<html>
<body>
<form action="test.php" method="POST" enctype="multipart/form-data">
<label for="file">Filename: </label><br />
<input type="file" name="file" id="file"><br />
<input type="submit" value="submit" name="submit">
</form>
</body></html>So, basicly what I don't understand is this attribute in label : for = "file" AND what for I have id="file" ? I basicly retyped this from w3School.
And PHP part I reedited:

Code: (php) [Select]

<?php
$extension = array('txt');
$catch_extension = end(explode('.',$_FILES['file']['name']));
if ( ($_FILES['file']['type'] == 'text/plain') && in_array($catch_extension,$extension) ) {
if($_FILES['file']['error'] > 0) {
echo "Error: " . $_FILES['file']['error'];
} else {
if (file_exists('upload/' . $_FILES['file']['name'])) {
echo "File with that name allready exists.";
} else {
move_uploaded_file($_FILES['file']['tmp_name'],'upload/' . $_FILES['file']['name']);
echo "You have uploaded file. Good job.";
}
}

} else {
echo "Invalid type of file.";
}?>

[Fur]

The label is just a label. Usually used to identify things to the user. The "for" attribute sort of means "hey, which thing am I identifying to the user?".

The id is like the name of the element. Can be used to identify the element. In this case, it's used to identify which file picker (don't remember the exact name of it) has the file the user wants to upload.
Correct me if I'm wrong, HTML isn't my thing (and I just woke up).


Oh, and best not to use $_FILES['file']['type'] to check the file type. This is sent by the client, therefore it can be spoofed.
Use something like this instead:

Code: (Php) [Select]


$finfo = new finfo(FILEINFO_MIME_TYPE);
$file_contents = file_get_contents($_FILES['file']['tmp_name']);
$mime_type = $finfo->buffer($file_contents);
if (!in_array($mime_type, $allowed_file_types)) {
    die('This type of file cannot be uploaded');
}
It's also easy to spoof the header of a PHP script (simply prepend the script with another header), so disable the php engine with a .htaccess in your upload directory, and make sure the .htaccess cannot be overwritten.

[Code.Illusionist]

I'll need to do small research for function you named  above so I can fully understand what you did there. Otherwise, remembering the functions is just waste of time. Thanks for reply.

[wookie]

If you're looking at uploading images, always best to apply some sort of resampling of the image in case it has been spoofed as PHP code.


Here is a tutorial on resizing images in PHP which you should be able to follow, but you don't really have to resize it if you don't want to, just resample it if you want.  [size=78%]http://net.tutsplus.com/tutorials/php/image-resizing-made-easy-with-php/[/size]


Another thing to remember in SEO terms is that it's best to have a 100px by 100px image that fits in that box rather than put at 300px by 300px image into a 100px by 100px box.  Using PHP to resize images solves that situation if you put some sort of image caching in place on your server.

[BalaHoho]

id!=name But PHP for the name