MyBB Community Forums

Full Version: Handling File Uploads
What's the best/most secure way to handle file uploads?

I'm building a site (with MyBB at its core) that will have file uploads of one certain file type that I don't want stored in the attachments system. I've never done file uploads before. How can I verify the filetype and securely store the file on the server?
You could use something like this in your upload script. It allows you to add file extensions in the ACP that are not allowed to be uploaded.

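// Comma-separated list of blocked extensions, taken from an ACP setting.
$blockedfiletypes = explode(",", $mybb->settings['your_setting_name']);
foreach ($blockedfiletypes as $file)
{
	$file = trim($file);
	if ($file === '')
	{
		continue; // An empty entry would otherwise match every filename.
	}
	// preg_quote() stops characters such as "." in the setting from acting as regex metacharacters.
	if (preg_match("/" . preg_quote($file, "/") . "\$/i", $_FILES['file']['name']))
	{
		// Do whatever you want here, echo an error or something like that.
	}
}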
I found something in the ./inc/functions_upload.php that should serve my purposes.
I was going to suggest looking at functions_upload.php. Using the core MyBB function set is IMO the best (and easiest) way to do things if you're working with MyBB - why re-invent the wheel after all?
I wouldn't say it's re-inventing the wheel. It's just a different method, that also works just as well.
Don't rely on the file type provided by the $_FILES if possible. If you can check the magic number, it's always better to do it.
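The magic-number check suggested above, combined with server-side storage, as an added example that is not part of the original posts and is not MyBB's own code. It assumes the single permitted type is PDF, the form field is named "file", and the storage directory (a hypothetical path) sits outside the web root; it needs the fileinfo extension and PHP 7 or later.

```php
<?php
// Added example, not MyBB code. Assumptions: the one permitted type is PDF,
// the form field is named "file", and STORE_DIR lies outside the web root.
const STORE_DIR = '/var/www/private_uploads'; // hypothetical path
const MAX_BYTES = 5242880;                    // 5 MiB, arbitrary limit

/**
 * Returns true if the file's content looks like a PDF, ignoring the
 * client-supplied filename and $_FILES[...]['type'].
 */
function looks_like_pdf(string $path): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 5);
    fclose($fh);
    if ($head !== '%PDF-') {          // PDF magic number
        return false;
    }
    // Second opinion from libmagic via the fileinfo extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->file($path) === 'application/pdf';
}

/** Validates and stores one upload; returns the stored name or null. */
function store_upload(array $upload): ?string
{
    if ($upload['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])
        || $upload['size'] > MAX_BYTES
        || !looks_like_pdf($upload['tmp_name'])) {
        return null;
    }
    // Server-generated name: the client's filename never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.pdf';
    if (!move_uploaded_file($upload['tmp_name'], STORE_DIR . '/' . $name)) {
        return null;
    }
    return $name;
}

if (isset($_FILES['file'])) {
    $stored = store_upload($_FILES['file']);
    echo $stored === null ? 'Upload rejected.' : 'Stored as ' . $stored;
}
```

A matching signature only shows the file starts like a PDF, so the stored files should still be served through a download script rather than directly from a web-accessible directory.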
(2012-01-14, 01:14 AM)Frank.Barry Wrote: I wouldn't say it's re-inventing the wheel. It's just a different method, that also works just as well.

What I meant is, why write a brand new function to handle the upload when there's a perfectly good one available for use.
Yeah, that's true.