How To Restrict File Type & File Size In PHP Upload

Welcome to a quick tutorial on how to restrict the file type and file size for uploads in PHP. Sure thing, we can set the HTML file input tag to accept only certain types of files, but it is not entirely safe. Code ninjas can easily change it using the developer’s console, and a server-side restriction still makes more sense.

  • To restrict the file type, we can do a quick file extension check on upload.
    • $ext = strtolower(pathinfo($_FILES['upload']['name'], PATHINFO_EXTENSION));
    • if (!in_array($ext, ["jpg", "png"])){ exit("$ext not allowed."); }
  • To restrict the upload file size, we can also do a quick file size check on upload.
    • $max = 1000000;
    • if ($_FILES['upload']['size'] > $max) { exit("Uploaded file is over $max bytes."); }

That should cover the basics, but read on for a simple detailed example!

ⓘ I have included a zip file with all the source code at the start of this tutorial, so you don’t have to copy-paste everything… Or if you just want to dive straight in.

 

 


 

DOWNLOAD & NOTES

Firstly, here is the download link to the example code as promised.

 

EXAMPLE CODE DOWNLOAD

Click here to download all the example source code. I have released it under the MIT license, so feel free to build on top of it or use it in your own project.

 

QUICK NOTES

If you spot a bug, please feel free to comment below. I try to answer questions too, but it is one person versus the entire world… If you need answers urgently, please check out my list of websites to get help with programming.

 

 

UPLOAD RESTRICTION

All right, let us now get into a simple example of how to restrict the upload file type and file size in PHP.

 

1) HTML UPLOAD FORM

1-upload.html
<form action="2-upload.php" method="post" enctype="multipart/form-data">
  <input type="file" name="upfile" required accept="image/jpeg, image/png, image/gif">
  <input type="submit" value="Upload">
</form>

Yes, this is just a very simple HTML file upload form that accepts images only. But as in the introduction above, code ninjas can easily “tweak” the form and remove the accept restriction in the developer’s console.

 

 

2) PHP UPLOAD CHECK & HANDLER

2-upload.php
<?php
// (A) ERROR - NO FILE UPLOADED OR UPLOAD FAILED
if (!isset($_FILES['upfile'])) { exit("No file uploaded"); }
// ANYTHING OTHER THAN UPLOAD_ERR_OK MEANS PHP DID NOT STORE A COMPLETE FILE
if ($_FILES['upfile']['error'] !== UPLOAD_ERR_OK) { exit("Upload failed"); }

// (B) ACCEPTED FILE TYPES & SIZE
$accept = ["jpg", "jpeg", "png", "gif"]; // ALL LOWER CASE
$maxSize = 1000000; // 1 MB

// (C) CHECK FILE EXTENSION
$upExt = strtolower(pathinfo($_FILES['upfile']['name'], PATHINFO_EXTENSION));
if (!in_array($upExt, $accept)) { exit("$upExt files not allowed"); }

// (D) CHECK FILE SIZE
if ($_FILES['upfile']['size'] > $maxSize) { exit("Max allowed file size is $maxSize"); }

// (E) SAVE UPLOAD IF OK
// basename() DROPS ANY DIRECTORY PART FROM THE CLIENT-SUPPLIED FILE NAME
echo move_uploaded_file($_FILES['upfile']['tmp_name'], basename($_FILES['upfile']['name']))
  ? "OK" : "ERROR" ;

This snippet should be pretty straightforward.

  • If you missed out on the basics, PHP saves the uploaded file to a temporary folder first. The information of the uploaded file can be found in $_FILES.
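  • To restrict the file type, we can check the extension of the uploaded file – pathinfo($_FILES['upfile']['name'], PATHINFO_EXTENSION). Keep in mind that the file name is supplied by the client, so this check looks at the name only and not at what the file actually contains.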
  • It is even simpler to restrict the file size, just check the uploaded file size – $_FILES['upfile']['size'].

That’s all. If all the checks pass, we move the uploaded file out of the temporary folder.
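An added example, not part of the original tutorial: the same upload handler, but with the type decided from the file's content (using the fileinfo extension, assumed to be enabled) instead of the client-supplied name, the upload error code checked, and the file stored under a server-chosen name. `check_upload()` and the `STORE_DIR` path are hypothetical names used for illustration.

```php
<?php
// Added example, not the tutorial's own code. check_upload() and STORE_DIR
// are hypothetical names; "upfile" is the field name used by the form above.
const MAX_SIZE  = 1000000;                  // 1 MB, the tutorial's limit
const STORE_DIR = __DIR__ . "/../uploads";  // assumed folder outside the web root

// Returns [true, extension to store under] or [false, reason].
function check_upload(array $f): array {
  // Detected content type => extension the server will assign.
  $allowed = ["image/jpeg" => "jpg", "image/png" => "png", "image/gif" => "gif"];

  // Oversize (php.ini limit), partial and empty submissions are reported here.
  // An array means a multi-file field, which this handler does not accept.
  if (!isset($f["error"], $f["tmp_name"]) || $f["error"] !== UPLOAD_ERR_OK) {
    return [false, "upload failed"];
  }
  // Measure the stored temp file instead of trusting the reported size.
  $size = filesize($f["tmp_name"]);
  if ($size === false || $size === 0 || $size > MAX_SIZE) {
    return [false, "file is empty or over " . MAX_SIZE . " bytes"];
  }
  // Sniff the type from the file content; the client's name and type are ignored.
  $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f["tmp_name"]);
  if (!is_string($mime) || !isset($allowed[$mime])) {
    return [false, "content type not allowed"];
  }
  return [true, $allowed[$mime]];
}

if (PHP_SAPI === "cli") {
  // Constructed sample: plain text submitted under an image file name.
  $tmp = tempnam(sys_get_temp_dir(), "up");
  file_put_contents($tmp, "this is not an image");
  $fake = ["name" => "photo.png", "error" => UPLOAD_ERR_OK, "tmp_name" => $tmp];
  var_dump(check_upload($fake));
  unlink($tmp);
} elseif (isset($_FILES["upfile"])) {
  [$ok, $info] = check_upload($_FILES["upfile"]);
  if (!$ok) { http_response_code(400); exit($info); }
  // Random server-chosen name: nothing is overwritten and the stored
  // extension always matches the detected content.
  $dest = STORE_DIR . "/" . bin2hex(random_bytes(16)) . "." . $info;
  echo move_uploaded_file($_FILES["upfile"]["tmp_name"], $dest) ? "OK" : "ERROR";
}
```

Run from the command line, it checks a constructed text file that carries an image file name; behind a web server it handles the form above.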

 

 

NOTE) PHP UPLOAD SIZE RESTRICTION

php.ini
file_uploads=On
upload_max_filesize=10M

Please take extra note of the above directives in your php.ini file. These “hard restrictions” come first: if the uploaded file is bigger than the set limit, PHP rejects it with an upload error before the size check in your own script comes into play. If you are dealing with large uploads, check out my other tutorial, links below.

 

USEFUL BITS & LINKS

That’s all for the tutorial, and here is a small section on some extras and links that may be useful to you.

 


 

THE END

Thank you for reading, and we have come to the end. I hope that it has helped you to better understand, and if you have anything to share about this guide, please feel free to comment below. Good luck and happy coding!
