Restrict Upload File Type In PHP (Allow Only Certain File Types)

Welcome to a quick tutorial on how to restrict the upload file type in PHP. So you have a project that allows users to upload their files, but want to allow only certain file extensions? Maybe images for the profile picture, or documents for importing?

To restrict the upload file types in PHP:

  1. We can set the accept attribute in the HTML file input field.
    • <input type="file" name="up" accept="images/*"/>
    • <input type="file" name="up" accept=".jpg,.png,.gif,.webp"/>
  2. Then save the uploaded file in PHP, only if it is an allowed file type.
    • $accept = ["jpg", "png", "gif", "webp"];
    • $ext = strtolower(pathinfo($_FILES["up"]["name"], PATHINFO_EXTENSION));
    • if (in_array($ext, $accept)) { move_uploaded_file($_FILES["up"]["tmp_name"], DESTINATION); }

That covers the quick basics, but read on for more detailed examples!

ⓘ I have included a zip file with all the source code at the start of this tutorial, so you don’t have to copy-paste everything… Or if you just want to dive straight in.

 

 

QUICK SLIDES

 

TABLE OF CONTENTS

Download & Notes Restricted Upload Useful Bits & Links
The End

 

DOWNLOAD & NOTES

Firstly, here is the download link to the example code as promised.

 

QUICK NOTES

If you spot a bug, feel free to comment below. I try to answer short questions too, but it is one person versus the entire world… If you need answers urgently, please check out my list of websites to get help with programming.

 

EXAMPLE CODE DOWNLOAD

Click here to download all the example source code, I have released it under the MIT license, so feel free to build on top of it or use it in your own project.

 

 

UPLOAD FILE TYPE RESTRICTION

All right, let us now get into the examples of how to restrict the upload file type in PHP.

 

EXAMPLE 1) RESTRICT BY FILE EXTENSION

1A) HTML UPLOAD FORM

1a-extension.html
<form action="1b-extension.php" method="post" enctype="multipart/form-data">
  <input type="file" name="upfile" accept=".txt,.pdf,.doc,.docx" required/>
  <input type="submit" value="Upload"/>
</form>

As in the introduction, we only have to set the accept attribute in the file input field. But take note of how we define the file restriction here – .txt,.pdf,.doc,.docx. Yes, that is a list of file extensions, separated by commas.

 

1B) PHP UPLOAD HANDLER

1b-extension.php
<?php
// (A) ERROR - NO FILE UPLOADED
if (!isset($_FILES["upfile"])) { exit("No file uploaded"); }
 
// (B) FLAGS & "SETTINGS"
// (B1) ACCEPTED & UPLOADED MIME-TYPES
$accept = ["txt", "pdf", "doc", "docx"]; // all lower case
$upext = strtolower(pathinfo($_FILES["upfile"]["name"], PATHINFO_EXTENSION));
 
// (B2) SOURCE & DESTINATION
$source = $_FILES["upfile"]["tmp_name"];
$destination = $_FILES["upfile"]["name"];
 
// (C) SAVE UPLOAD ONLY IF ACCEPTED FILE TYPE
if (in_array($upext, $accept)) {
  echo move_uploaded_file($source, $destination)
    ? "OK" : "ERROR UPLOADING";
} else { echo "$upext NOT ACCEPTED"; }

This snippet should be pretty straightforward.

  1. If not file is uploaded, we show an error message.
  2. Define the list of accepted file extensions in $accept, and “extract” the uploaded file extension from $_FILES["upfile"].
  3. Save the upload, only if it is an accepted file extension.

That’s all. But some of you guys may be thinking “this is so dumb”, “we have already set the restriction in HTML”, and “this is unnecessary”. Well, no. HTML can be easily changed by anyone who knows how to work with the developer’s console. A check on server-side PHP is still required.

 

 

EXAMPLE 2) RESTRICT BY MIME-TYPE

2A) HTML UPLOAD FORM

2a-mime.html
<form action="2b-mime.php" method="post" enctype="multipart/form-data">
  <input type="file" name="upfile" accept="image/*" required/>
  <input type="submit" value="Upload"/>
</form>

Look no further, this is also “just an HTML upload form”, but take note of the difference here – accept="image/*". Yes, we are restricting by the file MIME-type here now. Not going to bore you into tears, I will just leave a link below if you want to learn more about MIME types.

 

2B) PHP UPLOAD HANDLER

2b-mime.php
<?php
// (A) ERROR - NO FILE UPLOADED
if (!isset($_FILES["upfile"])) { exit("No file uploaded"); }
 
// (B) FLAGS & "SETTINGS"
// (B1) ACCEPTED & UPLOADED MIME-TYPES
$accept = ["image/jpeg", "image/png", "image/gif", "image/webp"];
$upmime = strtolower($_FILES["upfile"]["type"]);
 
// (B2) SOURCE & DESTINATION
$source = $_FILES["upfile"]["tmp_name"];
$destination = $_FILES["upfile"]["name"];
 
// (C) SAVE UPLOAD ONLY IF ACCEPTED FILE TYPE
if (in_array($upmime, $accept)) {
  echo move_uploaded_file($source, $destination)
    ? "OK" : "ERROR UPLOADING";
} else { echo "$upmime NOT ACCEPTED"; }

Look no further again, this is just about the same as the previous example. Except that we are checking against the uploaded file MIME-type instead of the file extension now.

 

 

USEFUL BITS & LINKS

That’s all for the tutorial, and here is a small section on some extras and links that may be useful to you.

 

WHICH IS BETTER? EXTENSION OR MIME-TYPE?

Both works. But if I have to choose, I will say that the MIME-type is “more secure”. In the sense that file extensions can be easily changed, but the MIME-type is more roundabout. Either way, you can impose a check on both the file extension and MIME-type… If you really want to go that far.

 

LINKS & REFERENCES

 

INFOGRAPHIC CHEAT SHEET

Restrict Upload FIle Type In PHP (Click To Enlarge)

 

THE END

Thank you for reading, and we have come to the end. I hope that it has helped you to better understand, and if you want to share anything with this guide, please feel free to comment below. Good luck and happy coding!

Leave a Comment

Your email address will not be published.