Restrict Upload File Type In PHP (Allow Only Certain File Types)

Last Updated: October 19, 2023

Welcome to a quick tutorial on how to restrict the upload file type in PHP. So you have a project that allows users to upload their files, but want to allow only certain file extensions? Maybe images for the profile picture, or documents for importing?

To restrict the upload file types in PHP:

  1. We can set the accept attribute in the HTML file input field.
    • <input type="file" name="up" accept="images/*">
    • <input type="file" name="up" accept=".jpg,.png,.gif,.webp">
  2. Then save the uploaded file in PHP, only if it is an allowed file type.
    • $accept = ["jpg", "png", "gif", "webp"];
    • $ext = strtolower(pathinfo($_FILES["up"]["name"], PATHINFO_EXTENSION));
    • if (in_array($ext, $accept)) { move_uploaded_file($_FILES["up"]["tmp_name"], DESTINATION); }

That covers the quick basics, but read on for more detailed examples!

 

 

TABLE OF CONTENTS

 

DOWNLOAD & NOTES

Here is the download link to the example code, so you don’t have to copy-paste everything.

 

EXAMPLE CODE DOWNLOAD

Source code on GitHub Gist

Just click on “download zip” or do a git clone. I have released it under the MIT license, so feel free to build on top of it or use it in your own project.

 

SORRY FOR THE ADS...

But someone has to pay the bills, and sponsors are paying for it. I insist on not turning Code Boxx into a "paid scripts" business, and I don't "block people with Adblock". Every little bit of support helps.

Buy Me A Coffee Code Boxx eBooks

 

 

UPLOAD FILE TYPE RESTRICTION

All right, let us now get into the examples of how to restrict the upload file type in PHP.

 

EXAMPLE 1) RESTRICT BY FILE EXTENSION

1A) HTML UPLOAD FORM

1a-extension.html
<form action="1b-extension.php" method="post" enctype="multipart/form-data">
  <input type="file" name="upfile" accept=".txt,.pdf,.doc,.docx" required>
  <input type="submit" value="Upload">
</form>

As in the introduction, we only have to set the accept attribute in the file input field. But take note of how we define the file restriction here – .txt,.pdf,.doc,.docx. Yes, that is a list of file extensions, separated by commas.

 

1B) PHP UPLOAD HANDLER

1b-extension.php
<?php
// (A) ERROR - NO FILE UPLOADED
if (!isset($_FILES["upfile"])) { exit("No file uploaded"); }
 
// (B) FLAGS & "SETTINGS"
// (B1) ACCEPTED & UPLOADED MIME-TYPES
$accept = ["txt", "pdf", "doc", "docx"]; // all lower case
$upext = strtolower(pathinfo($_FILES["upfile"]["name"], PATHINFO_EXTENSION));
 
// (B2) SOURCE & DESTINATION
$source = $_FILES["upfile"]["tmp_name"];
$destination = $_FILES["upfile"]["name"];
 
// (C) SAVE UPLOAD ONLY IF ACCEPTED FILE TYPE
if (in_array($upext, $accept)) {
  echo move_uploaded_file($source, $destination)
    ? "OK" : "ERROR UPLOADING";
} else { echo "$upext NOT ACCEPTED"; }

This snippet should be pretty straightforward.

  1. If not file is uploaded, we show an error message.
  2. Define the list of accepted file extensions in $accept, and “extract” the uploaded file extension from $_FILES["upfile"].
  3. Save the upload, only if it is an accepted file extension.

That’s all. But some of you guys may be thinking “this is so dumb”, “we have already set the restriction in HTML”, and “this is unnecessary”. Well, no. HTML can be easily changed by anyone who knows how to work with the developer’s console. A check on server-side PHP is still required.

 

 

EXAMPLE 2) RESTRICT BY MIME-TYPE

2A) HTML UPLOAD FORM

2a-mime.html
<form action="2b-mime.php" method="post" enctype="multipart/form-data">
  <input type="file" name="upfile" accept="image/*" required>
  <input type="submit" value="Upload">
</form>

Look no further, this is also “just an HTML upload form”, but take note of the difference here – accept="image/*". Yes, we are restricting by the file MIME type here now. Not going to bore you into tears, I will just leave a link below if you want to learn more about MIME types.

 

2B) PHP UPLOAD HANDLER

2b-mime.php
<?php
// (A) ERROR - NO FILE UPLOADED
if (!isset($_FILES["upfile"])) { exit("No file uploaded"); }
 
// (B) FLAGS & "SETTINGS"
// (B1) ACCEPTED & UPLOADED MIME-TYPES
$accept = ["image/jpeg", "image/png", "image/gif", "image/webp"];
$upmime = strtolower($_FILES["upfile"]["type"]);
 
// (B2) SOURCE & DESTINATION
$source = $_FILES["upfile"]["tmp_name"];
$destination = $_FILES["upfile"]["name"];
 
// (C) SAVE UPLOAD ONLY IF ACCEPTED FILE TYPE
if (in_array($upmime, $accept)) {
  echo move_uploaded_file($source, $destination)
    ? "OK" : "ERROR UPLOADING";
} else { echo "$upmime NOT ACCEPTED"; }

Look no further again, this is just about the same as the previous example. Except that we are checking against the uploaded file MIME-type instead of the file extension now.

 

 

EXTRAS

That’s all for the tutorial, and here is a small section on some extras and links that may be useful to you.

 

WHICH IS BETTER? EXTENSION OR MIME-TYPE?

Both works. But if I have to choose, I will say that the MIME type is “more secure”. In the sense that file extensions can be easily changed, but the MIME type is more roundabout. Either way, you can impose a check on both the file extension and MIME type… If you really want to go that far.

 

LINKS & REFERENCES

 

THE END

Thank you for reading, and we have come to the end. I hope that it has helped you to better understand, and if you want to share anything with this guide, please feel free to comment below. Good luck and happy coding!

Leave a Comment

Your email address will not be published. Required fields are marked *