Hi. I've used a white list approach to only allow certain file types to be uploaded, but I would like to know if this is enough protection. I've been reading about editing the htaccess to allow certain file types; would that be useful as extra protection? I'd like this to be as safe as possible!
```php
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);

$filename = $_FILES['cv']['tmp_name'];
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $filename);
finfo_close($finfo);

switch ($mime) {
    // .pdf
    case 'application/pdf':
        $ok = true;
        break;
    // .doc
    case 'application/msword':
        $ok = true;
        break;
    // .docx
    case 'application/vnd.openxmlformats-officedocument.wordprocessingml.document':
        $ok = true;
        break;
    default:
        $ok = false;
        break;
}

if ($ok) {
    $target = "CV/";
    $target = $target . basename($_FILES['cv']['name']);
    if (move_uploaded_file($_FILES['cv']['tmp_name'], $target)) {
        echo "The file " . basename($_FILES['cv']['name']) . " has been uploaded <br><br>";
    } else {
        echo "Sorry, there was a problem uploading your file.";
    }
} else {
    echo "<p>Oh no, you've chosen the wrong file type!</p>";
}
```
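A hardened variant of the handler above, as an added example that is not part of the original post: it keeps the same content-based MIME whitelist but assigns the stored extension from the detected type and generates the file name on the server, so the client-supplied name never reaches the disk. `UPLOAD_DIR`, `MAX_BYTES` and `store_cv()` are assumed names and values.

```php
<?php
// Added example, not the poster's code. UPLOAD_DIR, MAX_BYTES and
// store_cv() are assumed names; adjust them to your deployment.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private/cv';   // assumed: outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;         // assumed limit: 5 MiB

// Allowed MIME types mapped to the extension the server will assign.
const ALLOWED = [
    'application/pdf'    => 'pdf',
    'application/msword' => 'doc',
    'application/vnd.openxmlformats-officedocument.wordprocessingml.document' => 'docx',
];

// Validate one $_FILES entry; return the stored name, or null if rejected.
function store_cv(array $file): ?string
{
    // Reject failed or multi-file uploads.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Detect the type from the content, as the original code does.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        return null;
    }

    // Server-generated name; the client-supplied name is never used on disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        return null;
    }
    return $name;
}

if (isset($_FILES['cv'])) {
    $stored = store_cv($_FILES['cv']);
    echo $stored !== null
        ? 'The file has been uploaded.'
        : 'Sorry, that file could not be accepted.';
}
```

If the upload directory has to stay under the web root, disabling script execution for that directory in the web server configuration is the complementary control to the checks above.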