Building a custom HTML form for WordPress is something I do fairly regularly. When adding an upload form, it’s important to check for allowed file types. You wouldn’t want anyone uploading a malicious PHP script, right? Wouldn’t it be great if WordPress did that for you? Of course it would.
Enter get_allowed_mime_types
get_allowed_mime_types() is a function that returns an extensive array of acceptable document types. When using it in your document upload script, it can help you perform a basic file type check like this:
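// FIND THE FILE TYPE ($key IS ASSUMED TO BE THE INDEX OF THE CURRENT FILE IN A MULTI-FILE UPLOAD LOOP)
$file_type = $_FILES['app_attachment']['type'][$key];

// START WITH NO MATCH SO THE CHECK BELOW NEVER READS AN UNDEFINED VARIABLE
$go_ahead = 0;

// FOR EACH OF THE MIME TYPES (EACH VALUE IS A MIME TYPE SUCH AS image/jpeg)
foreach ( get_allowed_mime_types() as $exts ) {
    // IF THERE IS A MATCH FOUND (preg_quote KEEPS "." AND "+" IN THE MIME TYPE LITERAL)
    if ( preg_match( '!^(' . preg_quote( $exts, '!' ) . ')$!i', $file_type ) ) {
        // CREATE A VARIABLE TO GIVE THE GO AHEAD
        $go_ahead = 1;
        // NOW IT'S OKAY TO STOP RUNNING THE FOREACH
        break;
    }
}

// IF NO MATCH WAS FOUND
if ( ! $go_ahead ) {
    // SEND THE VISITOR BACK TO THE UPLOAD PAGE WITH AN ERROR MESSAGE
    header( "Location: /insert-your-path/?error=1" );
    // STOP RUNNING SCRIPTS
    exit;
}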
Final Thoughts
This method only looks for allowed file extensions. It isn’t as thorough as some other methods of file checking such as using the PHP finfo() function. I would like to do something similar that uses the finfo() function.
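One way to do the finfo-based check mentioned above, as an added example that is not part of the original post: it reads the type from the file's bytes (the `type` field in `$_FILES` is whatever the browser sent) and requires it to match the MIME type WordPress lists for the file's extension. `app_upload_is_allowed()` is a hypothetical name, and the small `get_allowed_mime_types()` stand-in and the sample files are constructed so the snippet also runs outside WordPress.

```php
<?php
// Added example, not from the original post. app_upload_is_allowed() is a hypothetical name.
// Constructed stand-in so this runs outside WordPress; inside WordPress the real function is used.
if ( ! function_exists( 'get_allowed_mime_types' ) ) {
    function get_allowed_mime_types() {
        return array( 'jpg|jpeg|jpe' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf' );
    }
}

// Returns true only when the extension and the sniffed content agree on one allowed MIME type.
function app_upload_is_allowed( $tmp_path, $original_name ) {
    $ext = strtolower( pathinfo( $original_name, PATHINFO_EXTENSION ) );
    if ( '' === $ext || ! is_file( $tmp_path ) ) {
        return false;
    }
    // Read the type from the file's bytes, not from the browser-supplied header.
    $finfo     = new finfo( FILEINFO_MIME_TYPE );
    $real_type = $finfo->file( $tmp_path );
    foreach ( get_allowed_mime_types() as $ext_pattern => $mime_type ) {
        // Keys are extension alternations such as "jpg|jpeg|jpe".
        if ( in_array( $ext, explode( '|', $ext_pattern ), true ) ) {
            // The extension is allowed; the content must match its MIME type exactly.
            return $real_type === $mime_type;
        }
    }
    return false; // extension is not on the allow list
}

// Constructed sample input: PHP source saved under an image name, and a minimal PNG header.
$fake = tempnam( sys_get_temp_dir(), 'up' );
file_put_contents( $fake, "<?php echo 'hi'; ?>" );
$png = tempnam( sys_get_temp_dir(), 'up' );
file_put_contents( $png, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . pack( 'NNC5', 1, 1, 8, 6, 0, 0, 0 ) );

var_dump( app_upload_is_allowed( $fake, 'photo.jpg' ) ); // PHP source named as a JPEG
var_dump( app_upload_is_allowed( $png, 'pixel.png' ) );  // PNG bytes named as a PNG
var_dump( app_upload_is_allowed( $png, 'pixel.php' ) );  // extension not on the list
unlink( $fake );
unlink( $png );
```

In a real handler, pass `$_FILES['app_attachment']['tmp_name'][$key]` and `$_FILES['app_attachment']['name'][$key]` after `is_uploaded_file()` confirms the temporary path. WordPress core also provides `wp_check_filetype_and_ext()` for checking an uploaded file's type against its name.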