Zend_File_Transfer

Validators for Zend_File_Transfer

Zend_File_Transfer is delivered with several file-related validators which can be used to increase security and prevent possible attacks. Note that these validators are only as effective as how effectively you apply them. All validators provided with Zend_File_Transfer can be found in the Zend_Validator component and are named Zend_Validate_File_*. The following validators are available:

  • Count: This validator checks for the number of files. A minimum and maximum range can be specified. An error will be thrown if either limit is crossed.

  • Crc32: This validator checks for the crc32 hash value of the content from a file. It is based on the Hash validator and provides a convenient and simple validator that only supports Crc32.

  • ExcludeExtension: This validator checks the extension of files. It will throw an error when an given file has a defined extension. With this validator, you can exclude defined extensions from being validated.

  • ExcludeMimeType: This validator validates the MIME type of files. It can also validate MIME types and will throw an error if the MIME type of specified file matches.

  • Exists: This validator checks for the existence of files. It will throw an error when a specified file does not exist.

  • Extension: This validator checks the extension of files. It will throw an error when a specified file has an undefined extension.

  • FilesSize: This validator checks the size of validated files. It remembers internally the size of all checked files and throws an error when the sum of all specified files exceed the defined size. It also provides minimum and maximum values.

  • ImageSize: This validator checks the size of image. It validates the width and height and enforces minimum and maximum dimensions.

  • IsCompressed: This validator checks whether the file is compressed. It is based on the MimeType validator and validates for compression archives like zip or arc. You can also limit it to other archives.

  • IsImage: This validator checks whether the file is an image. It is based on the MimeType validator and validates for image files like jpg or gif. You can also limit it to other image types.

  • Hash: This validator checks the hash value of the content from a file. It supports multiple algorithms.

  • Md5: This validator checks for the md5 hash value of the content from a file. It is based on the Hash validator and provides a convenient and simple validator that only supports Md5.

  • MimeType: This validator validates the MIME type of files. It can also validate MIME types and will throw an error if the MIME type of a specified file does not match.

  • NotExists: This validator checks for the existence of files. It will throw an error when an given file does exist.

  • Sha1: This validator checks for the sha1 hash value of the content from a file. It is based on the Hash validator and provides a convenient and simple validator that only supports sha1.

  • Size: This validator is able to check files for its file size. It provides a minimum and maximum size range and will throw an error when either of these thesholds are crossed.

  • Upload: This validator is internal. It checks if an upload has resulted in an error. You must not set it, as it's automatically set by Zend_File_Transfer itself. So you do not use this validator directly. You should only know that it exists.

  • WordCount: This validator is able to check the number of words within files. It provides a minimum and maximum count and will throw an error when either of these thresholds are crossed.

Using Validators with Zend_File_Transfer

Putting validators to work is quite simple. There are several methods for adding and manipulating validators:

  • isValid($files = null): Checks the specified files using all validators. $files may be either a real filename, the element's name or the name of the temporary file.

  • addValidator($validator, $breakChainOnFailure, $options = null, $files = null): Adds the specified validator to the validator stack (optionally only to the file(s) specified). $validator may be either an actual validator instance or a short name specifying the validator type (e.g., 'Count').

  • addValidators(array $validators, $files = null): Adds the specified validators to the stack of validators. Each entry may be either a validator type/options pair or an array with the key 'validator' specifying the validator. All other options will be considered validator options for instantiation.

  • setValidators(array $validators, $files = null): Overwrites any existing validators with the validators specified. The validators should follow the syntax for addValidators().

  • hasValidator($name): Indicates whether a validator has been registered.

  • getValidator($name): Returns a previously registered validator.

  • getValidators($files = null): Returns registered validators. If $files is specified, returns validators for that particular file or set of files.

  • removeValidator($name): Removes a previously registered validator.

  • clearValidators(): Clears all registered validators.

Example #1 Add Validators to a File Transfer Object

  1. span style="color: #808080; font-style: italic;">// Set a file size with 20000 bytes
  2. $upload->addValidator('Size'// Set a file size with 20 bytes minimum and 20000 bytes maximum
  3. $upload->addValidator('Size''min' => 20, 'max' => 20000));
  4.  
  5. // Set a file size with 20 bytes minimum and 20000 bytes maximum and
  6. // a file count in one step
  7. 'Size''min' => 20, 'max' => 20000),
  8.     'Count''min' => 1, 'max' => 3),
  9. ));

Example #2 Limit Validators to Single Files

addValidator(), addValidators(), and setValidators() each accept a final $files argument. This argument can be used to specify a particular file or array of files on which to set the given validator.

  1. span style="color: #808080; font-style: italic;">// Set a file size with 20000 bytes and limits it only to 'file2'
  2. $upload->addValidator('Size''file2');

Normally, you should use the addValidators() method, which can be called multiple times.

Example #3 Add Multiple Validators

Often it's simpler just to call addValidator() multiple times with one call for each validator. This also increases readability and makes your code more maintainable. All methods provide a fluent interface, so you can couple the calls as shown below:

  1. span style="color: #808080; font-style: italic;">// Set a file size with 20000 bytes
  2. $upload->addValidator('Size''Count''Filessize'

Note: Note that setting the same validator multiple times is allowed, but doing so can lead to issues when using different options for the same validator.

Last but not least, you can simply check the files using isValid().

Example #4 Validate the Files

isValid() accepts the file name of the uploaded or downloaded file, the temporary file name and or the name of the form element. If no parameter or null is given all files will be validated

  1. span style="color: #808080; font-style: italic;">// Set a file size with 20000 bytes
  2. $upload->addValidator('Size''Count''Filessize'"Validation failure";
  3. }

Note: Note that isValid() will be called automatically when you receive the files and have not called it previously.

When validation has failed it is a good idea to get information about the problems found. To get this information, you can use the methods getMessages() which returns all validation messages as array, getErrors() which returns all error codes, and hasErrors() which returns TRUE as soon as a validation error has been found.

Count Validator

The Count validator checks for the number of files which are provided. It supports the following option keys:

  • min: Sets the minimum number of files to transfer.

    Note: When using this option you must give the minimum number of files when calling this validator the first time; otherwise you will get an error in return.

    With this option you can define the minimum number of files you expect to receive.

  • max: Sets the maximum number of files to transfer.

    With this option you can limit the number of files which are accepted but also detect a possible attack when more files are given than defined in your form.

If you initiate this validator with a string or integer, the value will be used as max. Or you can also use the methods setMin() and setMax() to set both options afterwards and getMin() and getMax() to retrieve the actual set values.

Example #5 Using the Count Validator

  1. span style="color: #808080; font-style: italic;">// Limit the amount of files to maximum 2
  2. $upload->addValidator('Count'// Limit the amount of files to maximum 5 and minimum 1 file
  3. $upload->addValidator('Count''min' =>1, 'max' => 5));

Note: Note that this validator stores the number of checked files internally. The file which exceeds the maximum will be returned as error.

Crc32 Validator

The Crc32 validator checks the content of a transferred file by hashing it. This validator uses the hash extension from PHP with the crc32 algorithm. It supports the following options:

  • *: Sets any key or use a numeric array. The values will be used as hash to validate against.

    You can set multiple hashes by using different keys. Each will be checked and the validation will fail only if all values fail.

Example #6 Using the Crc32 Validator

  1. span style="color: #808080; font-style: italic;">// Checks whether the content of the uploaded file has the given hash
  2. $upload->addValidator('Crc32''3b3652f');
  3.  
  4. // Limits this validator to two different hashes
  5. $upload->addValidator('Crc32''3b3652f', 'e612b69'));

ExcludeExtension Validator

The ExcludeExtension validator checks the file extension of the specified files. It supports the following options:

  • *: Sets any key or use a numeric array. The values will be used to check whether the given file does not use this file extension.

  • case: Sets a boolean indicating whether validation should be case-sensitive. The default is not case sensitive. Note that this key can be applied to for all available extensions.

This validator accepts multiple extensions, either as a comma-delimited string, or as an array. You may also use the methods setExtension(), addExtension(), and getExtension() to set and retrieve extensions.

In some cases it is useful to match in a case-sensitive fashion. So the constructor allows a second parameter called $case which, if set to TRUE, validates the extension by comparing it with the specified values in a case-sensitive fashion.

Example #7 Using the ExcludeExtension Validator

  1. span style="color: #808080; font-style: italic;">// Do not allow files with extension php or exe
  2. $upload->addValidator('ExcludeExtension''php,exe');
  3.  
  4. // Do not allow files with extension php or exe, but use array notation
  5. $upload->addValidator('ExcludeExtension''php', 'exe'));
  6.  
  7. // Check in a case-sensitive fashion
  8. $upload->addValidator('ExcludeExtension''php', 'exe', 'case''ExcludeExtension''php', 'exe', 'case'

Note: Note that this validator only checks the file extension. It does not check the file's MIME type.

ExcludeMimeType Validator

The ExcludeMimeType validator checks the MIME type of transferred files. It supports the following options:

  • *: Sets any key individually or use a numeric array. Sets the MIME type to validate against.

    With this option you can define the MIME type of files that are not to be accepted.

  • headerCheck: If set to TRUE this option will check the HTTP Information for the file type when the fileInfo or mimeMagic extensions can not be found. The default value for this option is FALSE.

This validator accepts multiple MIME types, either as a comma-delimited string, or as an array. You may also use the methods setMimeType(), addMimeType(), and getMimeType() to set and retrieve the MIME types.

Example #8 Using the ExcludeMimeType Validator

  1. span style="color: #808080; font-style: italic;">// Does not allow MIME type of gif images for all files
  2. $upload->addValidator('ExcludeMimeType''image/gif');
  3.  
  4. // Does not allow MIME type of gif and jpg images for all given files
  5. $upload->addValidator('ExcludeMimeType''image/gif',
  6.                                                       'image/jpeg');
  7.  
  8. // Does not allow MIME type of the group images for all given files
  9. $upload->addValidator('ExcludeMimeType''image');

The above example shows that it is also possible to disallow groups of MIME types. For example, to disallow all images, just use 'image' as the MIME type. This can be used for all groups of MIME types like 'image', 'audio', 'video', 'text', etc.

Note: Note that disallowing groups of MIME types will disallow all members of this group even if this is not intentional. When you disallow 'image' you will disallow all types of images like 'image/jpeg' or 'image/vasa'. When you are not sure if you want to disallow all types, you should disallow only specific MIME types instead of complete groups.

Exists Validator

The Exists validator checks for the existence of specified files. It supports the following options:

  • *: Sets any key or use a numeric array to check if the specific file exists in the given directory.

This validator accepts multiple directories, either as a comma-delimited string, or as an array. You may also use the methods setDirectory(), addDirectory(), and getDirectory() to set and retrieve directories.

Example #9 Using the Exists Validator

  1. span style="color: #808080; font-style: italic;">// Add the temp directory to check for
  2. $upload->addValidator('Exists''\temp');
  3.  
  4. // Add two directories using the array notation
  5. $upload->addValidator('Exists''\home\images', '\home\uploads'));

Note: Note that this validator checks whether the specified file exists in all of the given directories. The validation will fail if the file does not exist in any of the given directories.

Extension Validator

The Extension validator checks the file extension of the specified files. It supports the following options:

  • *: Sets any key or use a numeric array to check whether the specified file has this file extension.

  • case: Sets whether validation should be done in a case-sensitive fashion. The default is no case sensitivity. Note the this key is used for all given extensions.

This validator accepts multiple extensions, either as a comma-delimited string, or as an array. You may also use the methods setExtension(), addExtension(), and getExtension() to set and retrieve extension values.

In some cases it is useful to test in a case-sensitive fashion. Therefore the constructor takes a second parameter $case, which, if set to TRUE, will validate the extension in a case-sensitive fashion.

Example #10 Using the Extension Validator

  1. span style="color: #808080; font-style: italic;">// Limit the extensions to jpg and png files
  2. $upload->addValidator('Extension''jpg,png');
  3.  
  4. // Limit the extensions to jpg and png files but use array notation
  5. $upload->addValidator('Extension''jpg', 'png'));
  6.  
  7. // Check case sensitive
  8. $upload->addValidator('Extension''mo', 'png', 'case''C:\temp\myfile.MO''Not valid because MO and mo do not match with case sensitivity;
  9. }

Note: Note that this validator only checks the file extension. It does not check the file's MIME type.

FilesSize Validator

The FilesSize validator checks for the aggregate size of all transferred files. It supports the following options:

  • min: Sets the minimum aggregate file size. This option defines the minimum aggregate file size to be transferred.

  • max: Sets the maximum aggregate file size.

    This option limits the aggregate file size of all transferred files, but not the file size of individual files.

  • bytestring: Defines whether a failure is to return a user-friendly number or the plain file size.

    This option defines whether the user sees '10864' or '10MB'. The default value is TRUE, so '10MB' is returned if you did not specify otherwise.

You can initialize this validator with a string, which will then be used to set the max option. You can also use the methods setMin() and setMax() to set both options after construction, along with getMin() and getMax() to retrieve the values that have been set previously.

The size itself is also accepted in SI notation as handled by most operating systems. That is, instead of specifying 20000 bytes, 20kB may be given. All file sizes are converted using 1024 as the base value. The following Units are accepted: kB, MB, GB, TB, PB and EB. Note that 1kB is equal to 1024 bytes, 1MB is equal to 1024kB, and so on.

Example #11 Using the FilesSize Validator

  1. span style="color: #808080; font-style: italic;">// Limit the size of all files to be uploaded to 40000 bytes
  2. $upload->addValidator('FilesSize'// Limit the size of all files to be uploaded to maximum 4MB and mimimum 10kB
  3. $upload->addValidator('FilesSize''min' => '10kB', 'max' => '4MB'));
  4.  
  5. // As before, but returns the plain file size instead of a user-friendly string
  6. $upload->addValidator('FilesSize''min' => '10kB',
  7.                             'max' => '4MB',
  8.                             'bytestring'

Note: Note that this validator internally stores the file size of checked files. The file which exceeds the size will be returned as an error.

ImageSize Validator

The ImageSize validator checks the size of image files. It supports the following options:

  • minheight: Sets the minimum image height.

  • maxheight: Sets the maximum image height.

  • minwidth: Sets the minimum image width.

  • maxwidth: Sets the maximum image width.

The methods setImageMin() and setImageMax() also set both minimum and maximum values, while the methods getMin() and getMax() return the currently set values.

For your convenience there are also the setImageWidth() and setImageHeight() methods, which set the minimum and maximum height and width of the image file. They, too, have corresponding getImageWidth() and getImageHeight() methods to retrieve the currently set values.

To bypass validation of a particular dimension, the relevent option simply should not be set.

Example #12 Using the ImageSize Validator

  1. span style="color: #808080; font-style: italic;">// Limit the size of a image to a height of 100-200 and a width of
  2. // 40-80 pixel
  3. $upload->addValidator('ImageSize''minwidth' => 40,
  4.                             'maxwidth' => 80,
  5.                             'minheight' => 100,
  6.                             'maxheight' => 200)
  7.                       );
  8.  
  9. // Reset the width for validation
  10. 'minwidth' => 20, 'maxwidth' => 200));

IsCompressed Validator

The IsCompressed validator checks if a transferred file is a compressed archive, such as zip or arc. This validator is based on the MimeType validator and supports the same methods and options. You may also limit this validator to particular compression types with the methods described there.

Example #13 Using the IsCompressed Validator

  1. span style="color: #808080; font-style: italic;">// Checks is the uploaded file is a compressed archive
  2. $upload->addValidator('IsCompressed'// Limits this validator to zip files only
  3. $upload->addValidator('IsCompressed''application/zip'));
  4.  
  5. // Limits this validator to zip files only using simpler notation
  6. $upload->addValidator('IsCompressed''zip');

Note: Note that there is no check if you set a MIME type that is not a archive. For example, it would be possible to define gif files to be accepted by this validator. Using the 'MimeType' validator for files which are not archived will result in more readable code.

IsImage Validator

The IsImage validator checks if a transferred file is a image file, such as gif or jpeg. This validator is based on the MimeType validator and supports the same methods and options. You can limit this validator to particular image types with the methods described there.

Example #14 Using the IsImage Validator

  1. span style="color: #808080; font-style: italic;">// Checks whether the uploaded file is a image file
  2. $upload->addValidator('IsImage'// Limits this validator to gif files only
  3. $upload->addValidator('IsImage''application/gif'));
  4.  
  5. // Limits this validator to jpeg files only using a simpler notation
  6. $upload->addValidator('IsImage''jpeg');

Note: Note that there is no check if you set a MIME type that is not an image. For example, it would be possible to define zip files to be accepted by this validator. Using the 'MimeType' validator for files which are not images will result in more readable code.

Hash Validator

The Hash validator checks the content of a transferred file by hashing it. This validator uses the hash extension from PHP. It supports the following options:

  • *: Takes any key or use a numeric array. Sets the hash to validate against.

    You can set multiple hashes by passing them as an array. Each file is checked, and the validation will fail only if all files fail validation.

  • algorithm: Sets the algorithm to use for hashing the content.

    You can set multiple algorithm by calling the addHash() method multiple times.

Example #15 Using the Hash Validator

  1. span style="color: #808080; font-style: italic;">// Checks if the content of the uploaded file contains the given hash
  2. $upload->addValidator('Hash''3b3652f');
  3.  
  4. // Limits this validator to two different hashes
  5. $upload->addValidator('Hash''3b3652f', 'e612b69'));
  6.  
  7. // Sets a different algorithm to check against
  8. $upload->addValidator('Hash''315b3cd8273d44912a7',
  9.                             'algorithm' => 'md5'));

Note: This validator supports about 34 different hash algorithms. The most common include 'crc32', 'md5' and 'sha1'. A comprehesive list of supports hash algorithms can be found at the » hash_algos method on the » php.net site.

Md5 Validator

The Md5 validator checks the content of a transferred file by hashing it. This validator uses the hash extension for PHP with the md5 algorithm. It supports the following options:

  • *: Takes any key or use a numeric array.

    You can set multiple hashes by passing them as an array. Each file is checked, and the validation will fail only if all files fail validation.

Example #16 Using the Md5 Validator

  1. span style="color: #808080; font-style: italic;">// Checks if the content of the uploaded file has the given hash
  2. $upload->addValidator('Md5''3b3652f336522365223');
  3.  
  4. // Limits this validator to two different hashes
  5. $upload->addValidator('Md5''3b3652f336522365223',
  6.                             'eb3365f3365ddc65365'));

MimeType Validator

The MimeType validator checks the MIME type of transferred files. It supports the following options:

  • *: Sets any key or use a numeric array. Sets the MIME type to validate against.

    Defines the MIME type of files to be accepted.

  • headerCheck: If set to TRUE this option will check the HTTP Information for the file type when the fileInfo or mimeMagic extensions can not be found. The default value for this option is FALSE.

  • magicfile: The magicfile to be used.

    With this option you can define which magicfile to use. When it's not set or empty, the MAGIC constant will be used instead. This option is available since Zend Framework 1.7.1.

This validator accepts multiple MIME type, either as a comma-delimited string, or as an array. You may also use the methods setMimeType(), addMimeType(), and getMimeType() to set and retrieve MIME type.

You can also set the magicfile which shall be used by fileinfo with the 'magicfile' option. Additionally there are convenient setMagicFile() and getMagicFile() methods which allow later setting and retrieving of the magicfile parameter. This methods are available since Zend Framework 1.7.1.

Example #17 Using the MimeType Validator

  1. span style="color: #808080; font-style: italic;">// Limit the MIME type of all given files to gif images
  2. $upload->addValidator('MimeType''image/gif');
  3.  
  4. // Limit the MIME type of all given files to gif and jpeg images
  5. $upload->addValidator('MimeType''image/gif', 'image/jpeg');
  6.  
  7. // Limit the MIME type of all given files to the group images
  8. $upload->addValidator('MimeType''image');
  9.  
  10. // Use a different magicfile
  11. $upload->addValidator('MimeType''image',
  12.                             'magicfile' => '/path/to/magicfile.mgx'));

The above example shows that it is also possible to limit the accepted MIME type to a group of MIME types. To allow all images just use 'image' as MIME type. This can be used for all groups of MIME types like 'image', 'audio', 'video', 'text, and so on.

Note: Note that allowing groups of MIME types will accept all members of this group even if your application does not support them. When you allow 'image' you will also get 'image/xpixmap' or 'image/vasa' which could be problematic. When you are not sure if your application supports all types you should better allow only defined MIME types instead of the complete group.

Note: This component will use the FileInfo extension if it is available. If it's not, it will degrade to the mime_content_type() function. And if the function call fails it will use the MIME type which is given by HTTP.
You should be aware of possible security problems when you have whether FileInfo nor mime_content_type() available. The MIME type given by HTTP is not secure and can be easily manipulated.

NotExists Validator

The NotExists validator checks for the existence of the provided files. It supports the following options:

  • *: Set any key or use a numeric array. Checks whether the file exists in the given directory.

This validator accepts multiple directories either as a comma-delimited string, or as an array. You may also use the methods setDirectory(), addDirectory(), and getDirectory() to set and retrieve directories.

Example #18 Using the NotExists Validator

  1. span style="color: #808080; font-style: italic;">// Add the temp directory to check
  2. $upload->addValidator('NotExists''\temp');
  3.  
  4. // Add two directories using the array notation
  5. $upload->addValidator('NotExists''\home\images',
  6.                             '\home\uploads')
  7.                      );

Note: Note that this validator checks if the file does not exist in all of the provided directories. The validation will fail if the file does exist in any of the given directories.

Sha1 Validator

The Sha1 validator checks the content of a transferred file by hashing it. This validator uses the hash extension for PHP with the sha1 algorithm. It supports the following options:

  • *: Takes any key or use a numeric array.

    You can set multiple hashes by passing them as an array. Each file is checked, and the validation will fail only if all files fail validation.

Example #19 Using the sha1 Validator

  1. span style="color: #808080; font-style: italic;">// Checks if the content of the uploaded file has the given hash
  2. $upload->addValidator('sha1''3b3652f336522365223');
  3.  
  4. // Limits this validator to two different hashes
  5. $upload->addValidator('Sha1''3b3652f336522365223',
  6.                                    'eb3365f3365ddc65365'));

Size Validator

The Size validator checks for the size of a single file. It supports the following options:

  • min: Sets the minimum file size.

  • max: Sets the maximum file size.

  • bytestring: Defines whether a failure is returned with a user-friendly number, or with the plain file size.

    With this option you can define if the user gets '10864' or '10MB'. Default value is TRUE which returns '10MB'.

You can initialize this validator with a string, which will then be used to set the max option. You can also use the methods setMin() and setMax() to set both options after construction, along with getMin() and getMax() to retrieve the values that have been set previously.

The size itself is also accepted in SI notation as handled by most operating systems. That is, instead of specifying 20000 bytes, 20kB may be given. All file sizes are converted using 1024 as the base value. The following Units are accepted: kB, MB, GB, TB, PB and EB. Note that 1kB is equal to 1024 bytes, 1MB is equal to 1024kB, and so on.

Example #20 Using the Size Validator

  1. span style="color: #808080; font-style: italic;">// Limit the size of a file to 40000 bytes
  2. $upload->addValidator('Size'// Limit the size a given file to maximum 4MB and mimimum 10kB
  3. // Also returns the plain number in case of an error
  4. // instead of a user-friendly number
  5. $upload->addValidator('Size''min' => '10kB',
  6.                             'max' => '4MB',
  7.                             'bytestring'

WordCount Validator

The WordCount validator checks for the number of words within provided files. It supports the following option keys:

  • min: Sets the minimum number of words to be found.

  • max: Sets the maximum number of words to be found.

If you initiate this validator with a string or integer, the value will be used as max. Or you can also use the methods setMin() and setMax() to set both options afterwards and getMin() and getMax() to retrieve the actual set values.

Example #21 Using the WordCount Validator

  1. span style="color: #808080; font-style: italic;">// Limit the amount of words within files to maximum 2000
  2. $upload->addValidator('WordCount'// Limit the amount of words within files to maximum 5000 and minimum 1000 words
  3. $upload->addValidator('WordCount''min' => 1000, 'max' => 5000));

Zend_File_Transfer