Check File Upload extension (PHP/Jquery/Javascript)

Question

As title which of them is better and why? Any weaknesses from doing it? I been hearing that Jquery/Javascript checking is bad and adviced to use PHP but somehow don't know why....

Need some recommend from any of you. Thanks in advance.

Anyone see if this is good or bad:

<input type="file" name="task_doc" class="task_doc"  onChange="checkext();"/>

function checkext(){
var permittedFileType = ['pdf', 'doc', 'docx', 'xls', 'xlsx'];
var fext = $(".task_doc").val().split('.').pop().toLowerCase();
var resultFile = validate_filetype(fext, permittedFileType);
    if(resultFile === false){
         $(".task_doc").replaceWith("<input type='file' name='task_doc'    class='task_doc'  onChange='checkext();'>");
        alert("Invalid Extension");

    }
    else{
        alert("Success");
    }
}

function validate_filetype(fext, ftype)
{
    for(var num in ftype)
    {
        if(fext == ftype[num])
            return true;
    }

    return false;
}

Answer 1

If you use only javascript to check for data-validity, advanced users will have the possibility of uploading any data they want.

On the other hand using javascript might be a convenient way for the user to get fast feedback, if his entered data (files in this case) is invalid.

So I suggest using both client side and server side scripts.

Answer 2

You have to assume that any outside data is tainted and could be malicious. A user could disable JavaScript and send any file they want. Or a user could send a file to the server and change the MIME type and/or extension to bypass checks on the server as well.

Your best bet is to make sure your server is set up to correctly handle the various MIME types and not by default parse unknown file types as PHP. In other words, don't set Apache to handle anything but .php files as PHP and block .php files from being uploaded at all. Handling file uploads is a sticky situation at best, security-wise. I would highly recommend saving uploads outside of your document root directory, renaming them to a random string that only you know (ie on upload store the random name in a database), then send the file via PHP to the browser.

header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename=' . basename($filename));
header('Content-Transfer-Encoding: binary');
readfile($filename);

I recommend doing this because storing them outside the document root prevents access, using a unique filename stops somebody from directly accessing it, and forcing a download (should) prevent any auto execution of a malicious file so hopefully the user's anti-virus could find it....