Question:
PHP: What is the code for a one-extension upload?
anonymous
2009-06-13 23:08:10 UTC
I already got the code for the upload; I just need to block all extensions but .swf.
Yes, it's a game site.
Four answers:
Brian K
2009-06-17 08:33:27 UTC
An "onchange" on the file input doesn't seem to work (at least in my version of Firefox), so I recommend an "onsubmit" for the form, as follows:




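<form method="post" enctype="multipart/form-data" onsubmit='if (!this.uploadFile.value.match(/\.swf$/)) { alert("File must be .swf"); return false;}'>
Select the file: <input type="file" name="uploadFile">
<input type="submit" value="Upload">
</form>
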
It won't prevent them from selecting a non-.swf, but it will alert them and block the submit when they try to submit (if JavaScript is enabled).



Of course, everybody else's points about server-side security and never trusting anything from the client are still valid.
HandyManOrNot
2009-06-16 02:05:39 UTC
Basically, you cannot restrict the files that are uploaded from the client. Even if you examined the file name to block all but .swf file extensions, and to set the mime-type (just a piece of meta-data that identifies the type of content) in the HTTPRequest that is submitted from the browser (containing the file), the fact is that anyone can try to upload malware and just change the filename to pass your check.



This is the risk with file upload - you cannot restrict what the browser uploads to your web site. You must implement the smarts on the server side to detect malware that may be uploaded. This includes files that are so large they may bring down your server. Once you receive the file, you will need to implement several checks such as file size (determine a limit you will accept), and you should use anti-virus software on your server with an API that allows you to programmatically call a scan function on the uploaded file contents.



You must implement the security on your side.
anonymous
2009-06-14 16:07:08 UTC
You will have to tweak the script, but this should help you.



--
-- Table structure for table `mime_types`
--

DROP TABLE IF EXISTS `mime_types`;
CREATE TABLE IF NOT EXISTS `mime_types` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`extension` varchar(5) NOT NULL,
`type` varchar(100) NOT NULL,
`aud_vid` int(11) NOT NULL,
`access_type` int(1) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=41 ;

--
-- Dumping data for table `mime_types`
--

INSERT INTO `mime_types` (`id`, `extension`, `type`, `aud_vid`, `access_type`) VALUES
(1, '.au', 'audio/basic', 1, 1),
(2, '.avi', 'application/x-troff-msvideo', 1, 0),
(3, '.bm', 'image/bmp', 0, 1),
(4, '.bmp', 'image/bmp', 0, 1),
(5, '.doc', 'application/msword', 0, 0),
(6, '.flp', 'application/FruityLoops Project', 1, 1),
(7, '.gif', 'image/gif', 0, 1),
(8, '.gz', 'application/x-gzip', 0, 0),
(9, '.gzip', 'application/x-gzip', 0, 0),
(10, '.jpe', 'image/jpeg', 0, 1),
(11, '.jpeg', 'image/jpeg', 0, 1),
(12, '.jpg', 'image/jpeg', 0, 1),
(13, '.kar', 'audio/midi', 1, 1),
(14, '.mid', 'audio/midi', 1, 1),
(15, '.mov', 'video/quicktime', 1, 0),
(16, '.mp2', 'audio/mpeg', 1, 1),
(17, '.mp3', 'audio/mpeg3', 1, 1),
(18, '.mpa', 'audio/mpeg', 1, 1),
(19, '.mpe', 'video/mpeg', 1, 1),
(20, '.mpeg', 'video/mpeg', 1, 0),
(21, '.mpg', 'video/mpeg', 1, 0),
(22, '.pdf', 'application/pdf', 0, 0),
(23, '.png', 'image/png', 0, 1),
(24, '.ppt', 'application/mspowerpoint', 0, 0),
(25, '.qt', 'video/quicktime', 1, 0),
(26, '.ra', 'audio/x-pn-realaudio', 1, 1),
(27, '.ram', 'audio/x-pn-realaudio', 1, 1),
(28, '.rmi', 'audio/mid', 1, 1),
(29, '.rtx', 'application/rtf', 0, 0),
(30, '.swf', 'application/x-shockwave-flash', 0, 0),
(31, '.tif', 'image/tiff', 0, 1),
(32, '.tiff', 'image/tiff', 0, 1),
(33, '.txt', 'text/plain', 0, 0),
(34, '.wav', 'audio/wav', 1, 1),
(35, '.wma', 'audio/x-ms-wma', 1, 1),
(36, '.wmv', 'video/x-ms-wmv', 1, 0),
(37, '.xls', 'application/excel', 0, 0),
(38, '.zip', 'application/zip', 0, 0),
(39, '.mp3', 'audio/x-mpeg', 1, 1),
(40, '.ppt', 'application/vnd.ms-powerpoint', 0, 0);



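//Check to see if MIME is authorized
$this->type = $_FILES['file_to_upload']['type'];
// The type is sent by the browser, so escape it before it goes into the SQL string
$this->query_string = "SELECT * FROM mime_types WHERE type='" . mysql_real_escape_string($this->type) . "'";
$this->query = mysql_query($this->query_string);
$this->num_rows = mysql_num_rows($this->query);
// No matching row: the type is not in the table (or no file was sent)
if($this->num_rows == 0)
{
    $this->file_form($UserInput);
    echo "
File type not allowed!
or
You did not select a file to upload!
Contact support! or $this->goback
";
    // Assignment, not comparison, so the error flag is actually set
    $this->Error = true;
    exit;
}
else
{
    // Matching row found: carry its access_type over to the upload data
    $this->mime_info = mysql_fetch_assoc($this->query);
    $UserInput['file_access'] = $this->mime_info['access_type'];
}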
Raja
2009-06-14 06:17:13 UTC
Why? You can check the file type with PHP, or you can use JavaScript to detect a file extension other than .swf.

Check the file type for the .swf format or application/octet-stream.

Method 1:

$file = $_FILES["htmlcontrolname"];

// Compare the extension of the submitted file name
if (pathinfo($file["name"], PATHINFO_EXTENSION) == "swf")

or

// Compare the MIME type reported by the browser
if ($file["type"] == "application/octet-stream")
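
The server-side checks the answers above call for (extension, size limit, not trusting the browser-supplied type), combined into one added example that is not code from any of the answers. The form field name is taken from Brian K's form; the 5 MB limit, the function names and the storage directory are assumptions.

```php
<?php
const MAX_SWF_BYTES = 5 * 1024 * 1024; // assumed limit, pick your own

/** Returns null when the $_FILES entry looks like an SWF, else an error string. */
function check_swf_upload(array $f): ?string
{
    if (!isset($f['error']) || is_array($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        return 'upload failed or no file selected';
    }
    $size = filesize($f['tmp_name']); // measured on the server, not reported by the client
    if ($size === false || $size < 8 || $size > MAX_SWF_BYTES) {
        return 'file is empty or too large';
    }
    // Extension allowlist on the submitted name; the name itself is never used on disk.
    if (strtolower(pathinfo($f['name'], PATHINFO_EXTENSION)) !== 'swf') {
        return 'only .swf files are accepted';
    }
    // $f['type'] comes from the browser and is ignored. Read the file header instead:
    // "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA), then a one-byte version
    // and a 4-byte little-endian length of the uncompressed file.
    $head = file_get_contents($f['tmp_name'], false, null, 0, 8);
    if ($head === false || strlen($head) < 8
        || !in_array(substr($head, 0, 3), ['FWS', 'CWS', 'ZWS'], true)) {
        return 'file content is not SWF';
    }
    // For an uncompressed file the declared length must equal the real size.
    $declared = unpack('V', substr($head, 4, 4))[1];
    if ($head[0] === 'F' && $declared !== $size) {
        return 'SWF header length does not match file size';
    }
    return null;
}

/** Stores a checked upload under a server-generated name and returns that name. */
function store_swf_upload(array $f, string $dir): string
{
    $error = check_swf_upload($f);
    if ($error !== null) {
        throw new RuntimeException($error);
    }
    $name = bin2hex(random_bytes(16)) . '.swf'; // no client-chosen characters in the path
    if (!move_uploaded_file($f['tmp_name'], $dir . '/' . $name)) {
        throw new RuntimeException('could not store upload');
    }
    return $name;
}
```

Call it as store_swf_upload($_FILES['uploadFile'], $dir), with $dir pointing at a directory where the web server does not execute scripts.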

This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.