How to Allow or Block Certain File Extensions with File Uploads with Python in Django

In this article, we show how to allow or block certain file extensions during file uploads with Python in Django.

So imagine you create a file uploader form on your website so that users can uploads files.

However, you want to filter the type of files that can be submitted.

You may also want a user to be able to upload only certain types of files.

For example, maybe you just want the user to be able to upload PDF documents (.pdf) or Word documents (.doc or .docx).

Another example it is a video uploader form, you may only want the user to be able to upload .mp4, .webm, or .ogg files.

So how can this be done in Python in the Django framework?

And the best way to do this is just to create a custom function that validates what you want.

You would put this validator function in the validators.py file of the app that you're working with.

We'll show how to do all of this below.

We'll do 2 examples.

In one example, we create a validator function that only allows .pdf, .doc, and .docx files to be uploaded. This shows how to write a validating function that allows specific file extensions.

In another example, we create a validator function that excludes certain files from being uploaded. We'll write this function so that server-side language files are excluded. We'll specifically exclude .php and .asp files from being uploaded.

How to Allow Only Certain File Extensions to be Uploaded

So let's create a database table in the models.py file.

It will be a very simple table.

It will just have 2 fields, name (name of the file) and the file upload field (where a user can choose the file to upload).

from django.db import models from .validators import validate_file class File(models.Model): name= models.CharField(max_length=500) filepath= models.FileField(upload_to='files/', null=True, blank=False, verbose_name="", validators=[validate_file]) def __str__(self): return self.name + ": " + str(self.filepath)

So we create a database table called File.

We make it very simple.

We simply have name and filepath columns.

name represents the name of the file, such as the title of the file.

filepath represents the pathway to the file.

In this field, filepath, we make the field a FileField. We upload files to the files directory within the media directory. We set null equal t

We then create a __str__ function just so that a generic Object isn't returned when calling a file object.

Just remember that now that you have created the database table in the models.py file, you have to do all migrations, including makemigrations and migrate.

So this is the database table we are working with.

So now we have to create the validator function needed to validate that only PDF (.pdf) and Word (.doc or .docx) files can be uploaded.

Below is the validators.py file.

from django.core.exceptions import ValidationError def validate_file(value): value= str(value) if value.endswith(".pdf") != True and value.endswith(".doc") != True and value.endswith(".docx") != True: raise ValidationError("Only PDF and Word Documents can be uploaded") else: return value

So at the top of the validators.py file, we must import ValidationError from django.core.exceptions

Inside of this file, we specify the function validate_file that passes in the parameter, value.

Remember that the field we created is a FileField.

In order to work with the data in this field with built-in Python functions such as endswith(), we must convert the data to a string.

So we convert value to a string.

We then produce an if statement that if the file doesn't end with ".pdf" or ".doc" or ".docx", then we raise an error, providing the user with the statment, "Only PDF and Word Documents can be uploaded"

If the file ends in any of these, we return the file.

How to Block Certain File Extensions from Being Uploaded

So we showed above to allow certain file extensions to be uploaded.

But what if we want to allow all file extensions, except for a few.

In our code now, we will write code so that only PHP (.php) and ASP (.asp) files are blocked, because they are powerful server-side languages that raise security issues if allowed to be uploaded to a site.

We have the same database table as above.

The only thing we're doing now is writing a new validator function.

from django.core.exceptions import ValidationError def validate_server_language(value): value= str(value) if value.endswith(".php") == True or value.endswith(".asp") == True: raise ValidationError("PHP and ASP files cannot be uploaded for security reasons") else: return value

Remember to import this validator function into the models.py file, with the line, from .validators import validate_server_language, and then pass this function into the database field.

So with this new validating function, all files can be uploaded except for PHP files (.php) or ASP files (.asp).

If either PHP or ASP files are attempted to be uploaded, we output the error to the user, "PHP and ASP files cannot be uploaded for security reasons"

So this is a great way to allow or block certain file extensions in Python. It's great because you can customize what can pass in and what can't by creating your own custom functions.

And this is all that is required to create a file uploader form with Python and Django.

Related Resources

How to Create a Video Uploader with Python in Django

How to Create an Image Uploader with Python in Django