
I have an edit page that allows users to upload a profile image using forms, but the problem is that I keep getting "the format is not acceptable" even if the image type is one of the accepted formats.

This is the code:

if(isset($_POST['parse_var']) == "pic")
    {
        if(!$_FILES['fileField']['tmp_name'])
        {
            $errorMSG = '<font color= "#FF0000">Please browse for an Image  Before you press the button.</font>';
        }
        else
        {
            $maxfilesize = 51200;//in bytes =  50kb
            if($_FILES['fileField']['size']>$maxfilesize)
            {
                $errorMSG = '<font color="#FF0000">Your image was too large, please try again.</font>';
                unlink($_FILES['fileField']['tmp_name']);
            }
            elseif(!preg_match("^.(gif|jpg|png)$/i^",$_FILES['fileField']['name']))
            {
                $errorMSG = '<font color="#FF0000">Your Image was not one of the accepted format, please try again</font>';
                unlink($_FILES['fileField']['tmp_name']);
            }
            else
            {
                $newname = "image01.jpg";
                $place_file = move_uploaded_file($_FILES['fileField']['tmp_name'],"members/$id/".$newname);
                $message='<font color="#00FF00>Your Image has been upload successfully</font>';
            }
        }//end else

    }//end if

1 Answer


Major problems:

a)

        elseif(!preg_match("^.(gif|jpg|png)$/i^",$_FILES['fileField']['name']))
                            ^---

You should not be using a regex metachar as the pattern delimiter. Try

preg_match('/\.(gif|jpg|png)$/i', ...) instead.

But in a bigger picture view, you shouldn't be matching on filenames at all. Filenames can be forged. You should be doing server-side MIME-type determination (e.g. via file_info()) instead.

b)

You are NOT properly checking for upload success. The presence of a ['tmp_name'] in the $_FILES array means NOTHING. Failed uploads can STILL produce a tmp_name, yet you end up with garbage. Always use something like this:

if ($_FILES['fileField']['error'] !== UPLOAD_ERR_OK) {
   die("Upload failed with error code " . $_FILES['fileField']['error']);
}

The error codes are defined here: http://php.net/manual/en/features.file-upload.errors.php

c) (minor)

You do not need to unlink the temp files. PHP does that automatically when the script exits.

d) (stylistically HUGE error)

font tags? in 2013? The 1990s called and want their HTML 1.0 back...


3 Comments

Easy on me, I am new to web development and it is the first time I use the upload function.
I just have a question: how to show the path of the selected image?
The only path you'll see is the temporary path to the image, not the actual path on the user's local machine. It's a security measure.
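
The checks the answer recommends (upload error code first, then a server-side type check instead of the filename), as an added example that is not part of the original question or answer. It assumes PHP's Fileinfo extension (the `finfo` class) for content sniffing; `check_image_upload()`, the `ALLOWED` map and the sample files are hypothetical names and constructed data.

```php
<?php
// Added example: validate one $_FILES entry by upload status, size and content.
const ALLOWED = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

/** Returns the extension to store the file under, or throws on rejection. */
function check_image_upload(array $f, int $maxBytes = 51200): string
{
    // 1. Upload status first: a tmp_name alone proves nothing.
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($f['error'] ?? 'none'));
    }
    // 2. Size measured on the server rather than taken from the request.
    $size = filesize($f['tmp_name']);
    if ($size === false || $size > $maxBytes) {
        throw new RuntimeException('Image too large');
    }
    // 3. Type sniffed from the content; $f['name'] and $f['type'] are client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("Rejected content type: $mime");
    }
    return ALLOWED[$mime];
}

// In the real handler (assumed wiring; $id must already be a validated integer):
//   $ext = check_image_upload($_FILES['fileField']);
//   move_uploaded_file($_FILES['fileField']['tmp_name'], "members/$id/image01.$ext");

// Constructed samples: a minimal GIF and a PHP script, both with misleading names.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'not an image'; ?>\n");

$samples = [
    ['name' => 'avatar.txt', 'tmp_name' => $gif, 'error' => UPLOAD_ERR_OK],
    ['name' => 'avatar.png', 'tmp_name' => $php, 'error' => UPLOAD_ERR_OK],
    ['name' => 'avatar.jpg', 'tmp_name' => $gif, 'error' => UPLOAD_ERR_PARTIAL],
];
foreach ($samples as $s) {
    try {
        echo $s['name'], ' -> accepted as ', check_image_upload($s), "\n";
    } catch (RuntimeException $e) {
        echo $s['name'], ' -> ', $e->getMessage(), "\n";
    }
}
unlink($gif);
unlink($php);
```

The stored extension comes from the detected type, so a script uploaded under an image name never lands on disk with a name the client chose.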
