12

I have a simple PHP upload script I have started. I am not the best to PHP. Just looking for some suggestions.

I want to limit my script to only .JPG, .JPEG, .GIF and .PNG

Is this possible?

<?php
/*
    Temp Uploader
*/

    # vars
    $mx=rand();
    $advid=$_REQUEST["advid"];
    $hash=md5(rand);

    # create our temp dir
    mkdir("./uploads/tempads/".$advid."/".$mx."/".$hash."/", 0777, true);

    # upload dir
    $uploaddir = './uploads/tempads/'.$advid.'/'.$mx.'/'.$hash.'/';
    $file = $uploaddir . basename($_FILES['file']['name']);

    // I was thinking of a large IF STATEMENT HERE ..

    # upload the file
    if (move_uploaded_file($_FILES['file']['tmp_name'], $file)) {
      $result = 1;
    } else {
      $result = 0;
    }

    sleep(10);
    echo $result;

?>
Improve this question
1

5 Answers 5

Reset to default
49

Yes, quite easily. But first off, you need some extra bits:

// never assume the upload succeeded
if ($_FILES['file']['error'] !== UPLOAD_ERR_OK) {
   die("Upload failed with error code " . $_FILES['file']['error']);
}

$info = getimagesize($_FILES['file']['tmp_name']);
if ($info === FALSE) {
   die("Unable to determine image type of uploaded file");
}

if (($info[2] !== IMAGETYPE_GIF) && ($info[2] !== IMAGETYPE_JPEG) && ($info[2] !== IMAGETYPE_PNG)) {
   die("Not a gif/jpeg/png");
}

Relevant docs: file upload errors, getimagesize and image constants.

Improve this answer
Sign up to request clarification or add additional context in comments.

9 Comments

Beat me to it - this method makes sure the file is an image, not just named like an image.
The only caveat is that GD is not oob for PHP and can be finicky. finfo_file is standard in PHP after version 5.3.0 and will do a content-based check as well.
How can I check the file resolution too? IE Size if width and height??
"Do not use getimagesize() to check that a given file is a valid image. Use a purpose-built solution such as the Fileinfo extension instead." See php.net/manual/en/function.getimagesize.php
This is BAD and opens up your site to potential remote code execution. Anyone can put exactuable code inside the image header (where the metadata is stored and text is considered valid) and getimagesize will still think it is an image, thus accepting the file and potentially allowing PHP code to be executed server side. Use mime_content_type instead.
|
6

File path isn't necessarily the best way to check if an image really is an image. I could take a malicious javascript file, rename it to have the .jpg extension, and upload it. Now when you try to display it in your website, I may have just compromised your site.

Here is a function to validate it really is an image:

<?php
  function isImage($img){
      return (bool)getimagesize($img);
  }
?>
Improve this answer

1 Comment

Do not use getimagesize() to check that a given file is a valid image. Use a purpose-built solution such as the Fileinfo extension instead. - Docs
5

try this:

<?php

function isimage(){
$type=$_FILES['my-image']['type'];     

$extensions=array('image/jpg','image/jpe','image/jpeg','image/jfif','image/png','image/bmp','image/dib','image/gif');
    if(in_array($type, $extensions)){
        return true;
    }
    else
    {
        return false;
    }
}

    if(isimage()){
        //do codes..
    }

?>
Improve this answer

2 Comments

Your post was flagged as low quality because it was all code. Try explaining what you did.
This was my easiest and worked
-1

Or take a look at: http://php.net/manual/en/function.pathinfo.php

Improve this answer

Comments

-3 
if (substr($_FILES["fieldName"]["name"], strlen($_FILES["fieldName"]["name"])-4) == ".jpg")
{
    if(move_uploaded_file($_FILES["fieldName"]["tmp_name"],$path."/".$_FILES['fieldName']['name']))
    {
        echo "image sucessfully uploaded!";
    }
}

similarly you can check for other image formats too.

Improve this answer

1 Comment

You're assuming the remote user is not malicious and won't just rename nastyvirus.exe to cutekittens.jpg.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.