1

I am trying to upload an image with this script. But it keeps giving me this error: The file you attempted to upload is not allowed. And the files that I tried to upload were jpg and png.

Can someone tell what's going wrong?

if(isset($_POST['upload'])) {

    $allowed_filetypes = array('.jpg','.jpeg','.png','.gif');
    $max_filesize = 10485760;
    $upload_path = 'images/tekeningen/';
    $description = $_POST['imgdesc'];

    $filename = $_FILES['userfile'];
    $ext = substr($filename, strpos($filename,'.'), strlen($filename)-1);

    if(!in_array($ext,$allowed_filetypes))
        die('The file you attempted to upload is not allowed.');

    if(filesize($_FILES['userfile']) > $max_filesize)
        die('The file you attempted to upload is too large.');

    if(!is_writable($upload_path))
        die('You cannot upload to the specified directory, please CHMOD it to 777.');

    if(move_uploaded_file($_FILES['userfile'],$upload_path . $filename)) {
        $query = "INSERT INTO uploads (description) VALUES ($filename, $description)";
        mysql_query($query);

        echo 'Your file upload was successful!';
    } else {
        echo 'There was an error during the file upload.  Please try again.';
    }
}
2
  • 2
    var_dump($ext); and you will find it out. Commented May 17, 2014 at 10:30
  • Your script will fail when there are . in your filename, you should get the extension like this: $ext = pathinfo($filename, PATHINFO_EXTENSION); Commented May 17, 2014 at 10:37

2 Answers

2

You should use

$filename = $_FILES['userfile']['name'];

instead of

$filename = $_FILES['userfile'];

this

filesize($_FILES['userfile']['tmp_name'])

instead of

filesize($_FILES['userfile'])

this

move_uploaded_file($_FILES['userfile']['tmp_name'],$upload_path . $filename)

instead of this

move_uploaded_file($_FILES['userfile'],$upload_path . $filename)

Refer to this tutorial

For security reasons

You should not check only the extension.

Instead of checking only the extension, check the MIME type also.


1

You did not properly get your extension. Your script is not going to work when the filename contains ".".

To get the file extension, I would recommend this

$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));

and removing the . in your allowed extensions like so:

$allowed_filetypes = array('jpg','jpeg','png','gif');
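
The checks recommended in the two answers above (the 'name' and 'tmp_name' keys, the pathinfo() extension, and a MIME check on top of the extension check), combined into one validator. This is an added example, not code from the question or from either answer. It assumes PHP 7+ with the fileinfo extension; validate_image_upload, ALLOWED_IMAGES and the two sample files are constructed for illustration.

```php
<?php
// Added example with constructed names: extension => MIME type its content must have.
const ALLOWED_IMAGES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

// Validates one $_FILES entry; returns the extension or throws with the reason.
function validate_image_upload(array $file, int $maxBytes): string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with error code $error.");
    }
    // Measure the bytes actually received, via tmp_name.
    if (filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('File is too large.');
    }
    // Text after the LAST dot, lower-cased: "my.holiday.GIF" gives "gif".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGES)) {
        throw new RuntimeException("Extension '$ext' is not allowed.");
    }
    // Detect the type from content; $file['type'] is client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_IMAGES[$ext]) {
        throw new RuntimeException("Content is $mime, expected " . ALLOWED_IMAGES[$ext] . '.');
    }
    return $ext;
}

// Constructed sample inputs shaped like $_FILES['userfile'].
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "plain text renamed to look like an image\n");
$samples = [
    ['name' => 'my.holiday.GIF', 'tmp_name' => $gif, 'error' => UPLOAD_ERR_OK],
    ['name' => 'notes.jpg',      'tmp_name' => $txt, 'error' => UPLOAD_ERR_OK],
];
foreach ($samples as $file) {
    try {
        $ext = validate_image_upload($file, 10485760);
        // Store under a server-generated name, never the client-supplied one.
        echo $file['name'], ' accepted, store as ', bin2hex(random_bytes(8)), ".$ext\n";
    } catch (RuntimeException $e) {
        echo $file['name'], ' rejected: ', $e->getMessage(), "\n";
    }
    unlink($file['tmp_name']);
}
```

In a real handler the validated entry's 'tmp_name' is then passed to move_uploaded_file(), which also confirms that the file arrived through an HTTP POST upload.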
