0

I am creating my own website at http://harrisonprograms.com and I have a problem on the profile page.

The problem is I have created a PHP script that will upload an image to the server for example the image directory might be Users/whatevertheusername/imagename.png and then add a string reference to it in MySQL on the users MySQL row. However before the script performs this it checks if the file uploaded is an image file using the substring function, I can't post an image because my reputation isn't high enough so here's the code in text

if(isset($_POST['SUBMITFILE2'])){

$imageName = $_FILES['UPLFILE2']['name'];
$imageData = file_get_contents($_FILES['UPLFILE2']['tmp_name']);
$imageType = $_FILES['UPLFILE2']['type'];

//VALIDATE WHETHER FILE IS AN IMAGE OR NOT
if(substr("$imageName", 0, 5) == 'image'){

The thing I can't understand is it used to work and validate if the file was an image or not but now it has stopped working and I don't know why.

Improve this question
8
  • 5 lines of code; that's it? Add error reporting to the top of your file(s) right after your opening <?php tag error_reporting(E_ALL); ini_set('display_errors', 1); see if it yields anything Commented Sep 30, 2014 at 20:39
  • your substr() is actully using the string "$imageName" not the variable. and even if it did the name of the image is not much help - you say this actully worked once ? Commented Sep 30, 2014 at 20:42
  • I'm not sure if I clearly understand your problem, but you check if uploaded file is an image by checking its name? So if I upload file called imagename.pdf it also pass your validation? Commented Sep 30, 2014 at 20:43
  • 4
    imageVIRUS.exe - yup that's fine :-) Commented Sep 30, 2014 at 20:44
  • It said that the file_get_contents() Filename cannot be empty Commented Sep 30, 2014 at 20:45

3 Answers 3

Reset to default
3

So the checking file type by name or extension is not good, because you can easily change it by plain remane function. You can check if uploaded file is an image using e.g. mime type. In php you have function mime_content_type(). Example of usage:

$imageMimeTypes = array(
    'image/png',
    'image/gif',
    'image/jpeg');

$fileMimeType = mime_content_type($_FILES['UPLFILE2']['tmp_name']);

if (in_array($fileMimeType, $imageMimeTypes)) {
    //passed validation 
}

Of course you can define more mime types of images.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you marian this was very helpful It helped determine if the file was an image or not and now I can add more image types if I like, I also have learnt something about uploading files thank you.
0

you can use exif_imagetype to Determine the type of an image

Improve this answer

Comments

0

Pretty sure you can find your answer here : php check file extension in upload form

$allowed =  array('gif','png' ,'jpg'); //extension allowed
$filename = $_FILES['video_file']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if(!in_array($ext,$allowed) ) {
    echo 'error';
}else{
//your extra code...
}
Improve this answer

2 Comments

Don't see your point, if he only want image format type to be uploaded this will work just fine.. if you take a .txt or a .exe and change the extension to a .png, sure it's will pass but it's will just be a broken png. Now if you can enter on the server change back the extension to .exe then run it, it's another story!
I will try this in a sec but it says my input file is undefined and I know why.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.