
I'm trying to create user avatars. I'm just trying to make sure it's secure. What is the best way to check that the file is an actual image, and not anything else?

I've tried this:

$check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
if($check !== false) {
    echo "File is an image - " . $check["mime"] . ".";
} else {
    echo "File is not an image.";
}

Although this seems to work on some images, other images like photos seem to make it fail. Photos that I've taken with my phone make it say "File is not an image", while others make it appear as an image.

I've also been checking the file formats:

if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
}

Comment: You have $imageFileType = $_FILES["fileToUpload"]["type"]. (Commented Jan 26, 2017 at 4:11)

3 Answers


You can use the PHP 5 function

mime_content_type ( string $filename )

PHP doc here: http://php.net/manual/fr/function.mime-content-type.php

This will return, for example, "image/jpg". Parse the result, and voilà! This way you don't have to go through all the different types.
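As an added example (not code from the question or from this answer), here is the Fileinfo approach applied the way an avatar uploader needs it: detect the type from the file's bytes, map it through an allowlist, and ignore the client-supplied name and `$_FILES["type"]` entirely. The sample files are constructed in place from each format's magic bytes so the script runs offline, and their names are chosen to disagree with their content to show that detection follows the bytes. It assumes PHP with the bundled Fileinfo extension; the function and constant names are the example's own.

```php
<?php
// Added example: content-based image type detection with Fileinfo (finfo).
// The sample files are constructed below from magic bytes; nothing is uploaded.
declare(strict_types=1);

// Allowlist keyed by the MIME type finfo reports (JPEGs come back as
// image/jpeg), mapped to the extension the avatar will be stored under.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Sniff the file's content and return the canonical extension for an
 * allowed image type, or null when the content is not an allowed image.
 * The file name, its extension and $_FILES["type"] are never consulted.
 */
function detectAllowedImageExtension(string $path): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime] ?? null;
}

// Constructed samples (name => bytes). Each starts with the signature the
// format is recognised by; the names deliberately disagree with the content.
$samples = [
    // PNG signature plus the start of an IHDR chunk, but named .jpg:
    // sniffing reports image/png, so it would be stored as .png, not .jpg.
    'holiday.jpg'    => "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR",
    // JPEG SOI marker followed by an APP0/JFIF segment header.
    'avatar.jpeg'    => "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    'anim.gif'       => "GIF89a",
    // PHP source with a double extension: an extension check (last component
    // is "jpg") lets it through, content sniffing (text/x-php) rejects it.
    'upload.php.jpg' => "<?php echo 'not an image'; ?>\n",
    // Plain text renamed to .png: rejected.
    'notes.png'      => "just some text\n",
];

$tmpDir = sys_get_temp_dir();
foreach ($samples as $name => $bytes) {
    $path = $tmpDir . DIRECTORY_SEPARATOR . $name;
    file_put_contents($path, $bytes);
    $ext = detectAllowedImageExtension($path);
    printf("%-16s -> %s\n", $name, $ext === null ? 'rejected' : "accepted, store as .$ext");
    unlink($path);
}
```

Fileinfo only inspects the leading bytes, so a file that begins with a valid image header and carries something else further in still passes this stage. Treat it as a type gate that decides which decoder to hand the file to, and combine it with an actual decode of the image before storing anything.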



You can use getimagesize() directly and it will return a zero value for files that are not images.

Comments

It shows an error whenever I upload certain photos though.
Use $img = @imagecreatefromstring(@file_get_contents($path_to_img)); if the result is false, your uploaded file is not an image. If true, boom!!
Sorry for mentioning getimagesize() again. The issue you are facing is because of the meta tags of the image: most images contain hidden meta tags, and because of that your result is not accurate, but imagecreatefromstring will do the trick.
"Caution: This function expects filename to be a valid image file. If a non-image file is supplied, it may be incorrectly detected as an image and the function will return successfully, but the array may contain nonsensical values. Do not use getimagesize() to check that a given file is a valid image. Use a purpose-built solution such as the Fileinfo extension instead." - php.net/manual/en/function.getimagesize.php

<?php
$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION)); // lower-case so ".JPG" passes the check below
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
// Check if file already exists
if (file_exists($target_file)) {
    echo "Sorry, file already exists.";
    $uploadOk = 0;
}
// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, your file is too large.";
    $uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
    $uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded.";
    } else {
        echo "Sorry, there was an error uploading your file.";
    }
}
?>

Comments

Downvoted for copy/paste of W3Schools page. That's the code most people finding this are trying to troubleshoot...
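The following is an added example, not the W3Schools code above and not from the question. It puts together the pieces raised in this thread: the extension and `$_FILES["type"]` are ignored, the content is sniffed with Fileinfo, the image is really decoded with imagecreatefromstring() as the comment on the previous answer suggests, and it is then re-encoded so that the stored file is a freshly rendered PNG under a random name. The form field name comes from the question; the upload directory, limits, and the `storeAvatar` name are assumptions for the example, and the `$requireUploaded` switch exists only so the offline demo at the bottom can run. It assumes the Fileinfo and GD extensions.

```php
<?php
// Added example: hardened avatar upload handler. Not the answer's code.
// Field name from the question; directory and limits are assumptions.
// Requires the Fileinfo and GD extensions.
declare(strict_types=1);

const AVATAR_FIELD     = 'fileToUpload';        // form field name from the question
const AVATAR_DIR       = __DIR__ . '/uploads';  // assumed; better: a dir outside the web root
const AVATAR_MAX_BYTES = 500000;                // same limit as the answer above
const AVATAR_MAX_SIDE  = 4096;                  // refuse huge dimensions before decoding
const AVATAR_MIME_ALLOWED = ['image/jpeg', 'image/png', 'image/gif'];

/**
 * Validate one $_FILES entry and store it. Returns the new file name or throws
 * RuntimeException with a user-safe message. Keep $requireUploaded true in a
 * web handler; it is false only for the offline demo below.
 */
function storeAvatar(array $file, string $dir, bool $requireUploaded = true): string
{
    // 1. PHP must report a successful upload for this field.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    $tmp = $file['tmp_name'];
    // 2. Refuse a tmp_name that PHP did not create for this request.
    if ($requireUploaded && !is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // 3. Size from the file on disk, not from the client-controlled array.
    if (filesize($tmp) > AVATAR_MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // 4. Type from content. $file['type'] and the original name are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!in_array($mime, AVATAR_MIME_ALLOWED, true)) {
        throw new RuntimeException('Only JPEG, PNG and GIF images are allowed.');
    }
    // 5. Header sanity (dimensions), then a real decode: getimagesize() alone
    //    is not proof, imagecreatefromstring() has to parse the whole image.
    $info = @getimagesize($tmp);
    if ($info === false || $info[0] < 1 || $info[1] < 1
        || $info[0] > AVATAR_MAX_SIDE || $info[1] > AVATAR_MAX_SIDE) {
        throw new RuntimeException('Not a usable image.');
    }
    $img = @imagecreatefromstring((string) file_get_contents($tmp));
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded.');
    }
    // 6. Re-encode to PNG under a random name: only pixels survive, so EXIF,
    //    comments and anything appended after the image data are gone.
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('Storage unavailable.');
    }
    $name = bin2hex(random_bytes(16)) . '.png';
    imagesavealpha($img, true);
    if (!imagepng($img, $dir . DIRECTORY_SEPARATOR . $name)) {
        throw new RuntimeException('Could not save image.');
    }
    imagedestroy($img);
    return $name;
}

if (PHP_SAPI !== 'cli') {
    // Web usage: the handler behind the question's form.
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES[AVATAR_FIELD])) {
        try {
            echo 'Stored as ', htmlspecialchars(storeAvatar($_FILES[AVATAR_FIELD], AVATAR_DIR)), "\n";
        } catch (RuntimeException $e) {
            echo htmlspecialchars($e->getMessage()), "\n";
        }
    }
    exit;
}

// Offline demo: a constructed 8x8 PNG stands in for the upload. Its $_FILES
// entry lies about the type and the extension; the content check wins.
$tmpUpload = tempnam(sys_get_temp_dir(), 'avatar');
$demo = imagecreatetruecolor(8, 8);
imagefill($demo, 0, 0, imagecolorallocate($demo, 30, 144, 255));
imagepng($demo, $tmpUpload);
imagedestroy($demo);
$fake = ['name' => 'me.jpg', 'type' => 'image/jpeg', 'tmp_name' => $tmpUpload,
         'error' => UPLOAD_ERR_OK, 'size' => filesize($tmpUpload)];
$demoDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'avatars_demo';
echo 'PNG named .jpg: stored as ', storeAvatar($fake, $demoDir, false), "\n";

// Same entry, but the temp file now holds PHP source: rejected at step 4.
file_put_contents($tmpUpload, "<?php echo 'not an image'; ?>\n");
try {
    storeAvatar($fake, $demoDir, false);
} catch (RuntimeException $e) {
    echo 'PHP file named .jpg: ', $e->getMessage(), "\n";
}
unlink($tmpUpload);
```

Re-encoding costs a little: animated GIFs lose their animation and a JPEG is re-saved as PNG, which is usually acceptable for avatars. In return the original bytes never reach the web root, so a double extension, an embedded script in a comment segment, or data appended after the image end has nothing to execute with, and serving the file under a fixed .png name also stops the "photo with a .php extension" class of mistakes that the extension check alone does not.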
