0

Possible Duplicate:
How can I only allow certain filetypes on upload in php?

How can I make the script below only allow .jpg images or .png images? It uploads an image directory to a MySQL table based on a session username match. Is it possible to restrict the file types? I only need .jpg or .png.

if ($_POST['submit']) {
    //get file attributes

    $Name = $_FILES['myfile']['name'];
    $tmp_name = $_FILES['myfile']['tmp_name'];
    error_reporting(E_ERROR | E_PARSE);

    if ($Name) {
        $location = "avatars/$Name";
        move_uploaded_file($tmp_name, $location) or die('Failed to upload picture');
        $query = mysql_query("UPDATE fgusers3 SET imagelocation='$location' WHERE name='$name'") or die("Your profile image has been uploaded!");
    }
}



echo "Upload your image below:
  <form action='profilepic.php' method='POST' enctype='multipart/form-data'>
   Profile Picture: <input type='file' name='myfile'> <input type='submit' name='submit' value='upload'>
   </form>";
James Sables

6 Answers

1

You can try using pathinfo & exif_imagetype

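// exif_imagetype() has to read the uploaded temp file; $Name is only the client-supplied file name
if(pathinfo($Name,PATHINFO_EXTENSION) != "jpg" || exif_imagetype($tmp_name) != IMAGETYPE_JPEG)
{
    // throw error
}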

See More Info to detect Fake Images

Baba
1
if($_FILES){
    $allowedExtensions = array("jpg","png");

    foreach($_FILES as $key=>$val){
        if(!empty($val['tmp_name'])){
            // pathinfo() avoids passing explode()'s result to end(), which expects a variable by reference
            $ext = strtolower(pathinfo($val['name'], PATHINFO_EXTENSION));
            if(in_array($ext,$allowedExtensions)){
                $file = 'PATH_TO_UPLOAD'.basename($val['name']);

                if(move_uploaded_file($val['tmp_name'],$file)){
                    //SUCCESS_MESSAGE
                }
            }else{
                //FAIL_MESSAGE
            }
        }
    }
}
Samuel Cook
1

You can use exif_imagetype($tmp_name) to check the actual type of the file based on its header. This checks the type based on the contents of the file, so it is the most reliable (e.g. it will give you the right information even if somebody gives you a JPG with a ".png" extension).

There is also the type property ($_FILES['myfile']['type']), which will give you the MIME type that the browser claims the file is. However, this cannot be trusted if someone maliciously forges the request.

Jakub Wasilewski
0
$whitelist = array(".jpg",".png");
foreach ($whitelist as $item) {
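  // preg_quote() keeps the "." in the extension literal instead of matching any character
  if(preg_match('/' . preg_quote($item, '/') . '$/i', $_FILES['uploadfile']['name'])) {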
    $uploaddir='uploads/uploads_image/';
    // or code
  }
}
Majid Fouladpour
StaticVariable
0

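$imageType = getimagesize($tmp_name);
// getimagesize() returns false for non-images and reports JPEG files as "image/jpeg"
if ($imageType === false || ($imageType['mime'] != "image/jpeg" && $imageType['mime'] != "image/png")) {
    // error code here.
}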

It is a bit safer than checking the extension, as the extension can be changed easily. The mime type can be changed as well but requires more knowledge xD

aleation
0

Of course, you can limit by file extension, but it's not safe. You can try renaming a GIF file and uploading it. Using the MIME type to detect the file type is a little bit safer (but still no guarantee). Look at: How do I find the mime-type of a file with php?

I think it is safer to try to get the size of the image, or to check whether converting it to another image type succeeds.

Anton Bessonov
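The answers above agree that the file's content, not its name or the browser-supplied MIME type, should decide whether an upload is accepted. The following is an added example, not code from any of the answers, that combines that check with a server-generated file name. It assumes PHP 7.1 or later; the function names `allowed_image_extension` and `store_avatar` and the sample files are constructed for illustration.

```php
<?php
// Added example (not from the answers above); function names are hypothetical.
const ALLOWED_TYPES = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];

// Returns 'jpg' or 'png' based on the file's bytes, or null if it is neither.
// The client-supplied name and MIME type are never consulted.
function allowed_image_extension(string $path): ?string
{
    $info = @getimagesize($path);            // false if not a recognizable image
    if ($info === false) {
        return null;
    }
    return ALLOWED_TYPES[$info[2]] ?? null;  // $info[2] is an IMAGETYPE_* constant
}

// Handles one $_FILES entry; returns the stored path, or null if rejected.
function store_avatar(array $file, string $dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = allowed_image_extension($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Server-generated name with the detected extension, not the uploaded name.
    $target = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Command-line demo on constructed sample files.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir();
    // Constructed sample: a 1x1 PNG saved under a misleading ".jpg" name.
    $real = "$dir/sample_real.jpg";
    file_put_contents($real, base64_decode(
        'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
    ));
    // Constructed sample: plain text saved under a ".png" name.
    $fake = "$dir/sample_fake.png";
    file_put_contents($fake, "this is not an image\n");

    var_dump(allowed_image_extension($real));
    var_dump(allowed_image_extension($fake));
    unlink($real);
    unlink($fake);
}
```

In the upload script, `store_avatar($_FILES['myfile'], 'avatars')` would replace the direct `move_uploaded_file()` call. `getimagesize()` only inspects the file header, so re-encoding the image, as the last answer suggests, is the stricter check.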