So I've written a script to upload a user avatar to the server and change the URL to it in the database (thanks to YT tutorials :) ). And now I wish to add a file check so that the user doesn't upload other files than JPG, JPEG, PNG, GIF, or ones that are bigger than 10MB. The second thing I want to do is, when a user uploads his avatar, remove the old one and change the name of the file to a random number..

So now I'm stuck a little bit and don't know where to begin; could someone please help with it? :) I could not find a useful tutorial on Google which would fit this code as simply as possible..

The code I wrote so far;

if (isset($_POST['submit'])) {
    $name = $_FILES['myfile']['name'];
    $tmp_name = $_FILES['myfile']['tmp_name'];
    $allowedExts = array("jpg", "jpeg", "gif", "png");

    if ($name) {
        $location = "uploads/avatars/$name";
        move_uploaded_file($tmp_name, $location);

        $query = mysql_query("UPDATE users SET avatar = '$name' WHERE id = '$session_user_id'");
        echo 'Your avatar has been changed successfully!';
    } else {
        echo 'Please select a file! Following are supported; JPG, JPEG, PNG, GIF!';
    }
}
Piggie
    The answers have been given. However, I will add one bit: SANITIZATION. $_FILES['var']['name'] should not be trusted, as it is modifiable (and therefore, could very well include, say... `../../config.php`). – Sébastien Renauld Nov 18 '12 at 17:35

4 Answers


You should check the 'type' and 'size' fields of the $_FILES associative array to validate the type of file you are receiving (an image in your case) and the size of the file.

Hernan Velasquez

File size

Global limit

You can limit the file size globally in php.ini:

upload_max_filesize = 10M

Local limit

Alternatively, you can do something like this:

define('IMG_MAX_SIZE', 10485760); // 10 MB

if ($_FILES['file']['size'] > IMG_MAX_SIZE) {
    // display error message then exit
}
// save image

File type

It's not a good idea to check the extension

You could check the extension but this does not mean that the file is really of the type indicated by it. It can be a video renamed to .png.

Check the mime type reported by the client

To determine the real type, check the mime type the client has returned:

$allowed_types = array('image/png', 'image/jpeg', 'image/gif');
if (!in_array($_FILES['file']['type'], $allowed_types)) {
    // display error message (invalid file type) then exit
}

Determine the real mime type after saving

If you want to make it really sure that the file is of the correct type (the client can report whatever type it wants so malicious users can trick your script), check it after saving the file with Fileinfo:

http://php.net/manual/en/function.finfo-file.php

$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime_type = finfo_file($finfo, $filename); // type detected from the file contents
finfo_close($finfo);

if (!in_array($mime_type, $allowed_types)) {
    // display error message (invalid file type) then exit
}
Botond Balázs

It looks like you're halfway there. Just check the file extension against the $allowedExts array.

<?php
if (isset($_POST['submit'])) {
    $name = $_FILES['myfile']['name'];
    $tmp_name = $_FILES['myfile']['tmp_name'];
    $allowedExts = array("jpg", "jpeg", "gif", "png");
    // pathinfo() avoids the "only variables should be passed by reference" notice of end(explode(...))
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $isValidFormat = in_array($ext, $allowedExts);
    $fileSize = $_FILES['myfile']['size'];
    $maxFileSize = 10485760; // == 10M
    if ($isValidFormat && $fileSize < $maxFileSize) { // Changed the if statement
        $location = "uploads/avatars/$name";
        move_uploaded_file($tmp_name, $location);

        $query = mysql_query("UPDATE users SET avatar = '$name' WHERE id = '$session_user_id'");
        echo 'Your avatar has been changed successfully!';
    } else {
        echo 'Please select a file! Following are supported; JPG, JPEG, PNG, GIF!';
    }
}
?>
fimas
if($_FILES){
    $allowedExtensions = array("jpg", "jpeg", "gif", "png");
    $f = $_FILES;

    foreach($f as $key=>$val){
        if(!empty($val['tmp_name'])){
            // pathinfo() instead of end(explode(...)) to avoid a pass-by-reference notice
            $ext = strtolower(pathinfo(basename($val['name']), PATHINFO_EXTENSION));

            if($val['size'] > 10485760){ // handle size
                echo 'Image is too large';
            }elseif(!in_array($ext,$allowedExtensions)){ // handle extension
                echo 'Please select a file! Following are supported; JPG, JPEG, PNG, GIF!';
            }else{
                $val['name'] = 'YOUR_RANDOM_FILE_NAME.'.$ext; // keep the dot before the extension
                $location = "uploads/avatars/".basename($val['name']);

                if(move_uploaded_file($val['tmp_name'],$location)){ //handle upload

                    $query = mysql_query("UPDATE users SET avatar = '".$val['name']."' WHERE id = '$session_user_id'");
                    echo 'Your avatar has been changed successfully!';

                }else{
                    echo 'An error occurred on upload.';
                }
            }
        }
    }
}
Samuel Cook
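The pieces from the answers above combined into one handler, as an added example that is not code from any of the answers: the size limit and finfo-detected MIME type from Botond Balázs's answer, a server-chosen random filename as in Samuel Cook's answer, and removal of the previous avatar as the question asked. It assumes PHP 7+, the form field myfile and the directory uploads/avatars from the question, a variable $oldAvatar already loaded from the database (null if none), and an assumed PDO connection $pdo with a prepared statement in place of the answers' mysql_query().

```php
<?php
// Added example, not from any of the answers above. Assumes PHP 7+, a form field
// named 'myfile', the directory 'uploads/avatars', and $oldAvatar holding the
// current avatar filename from the database (null if none).
const IMG_MAX_SIZE = 10485760; // 10 MB
// Accepted MIME types as detected from file contents, mapped to the stored extension.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Validates and stores an upload. Returns the new filename, or a string
// starting with "Error:" describing why the upload was rejected.
function storeAvatar(array $file, $uploadDir, $oldAvatar = null)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'Error: please select a file.';
    }
    if ($file['size'] > IMG_MAX_SIZE) {            // server-side size limit
        return 'Error: image is too large (max 10 MB).';
    }
    // Real type comes from the file contents, not from $file['type'] or the extension.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_TYPES)) {
        return 'Error: only JPG, JPEG, PNG and GIF files are supported.';
    }
    // Server-chosen random name; the client-supplied $file['name'] never reaches a path.
    $newName = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dir     = rtrim($uploadDir, '/') . '/';
    if (!move_uploaded_file($file['tmp_name'], $dir . $newName)) {
        return 'Error: the upload could not be saved.';
    }
    // Delete the previous avatar, but only a bare filename inside the upload directory.
    if ($oldAvatar !== null && $oldAvatar === basename($oldAvatar) && is_file($dir . $oldAvatar)) {
        unlink($dir . $oldAvatar);
    }
    return $newName;
}

if (isset($_POST['submit'], $_FILES['myfile'])) {
    $result = storeAvatar($_FILES['myfile'], 'uploads/avatars', $oldAvatar);
    if (strncmp($result, 'Error:', 6) === 0) {
        echo $result;
    } else {
        // Store the name with a prepared statement ($pdo is an assumed PDO connection).
        $stmt = $pdo->prepare('UPDATE users SET avatar = ? WHERE id = ?');
        $stmt->execute([$result, $session_user_id]);
        echo 'Your avatar has been changed successfully!';
    }
}
```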