
I am trying to check that an uploaded image is a PNG, JPG or GIF and not just check the file extension. I am trying the following:

```php
$allowed_types = array(IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF);
$detectedType = exif_imagetype($_FILES['file_to_upload']['tmp_name']);
if (!in_array($detectedType, $allowed_types)) {
    die('Please upload a pdf or an image ');
}

//code to handle image
```

However I am receiving an alert even if it is an image. Can anyone point me towards why?

spbrad
  • Why downvote without any comment? – spbrad Apr 24 '17 at 17:09
  • Possible duplicate of [php check file extension in upload form](http://stackoverflow.com/questions/10456113/php-check-file-extension-in-upload-form) – shaggy Apr 24 '17 at 23:01
  • @shaggy I was trying to find out the extension from exif data, not by stating the names of the allowed extensions in an array, so not a duplicate – spbrad Apr 25 '17 at 00:47
  • Using mime type [is not accurate](http://stackoverflow.com/questions/7349473/php-file-upload-mime-or-extension-based-verification), why do you want to use it? – shaggy Apr 25 '17 at 08:38
  • @shaggy, to be sure that the files are actual image files and not a malicious file that has been given the extension .jpg, .png etc. How would you suggest the correct way if this is wrong? – spbrad Apr 25 '17 at 12:40
  • Your code is the way you get a malicious file uploaded. Look at my previous comments, there is the right solution (both links). – shaggy Apr 25 '17 at 16:02

1 Answer


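Should have been:

```php
$allowed_types = array(IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF);
// The key must match the name attribute of the file input ('file' here).
// exif_imagetype() reads the file signature and returns false if it is not a known image type.
$detectedType = exif_imagetype($_FILES['file']['tmp_name']);
if (!in_array($detectedType, $allowed_types)) {
    die('Please upload a pdf or an image ');
}
```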
spbrad
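A fuller upload handler built around the same `exif_imagetype()` check, as an added example that is not part of the original question or answer. It assumes the form field is named `file` as in the answer; the function name `store_uploaded_image` and the `uploads` directory are hypothetical.

```php
<?php
// Added example: validate an upload by content, then store it under a
// server-chosen name so the client-supplied name and extension are never used.
// Assumptions: form field 'file'; hypothetical storage directory 'uploads'.

function store_uploaded_image(array $file, string $uploadDir): string
{
    // A wrong field name or a failed upload ends up here instead of
    // reaching the type check with an empty path.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or field name is wrong.');
    }
    // Only accept paths that PHP itself created for this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }

    $allowed = [IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF];
    // exif_imagetype() inspects the leading bytes; false means no known signature.
    $type = @exif_imagetype($file['tmp_name']);
    if ($type === false || !in_array($type, $allowed, true)) {
        throw new RuntimeException('Please upload a PNG, JPEG or GIF image.');
    }
    // The signature covers only the first bytes; also require a parsable header.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a readable image.');
    }

    // Random name plus an extension derived from the detected type
    // (image_type_to_extension() returns e.g. ".png"), so a file uploaded
    // as "x.php" can never be stored with that extension.
    $name = bin2hex(random_bytes(16)) . image_type_to_extension($type);
    $target = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $target;
}

try {
    $path = store_uploaded_image($_FILES['file'] ?? [], __DIR__ . '/uploads');
    echo 'Stored as ' . basename($path);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo $e->getMessage();
}
```

A passing signature check does not guarantee the rest of the file is harmless, so the storage directory should also be one the web server does not execute scripts from.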