Jump to content


  • Posts

  • Joined

  • Last visited

  • Days Won


Posts posted by phppup

  1. And I thought this was gonna be easy. LOL

    Is this a correct and effective use for security:


    foreach ($_FILES['files']['tmp_name'] as $key => $value)  { 

            if( !empty($value) && is_uploaded_file( $value )){
                //FILE is REAL
                return true;


    Does getimagesize() serve any purpose beyond obtaining the MIME type?

    How do I re-create a TIFF file?

  2. Quote

    foreach ($_FILES['files']['tmp_name'] as $key => $value)  { 

            if( !empty($value) && is_uploaded_file( $value )){
                //FILE is REAL
                return true;


    Is there a way to test it's functionality?

    Best way to ensure a TIFF is truly an image file?

  3. I've got the is_uploaded_file in place.

    Let's assume a user attempts to upload several images and the second file is an empty NOT-uploaded file.

    Is it safe to CONTINUE my loop and rename the other files?
    Or is it more advisable to BREAK the loop immediately.

    Getting back to my initial thread, for file authentication, what is the equivalent to imagecreatefromjpeg for a TIFF file?
    What's the best way to handle them to minimize vulnerability?

  4. Quote

    Would an enormous overload of memory generally be a maliciously inspired? Or simply a by-product of a particular image's content?

    Yes to both, huh?  Interesting


    string is exactly equal to the size of the file.

    Got it.

    I suppose every pixel is individually represented.

    I wasn't sure if the inner workings of an image allowed for coding that might say "each corner is black" or "top half is blue."

    A few lines of code can create miles of resulting data, but I guess an image file is more literal in it's formatting.

    Although there must be a differentiation somewhere down the line.  A camera can be set to take the same photo at different file size or different quality settings (what's the best combination when trying to budget a memory card?)

    And yet, the same photograph will produce a different file size when created in raw, jpg, or others. But that's probably a different chapter. LOL

  5. Quote

    My point is that there is a function to load any supported image type from a string, so why not a function to load any supported image type from a file too?

    I'll take a stab at this and say that a string becomes somewhat universal, but a file has stricter parameters that dictate it's handling.

    I would also suspect that while the average user accepts whatever file is afforded, there are probably pros and cons from an artistic/ photo/ graphic perspective and different image file types offer quality and access benefits.


    Because the size of an image file does not correlate with the size of the image it contains

    Would an enormous overload of memory generally be a maliciously inspired? Or simply a by-product of a particular image's content?

    Will resizing an image to a smaller file size automatically reduce it's maximum display size? It's color quality? Pixel saturation?

    I've not truly figured out what is being reduced and how the file is effected.

    So if an image file is stored in a db (not my intention, but I've seen many examples) is the file stored or is it translated into a string?  Is the 'size' of a string generally smaller than the image file it supports?

  6. Quote




    Is there a "imagecreatefromfile" that's like imagecreatefromstring but works on files directly?

    No. Why not?

    Because as long as you know the type of file your chasing, you can select the appropriate imagecreatefrom... command!

    (Not gonna ask what happens if you use the wrong one... LoL)


    For sufficiently small images...

    I was planning to resize images AFTER the upload. So image size is an unknown.

    With that in mind, I will try to maximize the allowable file size, but I'm guessing even that has limitations (regardless of my intentions for the new file)?

  7. My confusion deepens.

    It seems as if imagecreate and imagecreatefromjpeg would be cousins, with ...from jpeg being more appropriate for validation.  Am I correct in assuming that each extension needs is own ...createfromXYZ for accurate info?

    is_uploaded_file seems as if it's çlosing the barn after the horse has escaped.  If it returns FALSE, but already has a tmpname, isn't the damage already underway? Does not working/moving the particular file "save the day"?

    So we're talking non-PHP coding to validate BEFORE upload (if I choose to be ultra user-friendly?

    I appreciate your help, but regarding getimagesuze, PHP.net has a CAUTIONARY note stating: 


    Do not use getimagesize() to check that a given file is a valid image. Use a purpose-built solution 

    Thus, my confusion escalates.

  8. Secret doing some reading too educate myself, I am now more confused than before. LoL

    Trying to understand the most effective method to verify that an image is truly what is claimed.

    But the differences between using imagecreate, imagecreatefromjpeg, and is_uploaded_file are not easily noticed.

    Likewise, I read that it is best to check the image BEFORE uploading. But isn't the image already uploaded when submitted (although not yet moved or renamed)?

  9. On a somewhat related issue, I've seen a lot of 'ideas' floated "on the internet" and was wondering about this:



    echo "<script> alert('test');



    In this snippet, does PHP move the JavaScript code for client side accessibility? Or does this example add an additional burden to the server by transferring JS requirements to a server side function?

  10. While working with some PHP (contained within the same webpage) it occurred to me that using JavaScript to evaluate a form submission could alleviate server traffic; it seemed like a good idea that if the form was incomplete the JS could terminate the form and the PHP would never be run.

    As a preliminary step, i adapted this code



    document.getElementById("btn").addEventListener("click", displayDate);

    function displayDate() {

    alert (Date());  
    return false;


    My expectation was that when BTN was clicked, the ALERT would fire, and RETURN false would prevent other processes from running (similar to a DIE() in PHP).

    Instead, the ALERT was triggered, but my PHP error/confirm msgs followed.

    Rather than leave the validation to PHP, i thought I'd ask for some insight here.


  11. Thanks.

    After some thought, I kinda realized that the starting point coincided with the submittal click. I guess it was too obvious to see initially. LOL

    In playing a bit, I did find that the GIF vanishes of its own, but I thought it was a flaw of some sort, so thanks for the extra info.

  12. Thanks for the explanation. That would so seem to make sense.

    So back to the question:  how do I access the beginning and end of this gap (in order to add a loading GIF?


    [If I'm understand correctly, if I select IMG62, and then IMG01, and then IMG23, my end result (while named sequentially) will be mismatched because of the order they were selected]

  13. I suppose one advantage to having a slow internet connection is that it allows me to see potential issues from a unique perspective.

    With that in mind, I've noticed that selecting images to upload is nearly instantaneous, regardless of size or quantity.

    However, these factors become enormous after clicking the upload button.

    There seems to be a gap between the clicking of the button and the actual start of the upload process.

    (Is the server actually organizing the files and preparing the selected files in the array?)

    The question is, how do I access the beginning and end of this gap (in order to add a loading GIF?

    Essentially, the page is already loaded. It's the file processing/compilation that I'm trying to intercept (or piggy-back).

    Also, can I control which files are uploaded first, second, etc.?

    I know I can change file names, but can I control the order of the actual upload.

    Ex: uploading IMG01, IMG23, IMG62.

    Desired renaming my01, my02, my03, respectively.

    I've tried beginning my PHP script with:


    But the actual uploading seems to be random.

  14. As mentioned, it's a hold-over of an old habit (although my database will probably be restructured next. LOL)

    Still, the double quotes were the only choice that didn't cause an error message.

    How do I get the variable in there? Or is it even worthwhile?

  15. After deciding to venture into the realm of prepared statements, I have this line in my script


    if ($stmt = $conn->prepare('SELECT username FROM users WHERE username = ?')) {

    Everything was working fine. 

    I reviewed my code to adjust it to my old habits, and realized that I had hardcoded the TABLE NAME rather than using a variable.

    I updated my code to


    $table = "users";

    if ($stmt = $conn->prepare('SELECT username FROM $table WHERE username = ?')) {

    and results from my SELECT statement vanished.

    Is the use of a variable for a table's name outdated? Even possible??

  16. Got it.

    (should names be case sensative)

    But AJAX is client side, so sanitizing is still highly recommended within PHP for the server side, right?

    On a related note, I've seen sanitizing examples that trim or remove HTML characters. Shouldn't an entry with such problems simply be rejected rather than repaired?

    Are the PHP sanitizing filters reliable on their own (to replace all the code that was required in the past)?

  17. Thanks. Any other basic tutorial links would be helpful too.

    While developing my script, I noticed that the username is NOT case sensative.

    (There is NO string-to-lowercase in my code, yet it is acting as if it exists)

    Did I miss a step in my database or table?

    Should username disallow case differences (which would limit the number of potential combinations)?

    Passwords come to mind too, of course.

  18. I'm new to AJAX, and I'm working with some 3rd party code as a learning tool.

    Came across this section but:


        type: "POST",  
        url: "my_code.php",  
        data: "username="+ usr,  
        success: function(msg){  

    I would prefer NOT having a my_code.php file, but rather to include the PHP code as part of the single file that already contains all the other scripting.

    Can this be achieved? What do I need to put in the URL line to direct it to self-examine?

    Pros and cons of proceeding this way?


    Thanks folks.

  19. I'm no expert, but in an effort to assist, I would think some simple troubleshooting is in order.

    For starters, your code says:

    if($mail->send()){ header('Location: thank-you.html'); // redirect to 'thank you' page

    } else {

    $errorMessage = 'Oops, something went wrong. Mailer Error: ' . $mail->ErrorInfo;



    So, my first question is: After you send a test email do you EITHER get redirected to the Thank You page OR see the ERROR?

    The answer to this question should at least get you started in a direction with analysis.

    PS: Experience has taught me to check inbox and SPAM folders. Also, there is sometimes a delay on receiving emails from strange addresses depending on your service provider.

  20. I'm not even sure I understand the question, BUT it seems from


    return an error message "Invalid parameter(s) for the date!" if passing an invalid parameters to this function.

    that you need to write a function that will analyze the calendar entries.

    The depth to which you go is up to you, but for starters you would need to determine which months have 30 days and which have 31. 

    Just as there would be no acceptable MONTHS > 12, there is also no date of September 31 or October 32.

    Of course, February and Leap Years will be the biggest challenge.

    My solution: Tell the instructor that all inputs will come from drop-down menus and go get a coffee.

  21. Yup. Already realized that, and appreciate the insight.

    But aside from a message/disclaimer advocating that the user "Hurry before the name is removed" there's really not much else to be done.

    [I suppose I could INSERT the name immediately and DELETE it if registration isn't completed within a given timeframe, but that seems like a lot of work in the babe of "convenience"... LOL]

    I guess the overriding questions are still: is it worth the effort? Does it compromise the website's security?

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.