Uploading Images - Mime Types

[Jmz]

I'm making an image upload script, I only want the user to be able to upload jpg, gif and png images.

 

To enforce this I first check the file extension, then I want to check the mime type of the image. However I seem to be running into some problems, when I have tried to debug my script it seems that some images (according to the script) have blank mime types but when I have tried uploading the image on an image upload site it works fine.

 

Does anybody have a tried and tested method of getting an uploaded files mime type and checking it is an image?

[The Little Guy]

$image = 'my/images/image.jpg';
if(!getimagesize($image)){
     // This is an invalid image
}else{
     // This is a valid image
}

[craygo]

Some code may help to see what you have.

[discomatt]

Mime-types are defined by the browser, so they can't be trusted anyways

 

Try making a simple script like this

 

<?php

if (  empty( $_FILES )  )

echo <<<FORM
<form enctype="multipart/form-data" action="" method="POST">
    <input type="hidden" name="MAX_FILE_SIZE" value="300000" />
    Send this file: <input name="userfile" type="file" />
    <input type="submit" value="Send File" />
</form>
FORM;

else

print_r( $_FILES )

?>

[Jmz]

I've tried a few different ways but none have seemed to work so far. Basically they have consisted of getting the mime type and then comparing it against an array of allowed mime types.

 

$mimetype = strtolower($_FILES['uploadedfile']['type']);
$mimetypes = array('image/jpeg', 'image/png', 'image/pjpeg', 'image/gif');

if (in_array($mimetype, $mimetypes)){

}else{
die("mime type not allowed");
}

 

and

 

 

$mimetype = shell_exec(escapeshellcmd ("file -bi ".$FILES['uploadedfile']['tmp_name']));
$mimetypes = array('image/jpeg', 'image/png', 'image/pjpeg', 'image/gif');

if (in_array($mimetype, $mimetypes)){

}else{
die("mime type not allowed");
}

 

But both seem to have problems with the same images. For example the winter.jpg sample image on windows xp doesn't seem to work on any computer I try.

[The Little Guy]

did you try my example?

[discomatt]

Try using the above script I posted, and actually echo out the mime type. This is totally client side though (from what I've read), so it shouldn't have anything to do with PHP...

 

 

With the exception of this guy

$mimetype = shell_exec(escapeshellcmd ("file -bi ".$FILES['uploadedfile']['tmp_name']));

[Jmz]

Thanks discomatt and The Little Guy, I'll look at both your solutions later on today.

[Jmz]

@discomatt: The code you gave me seems to display the info of even the images that I couldn't get to work before. How can I get the values from the array into my script?

[discomatt]

Show me a more complete copy of your script... from validating your mime type to inserting it into the database.

[Jmz]

This is the page I use for the user to create a gallery, they upload an image which is resized and add some information about the gallery.

 

<?php
//---------------------------------------------------
//     Include the files we need
//---------------------------------------------------
include("restrict.php");
include("../../config/connect.php");
include("../../config/settings.php");
include("../../config/functions.php");

//---------------------------------------------------
//     Make sure user hasnt reached their upload limit
//---------------------------------------------------	
$galcount = mysql_query("SELECT count(*) as gal from tbl_gallery WHERE fld_userid = '$UserID'");
$gal_q = mysql_fetch_assoc($galcount);
$galc = $gal_q['gal'];

$UserPack = mysql_query("SELECT fld_pack FROM tbl_users WHERE fld_id = '$UserID'");
$User_q = mysql_fetch_assoc($UserPack);
$UserPackNum = $User_q['fld_pack'];

$packdetails = mysql_query("SELECT fld_galleries FROM tbl_packages WHERE fld_id = '$UserPackNum'");
$pack_q = mysql_fetch_assoc($packdetails);
$PackLimit = $pack_q['fld_galleries'];

if ($galc < $PackLimit){

//---------------------------------------------------
//     set variables we need
//---------------------------------------------------
$target_path = "../../uploads/".$UserID."/";
$user_prefix = "thumb_";
$image_prefix = rand();

$mimetypes = array('image/jpeg', 'image/png', 'image/pjpeg', 'image/gif', '');
$extensions = array('jpg', 'gif', 'jpeg', 'png', 'pjpeg');

$target_path = $target_path.$user_prefix.$image_prefix.basename( $_FILES['uploadedfile']['name']); 
$_FILES['uploadedfile']['tmp_name'];  

//---------------------------------------------------
//     Check the image isnt too big
//---------------------------------------------------
$file_size = $_FILES['uploadedfile']['size'];

if ($file_size >= $thumb_limit_size) {
echo "Your file is too big";
exit ();
}

//---------------------------------------------------
//     Give the image a name
//---------------------------------------------------
$thumbname = $user_prefix.$image_prefix.basename( $_FILES['uploadedfile']['name']); 


//---------------------------------------------------
//     !--- Check the mime type
//     !--- Turned off
//---------------------------------------------------
$mimetype = strtolower($_FILES['uploadedfile']['type']);


if (in_array($mimetype, $mimetypes)){

}else{
echo "<meta http-equiv=\"refresh\" content=\"0;url=../create_gallery.php?msg=e\"/>";
exit();
}


//---------------------------------------------------
//     Get the extension of the image
//---------------------------------------------------
$extension = getExtension($thumbname);
$extension = strtolower($extension);

if (in_array($extension, $extensions)){

}else{
echo "<meta http-equiv=\"refresh\" content=\"0;url=../create_gallery.php?msg=n\"/>";
exit();
}

//---------------------------------------------------
//     Upload & resize the file
//---------------------------------------------------

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {

switch($extension)
{
	case "jpeg";
		$image = imagecreatefromjpeg($target_path);
	break;
	case "jpg";
		$image = imagecreatefromjpeg($target_path);		
	break;
	case "gif";
		$image = imagecreatefromgif($target_path);		
	break;
	case "png";
		$image = imagecreatefrompng($target_path);		
	break;
	default:
		return FALSE;
}
if ($image === false) { die ('Unable to open image'); }

$width = imagesx($image);
$height = imagesy($image);

$imageratio = $width/$height;

if ($width>$height){
$newwidth = $thumb_width;
$newheight = $height * ($newwidth/$width);
}else{
$newheight = $thumb_width;
$newwidth = $width * ($newheight/$height);
}

	$image_resized = imagecreatetruecolor($newwidth, $newheight);
    	imagecopyresized($image_resized, $image, 0, 0, 0, 0, $newwidth, $newheight, $width, $height);
	ImageJpeg ($image_resized,"$target_path");	
	move_uploaded_file ($image_resized, "$target_path");	


$galleryname = $_POST['galleryname'];
$gallerydescription = $_POST['gallerydescription'];
$gallerykeywords = $_POST['gallerykeywords'];

if (empty ($galleryname) or empty ($gallerydescription) or empty ($gallerykeywords)) {
	echo "Fill out all fields";
	exit();
}

$galleryname = mysql_real_escape_string($galleryname);
$gallerydescription = mysql_real_escape_string($gallerydescription);
$gallerykeywords = mysql_real_escape_string($gallerykeywords);

$create_gallery = mysql_query("INSERT INTO tbl_gallery (fld_id, fld_galleryname, fld_gallerydesc, fld_keywords, fld_userid, fld_thumbname) values ('', '$galleryname', '$gallerydescription', '$gallerykeywords', '$UserID', '$thumbname')");

if ($create_gallery){
	echo "<meta http-equiv=\"refresh\" content=\"0;url=../modify_gallery.php?msg=s\"/>";
} else {
	echo "<meta http-equiv=\"refresh\" content=\"0;url=../modify_gallery.php?msg=e\"/>";
}	

//if the image couldn't be moved to the server
} else{
	echo "<meta http-equiv=\"refresh\" content=\"0;url=../create_gallery.php?msg=e\"/>";
}

//if the person has reached their upload limit
}else{
	echo "<meta http-equiv=\"refresh\" content=\"0;url=../create_gallery.php?msg=f\"/>";
}

?>

[discomatt]

And the problem is you're getting redirected to ../create_gallery.php?msg=e?

[Jmz]

Yes.

[discomatt]

Try this

 

$mimetype = strtolower($_FILES['uploadedfile']['type']);
echo '***'. $mimetype .'***'

 

See if you're getting any unnecessary padding that may be screwing things up

 

Also try changing the check to

if ( !in_array($mimetype, $mimetypes) ){
    echo "<meta http-equiv=\"refresh\" content=\"0;url=../create_gallery.php?msg=e\"/>";
    exit();
}

[Jmz]

Nope, on the images that wont upload it just says ****** as if the mime type was empty ???

[Jmz]

There has got to be something fundamentally wrong with my code, I just dont have a clue what it is

 

I'm rewriting the whole thing from scratch to see if I make the same mistake again.

[Jmz]

Just finished rewriting the script and it works now, I dont have a clue what was stopping it working before ???