justAnoob Posted February 6, 2009

I figured I would try for a while before just posting something here. Well, I did try and still can't get it. I want to be able to just upload certain types, as you see below. But this doesn't work. Any ideas?

```php
<?php
session_start();
include ("upload_db_info.php");
if (!empty($_POST['upload']))
{
    extract($_POST);
    if(isset($_POST['upload'])
        || $_FILES['upload_file']['size'] < 500000
        || $_FILES['upload_file']['type'] = "image/gif"
        || $_FILES['upload_file']['type'] = "image/x-png"
        || $_FILES['upload_file']['type'] = "image/jpg")
        || $_FILES['upload_file']['type'] = "image/jpeg"
        || $_FILES['upload_file']['type'] = "image/bmp")
    {
        $user = $_SESSION['id'];
        $fileName = $_FILES['upload_file']['name'];
        $tmpName = $_FILES['upload_file']['tmp_name'];
        $fileSize = $_FILES['upload_file']['size'];
        $fileType = $_FILES['upload_file']['type'];
        if ( file_exists($tmpName) )
        {
            $content = file_get_contents($tmpName);
        }
    }
    else
    {
        unset($_SESSION['uploadcomplete']);
        $_SESSION['uploaderror'] = "<font color=red><font size=2>Please select a valid picture format under 500,000 bytes(.5 megabytes)<br /> Valid formats are the following (.png .bmp .jpg .gif)";
        header("location: http://www.------.com");
        exit();
    }
    $user = mysql_real_escape_string($user);
    $trade = mysql_real_escape_string($trade);
    $picname = mysql_real_escape_string($picname);
    $fileName = mysql_real_escape_string($fileName);
    $fileSize = (int)$fileSize;
    $fileType = mysql_real_escape_string($fileType);
    $content = mysql_real_escape_string($content);
    $descrip = mysql_real_escape_string($_POST["descrip"]);
    $trade = mysql_real_escape_string($_POST["trade"]);
    $picname = mysql_real_escape_string($_POST["picname"]);
    $query = "INSERT INTO UploadedFiles (name, size, type, content, user, descrip, trade, picname)VALUES('$fileName', '$fileSize', '$fileType', '$content', '$user', '$descrip', '$trade', '$picname')";
    $result = mysql_query($query)or die (mysql_error());
    unset($_SESSION['uploaderror']);
    $_SESSION['uploadcomplete'] = "Your picture was uploaded to our system.";
    header("location: http://www.---------.com");
    exit();
}
?>
```

Link to comment https://forums.phpfreaks.com/topic/144004-limit-file-type-on-upload/

jamesxg1 Posted February 6, 2009

Do you get any errors? What happens?

justAnoob Posted February 6, 2009 (Author)

I do not get any errors. I can still upload any sort of file type. I only want to be able to upload gif png bmp jpeg jpg pjpeg, and not something like a php, html, txt, etc.

jamesxg1 Posted February 6, 2009

> I do not get any errors. I can still upload any sort of file type. I only want to be able to upload gif png bmp jpeg jpg pjpeg, and not something like a php, html, txt, etc.

OK, maybe try this. Nothing much changed, but I had the same problem in my image uploading script.

```php
<?php
session_start();
include ("upload_db_info.php");
if (!empty($_POST['upload']))
{
    extract($_POST);
    if(isset($_POST['upload'])
        || $_FILES['upload_file']['size'] < 500000
        || $_FILES['upload_file']['type'] == "image/gif"
        || $_FILES['upload_file']['type'] == "image/x-png"
        || $_FILES['upload_file']['type'] == "image/jpg")
        || $_FILES['upload_file']['type'] == "image/jpeg"
        || $_FILES['upload_file']['type'] == "image/bmp")
    {
        $user = $_SESSION['id'];
        $fileName = $_FILES['upload_file']['name'];
        $tmpName = $_FILES['upload_file']['tmp_name'];
        $fileSize = $_FILES['upload_file']['size'];
        $fileType = $_FILES['upload_file']['type'];
        if ( file_exists($tmpName) )
        {
            $content = file_get_contents($tmpName);
        }
    }
    else
    {
        unset($_SESSION['uploadcomplete']);
        $_SESSION['uploaderror'] = "<font color=red><font size=2>Please select a valid picture format under 500,000 bytes(.5 megabytes)<br /> Valid formats are the following (.png .bmp .jpg .gif)";
        header("location: http://www.------.com");
        exit();
    }
    $user = mysql_real_escape_string($user);
    $trade = mysql_real_escape_string($trade);
    $picname = mysql_real_escape_string($picname);
    $fileName = mysql_real_escape_string($fileName);
    $fileSize = (int)$fileSize;
    $fileType = mysql_real_escape_string($fileType);
    $content = mysql_real_escape_string($content);
    $descrip = mysql_real_escape_string($_POST["descrip"]);
    $trade = mysql_real_escape_string($_POST["trade"]);
    $picname = mysql_real_escape_string($_POST["picname"]);
    $query = "INSERT INTO UploadedFiles (name, size, type, content, user, descrip, trade, picname)VALUES('$fileName', '$fileSize', '$fileType', '$content', '$user', '$descrip', '$trade', '$picname')";
    $result = mysql_query($query)or die (mysql_error());
    unset($_SESSION['uploaderror']);
    $_SESSION['uploadcomplete'] = "Your picture was uploaded to our system.";
    header("location: http://www.---------.com");
    exit();
}
?>
```

Oh, and I would maybe put some strip_tags functions in the script so they can't insert any code (vulnerable to site injection), and maybe if possible use >> ' ' << tags and not >> " " <<, just for some more security.

justAnoob Posted February 6, 2009 (Author)

So what is different? Just the == on the one file type?

jamesxg1 Posted February 6, 2009

> So what is different? Just the == on the one file type?

If I'm 100% honest, I have literally no idea. It's just that when I had the same problem, that's what solved it, but I was also making thumbnails of the uploaded image, so maybe that would be why I needed two ==, but it worked, so it might for you.

jamesxg1 Posted February 6, 2009

And it's not on the one file type, it's on them all.

```php
<?php
session_start();
include ("upload_db_info.php");
if (!empty($_POST['upload']))
{
    extract($_POST);
    if(isset($_POST['upload'])
        || $_FILES['upload_file']['size'] < 500000
        || $_FILES['upload_file']['type'] == "image/gif"
        || $_FILES['upload_file']['type'] == "image/x-png"
        || $_FILES['upload_file']['type'] == "image/jpg")
        || $_FILES['upload_file']['type'] == "image/jpeg"
        || $_FILES['upload_file']['type'] == "image/bmp")
    {
        $user = $_SESSION['id'];
        $fileName = $_FILES['upload_file']['name'];
        $tmpName = $_FILES['upload_file']['tmp_name'];
        $fileSize = $_FILES['upload_file']['size'];
        $fileType = $_FILES['upload_file']['type'];
        if ( file_exists($tmpName) )
        {
            $content = file_get_contents($tmpName);
        }
    }
    else
    {
        unset($_SESSION['uploadcomplete']);
        $_SESSION['uploaderror'] = "<font color=red><font size=2>Please select a valid picture format under 500,000 bytes(.5 megabytes)<br /> Valid formats are the following (.png .bmp .jpg .gif)";
        header("location: http://www.------.com");
        exit();
    }
    $user = mysql_real_escape_string($user);
    $trade = mysql_real_escape_string($trade);
    $picname = mysql_real_escape_string($picname);
    $fileName = mysql_real_escape_string($fileName);
    $fileSize = (int)$fileSize;
    $fileType = mysql_real_escape_string($fileType);
    $content = mysql_real_escape_string($content);
    $descrip = mysql_real_escape_string($_POST["descrip"]);
    $trade = mysql_real_escape_string($_POST["trade"]);
    $picname = mysql_real_escape_string($_POST["picname"]);
    $query = "INSERT INTO UploadedFiles (name, size, type, content, user, descrip, trade, picname)VALUES('$fileName', '$fileSize', '$fileType', '$content', '$user', '$descrip', '$trade', '$picname')";
    $result = mysql_query($query)or die (mysql_error());
    unset($_SESSION['uploaderror']);
    $_SESSION['uploadcomplete'] = "Your picture was uploaded to our system.";
    header("location: http://www.---------.com");
    exit();
}
?>
```

justAnoob Posted February 6, 2009 (Author)

Nope, nothing yet. Someone should chime in soon with an easy fix so I can feel dumb. The file size part of it works, that is why I don't understand why the file type is working. Other than that, after the file type is fixed, would this be considered a secure file upload to mysql?

jamesxg1 Posted February 6, 2009

> Nope, nothing yet. Someone should chime in soon with an easy fix so I can feel dumb. The file size part of it works, that is why I don't understand why the file type is working. Other than that, after the file type is fixed, would this be considered a secure file upload to mysql?

Well, other than what I've just posted I'm stumped!! I'm not very good at PHP, and some areas need work, e.g. you use....

```php
$fileType = mysql_real_escape_string($fileType);
```

change it to something like this.....

```php
$fileType = strip_tags(mysql_real_escape_string($fileType));
```

The *strip_tags* snippet makes it so that any HTML, PHP or any other language of code is not added to the database. And I read somewhere in a tutorial that these >> " " << are less secure than >>> ' ' <<< them. I think it's because the user that is on your site can change whatever is in a set of " " and they can't with ' '. I think that's correct anyway.

justAnoob Posted February 6, 2009 (Author)

Any other PHP pros have some ideas why this is not working?

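An added example, not code from any poster in this thread: the posted condition joins every test with `||`, and `isset($_POST['upload'])` is already true inside the `!empty(...)` branch, so the `if` passes for any file; the `type` field in `$_FILES` is also supplied by the browser, so it cannot decide what a file is. The sketch below requires every check to pass and detects the type from the file's bytes; the function names are hypothetical and the fileinfo extension is assumed to be enabled.

```php
<?php
// Added example, not code from the thread. Keys are MIME types detected from
// the file's bytes; values are the extension the server chooses for storage.
const ALLOWED_IMAGE_TYPES = [
    'image/gif'      => 'gif',
    'image/png'      => 'png',
    'image/jpeg'     => 'jpg',
    'image/bmp'      => 'bmp',
    'image/x-ms-bmp' => 'bmp', // name reported by older libmagic builds
];

// Hypothetical helper: returns the detected MIME type when every check
// passes, otherwise null. The checks are ANDed by returning early on failure.
function detect_allowed_image(string $path, int $maxBytes = 500000): ?string
{
    $size = is_file($path) ? filesize($path) : false;
    if ($size === false || $size === 0 || $size >= $maxBytes) {
        return null;
    }
    // Sniff the content; $_FILES[...]['type'] is whatever the client sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // The image header must also parse.
    return @getimagesize($path) === false ? null : $mime;
}

// Hypothetical wrapper for a real request: $file is $_FILES['upload_file'].
function check_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return null;
    }
    return detect_allowed_image($file['tmp_name']);
}

// Constructed sample inputs: a 1x1 GIF and a text file containing PHP source.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'not an image';\n");

// Run the content check on both samples, then clean up.
var_dump(detect_allowed_image($gif));
var_dump(detect_allowed_image($script));
unlink($gif);
unlink($script);
```

The stored name and extension should come from the server side (for example the allowlist value), not from `$_FILES['upload_file']['name']`.
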
This topic is now archived and is closed to further replies.