Pickle, posted September 24, 2009

Hi everyone, I've been trying to create some secure validation for image upload, i.e. ensuring that the file being uploaded is actually an image and nothing else, by using imagecreatefromjpeg() and such. Here is what I have, however this seems to stop everything and I'm not sure why. Any help would be much appreciated.

    if($_FILES['thumb']['name'] != ""){
        $allowed_filetypes = array('.jpg','.gif','.jpeg','.png');
        $filename = $_FILES['file']['name'];
        $ext = substr($filename, strpos($filename,'.'), strlen($filename)-1);
        // Use the correct function for the filetype.
        switch (strtolower($ext)) {
            case '.gif':
                $im = @imagecreatefromgif($filename);
                break;
            case '.jpg':
            case '.jpeg':
                $im = @imagecreatefromjpeg($filename);
                break;
            case '.png':
                $im = @imagecreatefrompng($filename);
                break;
            default:
                $im = false;
        }
        if(!in_array($ext,$allowed_filetypes)){
            die('The file you attempted to upload is not allowed.');
        }elseif($im){ // if $im is set then it must be a valid image of the indicated type.
            //upload file
            imagedestroy($im);
        }else{
            die('not an image.');
        }
    }

Thanks in advance.

Bricktop, posted September 24, 2009

Hi Pickle,

What happens if you remove your "break;" statements from the switches?

Pickle, posted September 24, 2009

Hi Bricktop, thanks for your reply. I have tried this but it didn't make any difference. Do you have any other suggestions? Thanks

Bricktop, posted September 24, 2009

If you do:

    echo $filename;
    echo $ext;

just before the switch statements, do you get the expected result? e.g.

    image.jpg
    .jpg

Pickle, posted September 24, 2009

Hi, I'm doing:

    echo "filename-->".$filename."<br/>";
    echo "ext-->".$ext."<br/>";
    echo "im-->".$im."<br/>";

and I get everything until im, which prints out nothing, then it just goes straight to "not an image".

Bricktop, posted September 24, 2009

Can you paste the output you're getting from the other two echo statements here?

Pickle, posted September 24, 2009

Yeah, I get this:

    filename-->phone.jpg
    ext-->.jpg
    im-->
    not an image

Pickle, posted September 24, 2009

Should im actually be printing anything out?

Pickle, posted September 24, 2009

I've checked that it's getting to the right case and using the correct function for the filetype. After that I don't really understand why im isn't set. Thanks again for your help.

Pickle, posted September 24, 2009

Hi everyone, I still haven't managed to get anywhere with this. If anyone has any ideas that would be great. Thanks

Alex, posted September 24, 2009

Try this switch:

    switch (strtolower($ext)) {
        case '.gif':
            $im = @imagecreatefromgif($filename);
            break;
        case '.jpg':
            $im = @imagecreatefromjpeg($filename);
            break;
        case '.png':
            $im = @imagecreatefrompng($filename);
            break;
        default:
            $im = false;
            break;
    }

You had a case 'jpg': option and it didn't have a break.

Pickle, posted September 24, 2009

Hi AlexWD, thanks for your reply, I'll try that and keep you posted. Should the last default case have a break as well? Thanks

Alex, posted September 24, 2009

> Hi AlexWD, thanks for your reply, I'll try that and keep you posted. Should the last default case have a break as well? Thanks

Doesn't matter, I usually do it; just a habit.

Pickle, posted September 24, 2009

Hi AlexWD, thanks for your help. One more question: is there another way of doing this? Using the imagecreatefromjpeg() function to check that it's an image was a suggestion to me by someone else. Is there a better way or just another way of doing this? I know there's also getimagesize(), but none of these really guarantee that it's definitely an image, right?

Alex, posted September 24, 2009

When validating images I always use getimagesize(). It works fine and you don't have to create that annoying switch for different image types. It also already gives you access to other information about that file that you may need after you've confirmed it's valid.

Pickle, posted September 24, 2009

Am I right in saying that you can use getimagesize() before the file is uploaded? Because obviously this is what I need, to make sure it's OK before I upload it. So basically I would just say the following:

    $filename = $_files['file']['name'];
    $info = getimagesize($filename);
    if(isset($info)){
        //upload file here
    }

Is that right? That I should check if the variable $info is set? Or should I be checking for a specific size?

mikesta707, posted September 24, 2009

$_FILES['file']['name'] gives the filename that was on your specific computer, I believe (i.e. if you uploaded myname.jpg, then that would return myname.jpg). The problem is that the particular file myname.jpg doesn't exist on your server until you move it from the temp folder (assuming you move it with the same name as it had). $_FILES['file']['temp'] gives the file name of your file in the temporary folder, I think, so you may be able to do it with that.

Alex, posted September 24, 2009

I believe mikesta707 is correct, you should be using $_FILES['file']['temp']. To check you should be doing:

    if($info) {
        //Upload file
    }

As getimagesize() returns false when given an invalid image file.

Pickle, posted September 24, 2009

So are you saying that it creates a temp file when the form is submitted? I thought that it only did this once you went ahead with the image upload. So I need to be saying:

    $temp_loc = $files['file']['temp'];
    $info = getimagesize($temp_loc);

Thanks again

mikesta707, posted September 24, 2009

Yes, when you submit a file field, it uploads the file to the server's temp folder. Upload scripts don't really upload the file per se, they move the file to a more permanent destination (files in the temp folder get deleted after a little bit).

Pickle, posted September 24, 2009

So I suppose that's the same with what I was trying to do before?

    $filename = $_FILES['file']['name'];
    $ext = substr($filename, strpos($filename,'.'), strlen($filename)-1);
    // Use the correct function for the filetype.
    switch (strtolower($ext)) {
        case '.gif':
            $im = @imagecreatefromgif($filename);
            break;
        case '.jpg':
        case '.jpeg':
            $im = @imagecreatefromjpeg($filename);
            break;
        case '.png':
            $im = @imagecreatefrompng($filename);
            break;
        default:
            $im = false;
    }

But

    $filename = $_FILES['file']['name'];

should be

    $filename = $_FILES['file']['temp'];

That's why it wasn't working?!

mikesta707, posted September 24, 2009

Seems that way.

Pickle, posted September 24, 2009

WOOP! Thanks guys, really appreciate the help, I'll try it out.

Pickle, posted September 25, 2009

Hi, I still can't seem to get this to work. If my form element is called image, i.e.

    <input type='file' name='image' value='' />

then should I be saying:

    $temp_file = $_FILES['image']['temp'];
    $info = getimagesize($temp_file);

or

    $temp_file = $_FILES['file']['temp'];
    $info = getimagesize($temp_file);

Whichever I use, it always says that it's not an image. Not sure what I'm doing wrong, any help would be great. Thanks

Pickle, posted September 25, 2009

Hi, I've sorted it. Thanks everyone for your help. Basically I needed to use tmp_name instead of temp, and with the name of the form element, i.e.

    $info = getimagesize($_FILES['thumb']['tmp_name']);

Thanks

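
As an added example (not code from any poster in this thread), here is one way to combine the points above: read `tmp_name` rather than `name`, check with getimagesize(), then decode and re-encode the image with GD. It assumes PHP 7.1+ with GD, the `thumb` form field from the thread, and a hypothetical `uploads` directory; the function name is also hypothetical.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.1+ with GD; the 'uploads'
// directory is hypothetical and should not be configured to execute scripts.
function store_uploaded_image(array $file, string $destDir): string
{
    // PHP records upload problems in 'error'; stop unless it is UPLOAD_ERR_OK.
    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    // 'tmp_name' is the server-side temp file; 'name' is only the client's label.
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // getimagesize() returns false when the file is not a recognised image.
    $info = @getimagesize($tmp);
    if ($info === false) {
        throw new RuntimeException('Not an image.');
    }
    // Pick decoder, encoder and extension from the detected type, not the client name.
    $types = [
        IMAGETYPE_GIF  => ['gif', 'imagecreatefromgif', 'imagegif'],
        IMAGETYPE_JPEG => ['jpg', 'imagecreatefromjpeg', 'imagejpeg'],
        IMAGETYPE_PNG  => ['png', 'imagecreatefrompng', 'imagepng'],
    ];
    if (!isset($types[$info[2]])) {
        throw new RuntimeException('Image type not allowed.');
    }
    [$ext, $decode, $encode] = $types[$info[2]];
    // Decode the whole image rather than trusting the header alone.
    $im = @$decode($tmp);
    if ($im === false) {
        throw new RuntimeException('Image could not be decoded.');
    }
    // Re-encode under a server-generated name so only pixel data is stored.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!$encode($im, $dest)) {
        throw new RuntimeException('Could not save image.');
    }
    return $dest;
}
if (isset($_FILES['thumb'])) {
    try {
        echo 'Stored as ' . basename(store_uploaded_image($_FILES['thumb'], __DIR__ . '/uploads'));
    } catch (RuntimeException $e) {
        http_response_code(400);
        die($e->getMessage());
    }
}
```

Re-encoding through GD keeps only the first frame of an animated GIF and, unless imagesavealpha() is enabled on the image, does not preserve PNG transparency.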