Need help verifying uploads, images...


1 reply to this topic

#1 Javrixx


Posted 24 August 2006 - 08:39 PM

I've been searching for 3 days and can't find the answer. Either the code I put in doesn't work or I'm a moron. I am pretty new to PHP, so that could be a major issue. What I have set up is a page where people can upload images. This works just fine, the script as of right now works perfectly, no problems.

But after reading around, I found people can just rename a .php or some other file to just a .jpg or .gif, upload it, and then execute it... I do not want this to happen!

So the solution everyone is talking about is using one of two codes to verify the file is actually an image that is being uploaded.

getimagesize() and exif_imagetype() are the two codes. I can't get either to work. I'm just learning PHP for the first time, so I'm very unfamiliar with it. What I need to know is... what code do I use and where do I put it in my script so it will verify the file is really an image. I don't care which one is used. The exif is supposed to be faster, but I don't really care.

Below is my script. Thanks!


<?php
$num_of_uploads=1;
$file_types_array=array("jpg","gif");
$max_file_size=110000;
$upload_dir="images_public/";
function uploaderFILES($num_of_uploads=1, $file_types_array=array("jpg","gif"), $max_file_size=110000, $upload_dir="images_public/"){
  if(!is_numeric($max_file_size)){
   $max_file_size = 110000;
  } 
  foreach($_FILES["file"]["error"] as $key => $value)
  {
     if($_FILES["file"]["name"][$key]!="")
     {
       if($value==UPLOAD_ERR_OK)
       {
         $origfilename = $_FILES["file"]["name"][$key];
         $filename = explode(".", $_FILES["file"]["name"][$key]);
         $filenameext = $filename[count($filename)-1];
         unset($filename[count($filename)-1]);
         $filename = implode(".", $filename);
         $filename = substr($filename, 0, 15).".".$filenameext;
         $file_ext_allow = FALSE;
         if (file_exists('images_public/' . $filename)) {
           $tmpVar = 1;
           while(file_exists('images_public/' . $tmpVar . '-' . $filename)) {
             $tmpVar++;
           }
           $filename = $tmpVar . '-' . $filename;
         }
         for($x=0;$x<count($file_types_array);$x++){
           if($filenameext==$file_types_array[$x])
           {
             $file_ext_allow = TRUE;
           }
         }
         if($file_ext_allow){
           if($_FILES["file"]["size"][$key]<$max_file_size){
             if(move_uploaded_file($_FILES["file"]["tmp_name"][$key], $upload_dir.$filename)){
               echo("<center>File uploaded successfully. Your image can be found at <a href='http://www.averageguysteve.com/".$upload_dir.$filename."' target='_blank'>http://www.averageguysteve.com/".$upload_dir.$filename."</a><br /><br /><br /><img src='".$upload_dir.$filename."' border='0' alt=''></center>");
             }
             else { echo('<center><font color="#FF0000">'.$origfilename."</font> was not successfully uploaded.<br /></center>");}
           }
           else  { echo('<center><font color="#FF0000">'.$origfilename."</font> was too big and was not uploaded. Max file size is 100k!<br /></center>"); }
         }
         else{ echo('<center><font color="#FF0000">'.$origfilename." </font>had an invalid file extension and was not uploaded. Valid file types are .jpg or .gif.<br /></center>");  }
       }
       else{ echo('<center><font color="#FF0000">'.$origfilename." </font>was not successfully uploaded.<br /></center>");  } // else
     }
  }
}

?>

<HTML>
<BODY>

  <FORM action='<?=htmlspecialchars($_SERVER["PHP_SELF"]);?>' method='post' enctype='multipart/form-data'>Upload file:<BR /><INPUT type='hidden' name='submitted' value='TRUE' id='<?=time();?>' >
  <INPUT type='hidden' name='MAX_FILE_SIZE' value='<?=$max_file_size;?>' >
<?php
   // Start with an empty string so the .= appends below have something to extend.
   $form = "";
   for($x=0;$x<$num_of_uploads;$x++){
     $form .= "<input type='file' name='file[]'><br />";
   }
   $form .= "<input type='submit' value='Upload'><br /><br />
   <font color='red'>*</font>Max file size is 100k.  Valid file types are .";
   for($x=0;$x<count($file_types_array);$x++){
     if($x<count($file_types_array)-1){
       $form .= $file_types_array[$x]." or .";
     }else{
       $form .= $file_types_array[$x].".";
     }
   }
   echo($form);
?> 
  </FORM>
</BODY>
</HTML>

<?php
if(isset($_POST["submitted"])){
   uploaderFILES($num_of_uploads, $file_types_array, $max_file_size, $upload_dir);
}
?> 


#2 jvalarta


Posted 25 August 2006 - 02:36 AM

See this post, I think it contains everything you need:

http://www.phpfreaks...c,105395.0.html
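
Added example, not part of the original thread and not either poster's code: one way to place the getimagesize() check asked about in post #1, deciding the stored extension from the file's header instead of from the name the browser sent. The function names, the ALLOWED_IMAGE_TYPES constant and the random file naming are assumptions made for illustration, and the code needs PHP 7.1 or later.

```php
<?php
// Accepted image types mapped to the extension the server assigns (hypothetical constant).
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_GIF  => 'gif',
];

/**
 * Return the extension to store the file under, or null if the content
 * is not an accepted image. Looks at the file's header, never its name.
 */
function detect_image_extension(string $path, int $maxBytes): ?string
{
    $size = @filesize($path);
    if ($size === false || $size === 0 || $size >= $maxBytes) {
        return null;
    }
    // getimagesize() returns false when the header is not a known image;
    // index 2 of its result is an IMAGETYPE_* constant.
    $info = @getimagesize($path);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$info[2]] ?? null;
}

/**
 * Validate one entry of $_FILES["file"] and move it into $uploadDir under
 * a server-generated name. Returns the stored name, or null on rejection.
 */
function store_uploaded_image(array $files, int $key, string $uploadDir, int $maxBytes): ?string
{
    if ($files['error'][$key] !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $files['tmp_name'][$key];
    if (!is_uploaded_file($tmp)) {
        return null;
    }
    $ext = detect_image_extension($tmp, $maxBytes);
    if ($ext === null) {
        return null;
    }
    // The client-supplied file name is never used on disk.
    $name = bin2hex(random_bytes(8)) . '.' . $ext;
    return move_uploaded_file($tmp, $uploadDir . $name) ? $name : null;
}
```

Inside the foreach loop of uploaderFILES(), a call such as store_uploaded_image($_FILES["file"], $key, $upload_dir, $max_file_size) would take the place of the extension loop and the move_uploaded_file() call. getimagesize() only inspects the header, so it does not prove the rest of the file is harmless; that is why the stored name and extension are chosen by the server rather than taken from the upload.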



