Javrixx

Need help verifying uploads, images...

I've been searching for 3 days and can't find the answer. Either the code I put in doesn't work or I'm a moron. I am pretty new to PHP, so that could be a major issue. What I have set up is a page where people can upload images. This works just fine, the script as of right now works perfectly, no problems.

But after reading around, I found people can just rename a .php or some other file to just a .jpg or .gif, upload it, and then execute it... I do not want this to happen!

So the solution everyone is talking about is using one of two codes to verify the file is actually an image that is being uploaded.

getimagesize() and exif_imagetype() are the two codes. I can't get either to work. I'm just learning PHP for the first time, so I'm very unfamiliar with it. What I need to know is... what code do I use and where do I put it in my script so it will verify the file is really an image. I don't care which one is used. The exif is supposed to be faster, but I don't really care.

Below is my script. Thanks!


[code]
<?php
$num_of_uploads=1;
$file_types_array=array("jpg","gif");
$max_file_size=110000;
$upload_dir="images_public/";
function uploaderFILES($num_of_uploads=1, $file_types_array=array("jpg","gif"), $max_file_size=110000, $upload_dir="images_public/"){
  if(!is_numeric($max_file_size)){
  $max_file_size = 110000;
  }
  foreach($_FILES["file"]["error"] as $key => $value)
  {
    if($_FILES["file"]["name"][$key]!="")
    {
      if($value==UPLOAD_ERR_OK)
      {
        // Only used in the messages below, so escape it for HTML output.
        $origfilename = htmlspecialchars($_FILES["file"]["name"][$key], ENT_QUOTES);
        $filename = explode(".", $_FILES["file"]["name"][$key]);
        $filenameext = $filename[count($filename)-1];
        unset($filename[count($filename)-1]);
        $filename = implode(".", $filename);
        $filename = substr($filename, 0, 15).".".$filenameext;
        $file_ext_allow = FALSE;
        // Avoid overwriting an existing file: prefix a counter until the name is free.
        if (file_exists($upload_dir . $filename)) {
          $tmpVar = 1;
          while(file_exists($upload_dir . $tmpVar . '-' . $filename)) {
            $tmpVar++;
          }
          $filename = $tmpVar . '-' . $filename;
        }
        for($x=0;$x<count($file_types_array);$x++){
          if($filenameext==$file_types_array[$x])
          {
            $file_ext_allow = TRUE;
          }
        }
        if($file_ext_allow){
          if($_FILES["file"]["size"][$key]<$max_file_size){
            if(move_uploaded_file($_FILES["file"]["tmp_name"][$key], $upload_dir.$filename)){
              echo("<center>File uploaded successfully. Your image can be found at <a href='http://www.averageguysteve.com/".$upload_dir.$filename."' target='_blank'>http://www.averageguysteve.com/".$upload_dir.$filename."</a><br /><br /><br /><img src='".$upload_dir.$filename."' border='0' alt=''></center>");
            }
            else { echo('<center><font color="#FF0000">'.$origfilename."</font> was not successfully uploaded.<br /></center>");}
          }
          else  { echo('<center><font color="#FF0000">'.$origfilename."</font> was too big and was not uploaded. Max file size is 100k!<br /></center>"); }
        }
        else{ echo('<center><font color="#FF0000">'.$origfilename." </font>had an invalid file extension and was not uploaded. Valid file types are .jpg or .gif.<br /></center>");  }
      }
      else{ echo('<center><font color="#FF0000">'.$origfilename." </font>was not successfully uploaded.<br /></center>");  } // else
    }
  }
}

?>

<HTML>
<BODY>

  <FORM action='<?=htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES);?>' method='post' enctype='multipart/form-data'>Upload file:<BR /><INPUT type='hidden' name='submitted' value='TRUE' id='<?=time();?>' >
  <INPUT type='hidden' name='MAX_FILE_SIZE' value='<?=$max_file_size;?>' >
<?php
  $form = ""; // initialise before appending to it
  for($x=0;$x<$num_of_uploads;$x++){
    $form .= "<input type='file' name='file[]'><br />";
  }
  $form .= "<input type='submit' value='Upload'><br /><br />
  <font color='red'>*</font>Max file size is 100k.  Valid file types are .";
  for($x=0;$x<count($file_types_array);$x++){
    if($x<count($file_types_array)-1){
      $form .= $file_types_array[$x]." or .";
    }else{
      $form .= $file_types_array[$x].".";
    }
  }
  echo($form);
?>
  </FORM>
</BODY>
</HTML>

<?php
if(isset($_POST["submitted"])){
  uploaderFILES($num_of_uploads, $file_types_array, $max_file_size, $upload_dir);
}
?>
[/code]

See this post, I think it contains everything you need:

[url=http://www.phpfreaks.com/forums/index.php/topic,105395.0.html]http://www.phpfreaks.com/forums/index.php/topic,105395.0.html[/url]
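
An added example, not code from this thread or the linked post: one way to use getimagesize() to decide from the file's bytes, rather than its name, whether an upload is an allowed image. The names `ALLOWED_IMAGE_TYPES`, `detectImageExtension` and `safeStoredName` are hypothetical, and the two sample files are constructed for the demo.

```php
<?php
// Image types accepted, mapped to the extension the server will store them under.
const ALLOWED_IMAGE_TYPES = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg'];

/**
 * Return the extension to store $path under, or null when the content is
 * not an allowed image. The client-supplied file name is never consulted.
 */
function detectImageExtension(string $path): ?string
{
    // getimagesize() returns false when it cannot parse an image header;
    // @ silences the notice some PHP versions raise on very short files.
    $info = @getimagesize($path);
    if ($info === false) {
        return null;
    }
    // Index 2 holds one of the IMAGETYPE_* constants.
    return ALLOWED_IMAGE_TYPES[$info[2]] ?? null;
}

/** Server-chosen name, so the client controls neither the name nor the extension. */
function safeStoredName(string $ext): string
{
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// --- Constructed sample inputs, written to temp files so this runs offline ---
$gif = tempnam(sys_get_temp_dir(), 'up');
// Hand-built GIF header: signature, 1x1 logical screen, flags, background, aspect.
file_put_contents($gif, "GIF89a" . pack('vv', 1, 1) . "\x80\x00\x00");

$fake = tempnam(sys_get_temp_dir(), 'up');
// A script that the client has simply named "photo.jpg".
file_put_contents($fake, "<?php echo 'not an image'; ?>");

foreach (['real.gif' => $gif, 'photo.jpg' => $fake] as $clientName => $tmp) {
    $ext = detectImageExtension($tmp);
    echo $clientName, ' => ',
        $ext === null ? 'rejected' : 'store as ' . safeStoredName($ext), "\n";
    unlink($tmp);
}
```

In the script above, the call would go on `$_FILES["file"]["tmp_name"][$key]` just before `move_uploaded_file()`, with the returned extension replacing `$filenameext`. getimagesize() reads only the image header, so the server-chosen name and extension matter as much as the type check.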
