file upload code question

[pouncer]

[code]
if (isset($_POST['Submit'])) {
$target_path = "../profile_images/";
$nm = basename($_FILES['imageupload']['name']);

$target_path = $target_path . $nm;

if(move_uploaded_file($_FILES['imageupload']['tmp_name'], $target_path)) {
echo "The file ".  $nm . " has been uploaded to your profile.";

$user_id = $_SESSION['UserID'];

$Image_URL = "thumbnail.php?im=" . "profile_images/" . $nm;

$profile = mysql_query("UPDATE user_profile SET
Image_URL = '$Image_URL'
WHERE user_id = '$user_id'
") or die (mysql_error());
}

else echo "There was an error uploading the image, please try again.";
}
[/code]

does this mean i can only upload .jpgs ?
how can i make it give an error if i specify a wrong file type to be uploaded

[complex05]

I highly recommend you read PHPFreaks' tutorial on file uploading. I have been using this class for years now and it works perfectly... and has a function to specify the file formats you want to allow.

http://www.phpfreaks.com/tutorials/85/0.php

Hope that helps!

[Ninjakreborn]

There is nothing in there to restrict filetypes, they could upload whatever they wanted to that script.
Even php file's, (I ran into that awhile back)
What you want to do now, is start an array, with all the accepted extensions, then from there you want to use regex to differ waht file types you want to accept.

Here are some examples of things I have done in the past that are similar (actually 100% the same), for you to look at, as references.
[code]<?php
$_accepted_extensions = array('.jpg', '.bmp', '.gif');
if (is_uploaded_file($_FILES['lostimage']['tmp_name'])) { // start check

$tmp = pathinfo($_FILES['lostimage']['name']);
if (!in_array('.' . $tmp['extension'], $_accepted_extensions)) {
$errorhandler .= "<span class=\"logspan\">";
$errorhandler .= "Unfortunately the file extension is not on our accepted<br />";
$errorhandler .= "extension list.  This can be caused by 2 possible things.<br /";
$errorhandler .= "The first thing is you could just simply have the wrong<br />";
$errorhandler .= "extension type.  The second thing is it could be<br />";
$errorhandler .= "of the 4 letter extension type instead of three for instance<br />";
$errorhandler .= "jpeg, instead of the approved jpg.  Please convert them to<br />";
$errorhandler .= "3 letter aliases.<br />";
$errorhandler .= "</span>";
}
$basepath = "postlost/imguploads/";
$filename = $_FILES['lostimage']['name'];
$relativeurl = $basepath . $filename;
// The code below I used from a friend named just some guy from the forums at
// w3schools.  It takes the path name, and the
// file name of the file I am using, and it tests the directory to see if the file
// already exists.  If it exists then it takes the current filename and path
// I am working with in my script, and renames the file, enought to where it can
// still be added.  This isn't used necessarily to allow someone to upload
// the same file 2 times, but more of if it ends up being the situation
// where the filename is the same on 2 different computers and those files
// just end up happening to have the same name. 
// Just a safegaurd against discrepancies in case.
// The whole section between if and else below was created by someone else.
if (file_exists($basepath . $filename))
{
$nr = 0;
$filename = $_FILES['lostimage']['name'] . "_{$nr}";
while (file_exists($basepath . $filename)) {
  $filename = $_FILES['lostimage']['name'] . "_" . $nr++;
}
}
// end script from just some guy on w3schools.com that tests if the filename
// exists or not

}// end file check
?>[/code]

That is one shitty example on and old site I did a long time ago.  I have this bad habit of when creating an admin panel, I never screen filetypes for the admins, I tried looking through all my scripts, the recent script I built that I have been re-using doesn't screen filetypes, for doing multiple uploads like 30 at a time, so for some reason I have neglected to build in that 1 critical thing, I am going to go back and fix that.

I looked and that is the only current example I have, I deleted another older project (I don't do that anymore), that contained very powerful code to do just that.  I had it setup to screen every filetype I could think of, and redirect them to proper pages, for viewing, adn everything else.  It was an entire file handling system, that I deleted, and it pisses me off even to that day, I wish I had my old copy of that, it was helpign with file handling a lot.

Hopefully what I have offered will help you atleast some though.


[quote]I highly recommend you read PHPFreaks' tutorial on file uploading. I have been using this class for years now and it works perfectly... and has a function to specify the file formats you want to allow.

http://www.phpfreaks.com/tutorials/85/0.php
[/quote]
That is very good advice, and I think I will take a look at that myself.

[pouncer]

Thanks alot guys.

[pouncer]

just as a quick solution, i tried this:

[code]
$_accepted_extensions = array('.jpg', '.bmp', '.gif');
$tmp = pathinfo($_FILES['imageupload']['name']);

if (!in_array('.' . $tmp['extension'], $_accepted_extensions)) {
echo "Wrong file type";
return;
}
[/code]

but it doesnt echo anything, it still attempts to uplaod the file with the wrong file extension

[simcoweb]

Try taking the '.' 's out of your extension array.