Problem with image upload validation

I've written a script for users to upload images to use as avatars as part of a project I'm working on.
This works absolutely fine on my testing server, but on my live one, it doesn't - allowing users to upload any file type of any size, which is obviously not a good thing.
Can anyone see anything wrong with the below?

[code]
if (isset($_FILES['avatar_img']['name']) && !empty($_FILES['avatar_img']['name'])) {
    $filename = $_FILES['avatar_img']['name'];
} else {
    header("Location: profile.php?action=avatar&error=1&$session");
}

//Turn the filename into an array, and check the file is a JPEG
$file_peices = explode(".", $filename);
$size = sizeof($file_peices);

if (($file_peices[$size - 1] != 'jpg') && ($file_peices[$size - 1] != 'jpeg') && ($file_peices[$size - 1] != 'gif') && ($file_peices[$size - 1] != 'png')) {
    header("Location: profile.php?action=avatar&error=2&$session");
}

//If the file is too big, stop script execution.
if ($_FILES['avatar_img']['size'] > $config['av_max_size']) {
    header("Location: profile.php?action=avatar&error=3&$session");
}

//Check physical image dimensions
$img_size = getimagesize($_FILES['avatar_img']['tmp_name']);
if (($img_size[0] > $config['av_max_dimensions']) || ($img_size[1] > $config['av_max_dimensions'])) {
    header("Location: profile.php?action=avatar&error=4&$session");
}

$filename_store = md5($filename) . '.' . $file_peices[$size - 1];

// The condition on the next line was lost from the post; a file_exists() check
// is a reconstruction, since the fallback name below is only sensible on a clash.
if (file_exists('images/avatars/' . $filename_store)) {
    $filename_store = md5(uniqid(rand(), true)) . '.' . $file_peices[$size - 1];
}

if (move_uploaded_file($_FILES['avatar_img']['tmp_name'], 'images/avatars/' . $filename_store)) {
    $sql = 'UPDATE ' . USERS_TABLE . '
                SET user_avatar = "' . $filename_store . '"
                WHERE user_id = ' . $auth->userdata['user_id'];

    // The line that executes $sql is missing from the post.

    header("Location: profile.php?action=avatar&$session");
} else {
    header("Location: profile.php?action=avatar&error=4&$session");
}
[/code]
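The following is an added example, not the poster's code or the project's own: a hardened version of the same avatar check. Every failed check redirects and then stops the script, the accepted type is determined from the file content rather than the client-supplied extension, the stored name is random, the image is re-encoded before it is saved, and the UPDATE uses a prepared statement. It reuses the post's `$session`, `$config['av_max_size']`, `$config['av_max_dimensions']`, `USERS_TABLE` and `$auth->userdata['user_id']`; a PDO connection in `$pdo` and the GD extension are assumptions. PHP 8 is assumed for `match`.

```php
<?php
// Added example (not the poster's code). Assumes $session, $config, USERS_TABLE
// and $auth->userdata['user_id'] from the post, plus a PDO handle in $pdo (assumption).

// Redirect back to the form and STOP. header() alone does not end the script;
// without exit, every line after the redirect still runs.
function fail_upload(int $code, string $session): void
{
    header('Location: profile.php?action=avatar&error=' . $code . '&' . $session);
    exit;
}

// Accepted content types, mapped to the extension the file is stored under.
// The extension comes from the detected type, never from the uploaded filename.
const AVATAR_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

// Validates one entry of $_FILES and returns [temp path, extension] on success.
function validate_avatar(array $file, array $config, string $session): array
{
    // PHP reports upload problems in 'error'; anything but UPLOAD_ERR_OK is a reject.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK || empty($file['tmp_name'])) {
        fail_upload(1, $session);
    }
    // The temp file must be the one PHP created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        fail_upload(1, $session);
    }
    // Size: measure the bytes on disk, not the client-reported 'size' field.
    if (filesize($file['tmp_name']) > $config['av_max_size']) {
        fail_upload(3, $session);
    }
    // Type: inspect the content. getimagesize() returns false for non-images,
    // and $info[2] is the IMAGETYPE_* constant of what was actually found.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || !isset(AVATAR_TYPES[$info[2]])) {
        fail_upload(2, $session);
    }
    // Pixel dimensions.
    if ($info[0] > $config['av_max_dimensions'] || $info[1] > $config['av_max_dimensions']) {
        fail_upload(4, $session);
    }
    return [$file['tmp_name'], AVATAR_TYPES[$info[2]]];
}

// Re-encodes the image with GD so only pixel data reaches the avatar directory;
// trailing bytes or metadata riding along in the upload are discarded.
function store_avatar(string $tmp, string $ext, string $dir): string
{
    $img = imagecreatefromstring(file_get_contents($tmp));
    if ($img === false) {
        return '';
    }
    // Random, unpredictable name; nothing from the client's filename is reused.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    return $ok ? $name : '';
}

[$tmp, $ext] = validate_avatar($_FILES['avatar_img'] ?? [], $config, $session);
$stored = store_avatar($tmp, $ext, 'images/avatars');
if ($stored === '') {
    fail_upload(4, $session);
}

// Bound parameters instead of concatenating values into the UPDATE.
$stmt = $pdo->prepare('UPDATE ' . USERS_TABLE . ' SET user_avatar = ? WHERE user_id = ?');
$stmt->execute([$stored, $auth->userdata['user_id']]);

header('Location: profile.php?action=avatar&' . $session);
exit;
```

The design point is that each check is a hard stop: `fail_upload()` ends execution, so a rejected file can never reach `move_uploaded_file()` regardless of how the server is configured. Re-encoding through GD flattens animated GIFs to their first frame; if animation matters, skip `store_avatar()` for GIFs and rely on the type and dimension checks alone. Independently of the script, the avatar directory should be served as static files with script execution disabled.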