My Upload Code


graham23s

Hi Guys,

 

This is my upload code. The only problem is, it uploads everything, .php and .txt extensions too, even though I have made an array to set allowed types:

 

<?php    
  $photo = $_FILES["image"]["name"];
  $username = mysql_escape_string($_POST['username']);
  $max_image_size = 51200; 
  $allowed = array('.gif','.jpg','.png','.jpeg');
  $max_image_width = 500;
  $max_image_height = 450;  
  $random_digit = rand(0000,9999);    
  $renamed_photo = $random_digit.$_FILES["image"]["name"];
  
  // Check there wasn't a blank submission...////////////////////////////////////////////
  if(empty($_FILES["image"]["name"])) {
  
       echo "<p>Sorry, But No File Was Selected, Please Go Back And Try Again.</p>";
       exit;  
  }
  
  // Create a query to check if the current user has uploaded a photo previously, so we can overwrite it
  $sql = "SELECT photo FROM membership WHERE username='$username' LIMIT 1";
  $result = mysql_query($sql, $conn) or die(mysql_error());
    
  // Run the query in a while loop
  while($row = mysql_fetch_array($result)) {
        // Set the photo name to the name already saved in the DB so we can overwrite the existing photo variables and file
        $photo = $row['photo'];
        
        if (empty($photo)) {
        
        } else {

        $renamed_photo = $photo;
        
        }
  }
  
  // Validation for Image...
  if ($_FILES['image']['size'] > $max_image_size) {
   die ('<p>Sorry <i>$username</i> That Image Is Bigger Than The Allowed Size Of 3mb Please <a href="javascript: history.go(-1)">Go Back</a></p>');
  }
  
  #####################################################################
  // Validate image dimensions...////////////////////////////////////////////////////////
  $dim = getimagesize($_FILES['image']['tmp_name']);

  if($dim[0] >= $max_image_width || $dim[1] >= $max_image_height) {
  
    die ("<p>Sorry, That Image Isn't Within The Current Upload Dimensions Please Go Back And Upload Another!</p>");
    
  }  
  // Validate image types.../////////////////////////////////////////////////////////////
  if(in_array($_FILES['image']['type'], $allowed)) {
  
    die ('<p>Sorry, That Image Isn\'t One Of The Allowed Types Please Make Sure It\'s A Photo!</p>');
  }
  #####################################################################
  
  $uploadpath = "uploads/"; // <- Upload folder...
  $uploadpath = $uploadpath.$renamed_photo;
  if (!move_uploaded_file($_FILES["image"]["tmp_name"], $uploadpath))
     die("<p>Sorry, There Was An Error Uploading Your Image!");
     echo("<p><br />The Image (<b><font color=\"red\">" .$_FILES["image"]["name"]. "</b></font>) Has Been Uploaded Successfully!<br />");
    
  // Create our query.../////////////////////////////////////////////////////////////////
  $sql = "UPDATE membership SET photo='$renamed_photo' WHERE username='$username'";

  // Run our query...////////////////////////////////////////////////////////////////////
  $rs = mysql_query($sql, $conn) or die(mysql_error());
?>

 

Can anyone tell me the problem at all?

Thanks guys

 

Graham

 

 


$_FILES['filename']['type'] does not return the extension of the file, but rather the MIME type. So, you need to be comparing things like "image/jpeg", "image/png" or "text/plain" instead of ".jpg", ".png" or ".txt".

 

Secondly, with the way you have your check set up, it will die() on any files that are in your allowable array. Here is how you would want to run your check:

<?php
$allowed = array('text/plain', 'image/jpeg');
if (!in_array($_FILES['filename']['type'], $allowed)) {
  // not in the allowed types, so kill the script here
}
?>

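An added example, not code from either post in this thread: `$_FILES[...]['type']` and `$_FILES[...]['name']` are both supplied by the client, so a stricter form of the check above detects the type from the file contents and picks the stored extension from the allowlist. The function name `store_uploaded_image` is an assumption; the size and dimension limits and the `uploads/` folder are the ones from the question.

```php
<?php
// Added example (not from the thread). store_uploaded_image() is a hypothetical helper.
declare(strict_types=1);

function store_uploaded_image(array $file, string $uploadDir,
    int $maxBytes = 51200, int $maxWidth = 500, int $maxHeight = 450): string
{
    // Allowlist keyed by the MIME type detected on the server, mapped to the
    // extension we choose ourselves. The client's name and type are never used.
    $allowed = [
        'image/gif'  => 'gif',
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No file was uploaded.');
    }
    if (filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('File exceeds the size limit.');
    }

    // Sniff the type from the file contents instead of trusting $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, $allowed)) {
        throw new RuntimeException('File type is not allowed.');
    }

    // getimagesize() returns false when the data does not parse as an image.
    $dim = getimagesize($file['tmp_name']);
    if ($dim === false || $dim[0] > $maxWidth || $dim[1] > $maxHeight) {
        throw new RuntimeException('Not a valid image, or dimensions too large.');
    }

    // Server-generated name with the allowlisted extension, so a ".php" name
    // sent by the client never reaches the file system.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], rtrim($uploadDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store the upload.');
    }
    return $name;
}

// Usage in the upload handler from the question:
// $renamed_photo = store_uploaded_image($_FILES['image'], 'uploads/');
```

Configuring the web server so that nothing under the upload folder is executed as PHP covers the case where a file passes content sniffing but still contains script code.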
