
My Upload Code


graham23s


Hi Guys,

 

This is my upload code. The only problem is, it uploads everything (.php, .txt extensions) even though I have made an array to set allowed types:

 

<?php    
  $photo = $_FILES["image"]["name"];
  $username = mysql_escape_string($_POST['username']);
  $max_image_size = 51200; 
  $allowed = array('.gif','.jpg','.png','.jpeg');
  $max_image_width = 500;
  $max_image_height = 450;  
  $random_digit = rand(0000,9999);    
  $renamed_photo = $random_digit.$_FILES["image"]["name"];
  
  // Check there wasn't a blank submission...////////////////////////////////////////////
  if(empty($_FILES["image"]["name"])) {
  
       echo "<p>Sorry, But No File Was Selected, Please Go Back And Try Again.</p>";
       exit;  
  }
  
  // Create a query to check if the current user has uploaded a photo previously, so we can overwrite it
  $sql = "SELECT photo FROM membership WHERE username='$username' LIMIT 1";
  $result = mysql_query($sql, $conn) or die(mysql_error());
    
  // Run the query in a while loop
  while($row = mysql_fetch_array($result)) {
        // Set the photo name to the name already saved in the DB so we can overwrite the existing photo variables and file
        $photo = $row['photo'];
        
        if (empty($photo)) {
        
        } else {

        $renamed_photo = $photo;
        
        }
  }
  
  // Validation for Image...
  if ($_FILES['image']['size'] > $max_image_size) {
   die ('<p>Sorry <i>' . htmlspecialchars($username) . '</i> That Image Is Bigger Than The Allowed Size Of 3mb Please <a href="javascript: history.go(-1)">Go Back</a></p>');
  }
  
  #####################################################################
  // Validate image dimensions...////////////////////////////////////////////////////////
  $dim = getimagesize($_FILES['image']['tmp_name']);

  if($dim[0] >= $max_image_width || $dim[1] >= $max_image_height) {
  
    die ("<p>Sorry, That Image Isn't Within The Current Upload Dimensions Please Go Back And Upload Another!</p>");
    
  }  
  // Validate image types.../////////////////////////////////////////////////////////////
  if(in_array($_FILES['image']['type'], $allowed)) {
  
    die ('<p>Sorry, That Image Isn\'t One Of The Allowed Types Please Make Sure It\'s A Photo!</p>');
  }
  #####################################################################
  
  $uploadpath = "uploads/"; // <- Upload folder...
  $uploadpath = $uploadpath.$renamed_photo;
  if (!move_uploaded_file($_FILES["image"]["tmp_name"], $uploadpath))
     die("<p>Sorry, There Was An Error Uploading Your Image!");
     echo("<p><br />The Image (<b><font color=\"red\">" .$_FILES["image"]["name"]. "</b></font>) Has Been Uploaded Successfully!<br />");
    
  // Create our query.../////////////////////////////////////////////////////////////////
  $sql = "UPDATE membership SET photo='$renamed_photo' WHERE username='$username'";

  // Run our query...////////////////////////////////////////////////////////////////////
  $rs = mysql_query($sql, $conn) or die(mysql_error());
?>

 

Can anyone tell me the problem at all?

 

Thanks guys

 

Graham

 

 


$_FILES['filename']['type'] does not return the extension of the file, but rather the MIME type. So, you need to be comparing things like "image/jpeg", "image/png" or "text/plain" instead of ".jpg", ".png" or ".txt".

 

Secondly, with the way you have your check set up, it will die() on any files that are in your allowable array. Here is how you would want to run your check:

<?php
$allowed = array('text/plain', 'image/jpeg');
if (!in_array($_FILES['filename']['type'], $allowed)) {
  // not in the allowed types, so kill the script here
}
?>
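
Added example, not part of the original thread or either poster's code: the `type` value in `$_FILES` is sent by the browser, so this example checks the extension against an allowlist, confirms the content type with `finfo`, and stores the file under a server-generated name. The function name `validate_image_upload()` is hypothetical; the example assumes PHP 7+ with the fileinfo extension, and reuses the `image` field, the 51200-byte limit and the `uploads/` directory from the question.

```php
<?php
// Added example: server-side validation of an uploaded image.
// validate_image_upload() is a hypothetical helper name.
function validate_image_upload(array $file, int $maxBytes = 51200): string
{
    // Allowed extensions mapped to the MIME type the content must have.
    $allowed = [
        'gif'  => 'image/gif',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
    ];
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('No file was uploaded, or the upload failed.');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File is larger than the allowed size.');
    }
    // Extension check: what the question's $allowed array was meant to do.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension is not allowed.');
    }
    // $file['type'] comes from the client, so detect the type from the
    // file contents and require it to match the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('File content is not an allowed image type.');
    }
    // Server-generated name; the client's file name is never used on disk.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

if (isset($_FILES['image'])) {
    try {
        $name = validate_image_upload($_FILES['image']);
        if (!move_uploaded_file($_FILES['image']['tmp_name'], 'uploads/' . $name)) {
            throw new RuntimeException('Could not store the uploaded file.');
        }
        echo '<p>Uploaded as ' . htmlspecialchars($name) . '</p>';
    } catch (RuntimeException $e) {
        echo '<p>' . htmlspecialchars($e->getMessage()) . '</p>';
    }
}
```

The returned name is what would be written to the `photo` column in place of the client-supplied file name.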
