image extension name on images



#1 redarrow

redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Location: london

Posted 13 May 2006 - 10:36 PM

Hi there, I was wondering: when you do a validation on an uploaded file, the file
array shows image/bmp.

What files only relate to image/bmp?

Example:

gif
png
jpg

Are there any more?

I wanted only the above to be uploaded, but I
seem not to get the png to validate while using an eregi statement,
but the image_bmp works. But how many image/bmp are there?

But if image/bmp only stands for graphic or photo files, great, I'll continue. Any ideas? Cheers.


Wish I knew all about PHP. Damn, I will have to learn.
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#2 toplay

toplay
  • Staff Alumni
  • Advanced Member
  • 973 posts

Posted 13 May 2006 - 11:08 PM

See:

http://filext.com/detaillist.php?extdetail=bmp&Search=Search

You have to be very careful when allowing uploading of files, for security reasons. You cannot rely on the extension as what the file data actually is. The $_FILES['userfile']['type'] is not reliable because it's sent by the browser (if one is even used), and it determines the MIME type by the file's extension. The file could really be an executable (e.g. .exe) but its extension changed to .jpg on purpose, and the browser will incorrectly send image/jpeg as the MIME type.

After the file is uploaded to the temporary directory, and before moving it to a permanent location, find out exactly what type of file it is (and that you allow it for your needs). For picture files, you can use the getimagesize() function, which returns an array of info including the file type, or false if it's not a picture file. See:

http://us2.php.net/manual/en/function.getimagesize.php

For other types of files, you can use finfo_file(), but it requires a PECL extension (PEAR installation). See:

http://us2.php.net/manual/en/function.finfo-file.php

Or mime_content_type() is available in PHP 4.3.0+:

http://us2.php.net/manual/en/function.mime-content-type.php


When a file is not acceptable to you, remember to delete it from the temporary directory and give an error to the user (or ban them if they try it too many times).

hth.



#3 redarrow

redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Location: london

Posted 13 May 2006 - 11:50 PM

Do you agree that this is more secure than the above way?

To me as a learner it all looks the same, lol.

And thank you, I have been reading.


// $userfile must be the path of the uploaded file (e.g. $_FILES['userfile']['tmp_name'])
$blah = getimagesize($userfile);          // false if the file is not an image
$type = $blah ? $blah['mime'] : false;    // e.g. "image/png"
$width = $blah[0];
$height = $blah[1];

if ($type) {

    // do it

} else {

    echo "sorry the file is a wrong file type ";

}



#4 toplay

toplay
  • Staff Alumni
  • Advanced Member
  • 973 posts

Posted 14 May 2006 - 12:12 AM

Yes, it's better. That function doesn't return an associative array. It's numerically indexed.

Example:
$pic_info = getimagesize($userfile);   // $userfile = path of the uploaded temp file

if (!$pic_info) {

    echo "sorry the file is a wrong file type";
    // delete file
    exit;

} else {
    // 1 = GIF, 2 = JPEG, 3 = PNG, 6 = BMP, 7 = TIFF (Intel), 8 = TIFF (Motorola)
    $allowed_types = array(1, 2, 3, 6, 7, 8);

    $width = $pic_info[0];
    $height = $pic_info[1];
    $type = $pic_info[2];

    // Can allow all or check for specific types

    if (!in_array($type, $allowed_types)) {
        echo "sorry we only allow GIF, JPG, PNG, BMP, and TIFF";
        // delete file
        exit;
    }

    // Move file from temp dir to permanent location

}


#5 redarrow

redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Location: london

Posted 14 May 2006 - 12:54 AM

I am really getting there now, cheers. What about deleting the file from the folder?


In the update.php I got it so the user can update their file, and it also changes the database name and also puts the new pic in the folder. What do I use to delete a file within a folder?


Thank you so much, great code.


#6 rab

rab
  • Members
  • PipPipPip
  • Advanced Member
  • 155 posts

Posted 14 May 2006 - 01:14 AM

I would parse the file for arbitrary code. I've seen/done this hack before on poor validation of image types.
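Putting toplay's advice and rab's warning together, here is an added example (not code from the thread) that checks the uploaded bytes with getimagesize() and finfo, then re-encodes the picture through GD so data appended to or hidden inside an otherwise valid image is not carried into the stored file. It assumes the form field is called userfile, that the finfo and GD extensions are loaded, and that the destination directory already exists.

```php
<?php
// Added example, not from the thread. Validates an upload by content, rejects
// and deletes anything that is not a GIF/JPEG/PNG, and re-encodes the image
// so only pixel data reaches the permanent location.
function accept_image_upload(array $file, string $dest_dir): ?string
{
    // Only trust a file PHP itself received through the upload mechanism.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $tmp = $file['tmp_name'];

    // getimagesize() parses the image header; it returns false for non-images.
    $info    = @getimagesize($tmp);
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if ($info === false || !isset($allowed[$info[2]])) {
        unlink($tmp);                       // reject: remove it from the temp dir
        return null;
    }

    // Second opinion from libmagic, independent of the browser's $_FILES type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmp) !== $info['mime']) {
        unlink($tmp);
        return null;
    }

    // Re-encode through GD: the new file is written from decoded pixels only,
    // so trailing or embedded bytes from the original are dropped.
    $img = @imagecreatefromstring(file_get_contents($tmp));
    if ($img === false) {
        unlink($tmp);
        return null;
    }
    $ext  = $allowed[$info[2]];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // server-chosen name, never the client's
    $dest = rtrim($dest_dir, '/') . '/' . $name;
    switch ($ext) {
        case 'gif': $ok = imagegif($img, $dest);       break;
        case 'jpg': $ok = imagejpeg($img, $dest, 90);  break;
        default:    $ok = imagepng($img, $dest);       break;
    }
    imagedestroy($img);
    unlink($tmp);
    return $ok ? $name : null;
}

// Usage in the receiving script (assumed directory name):
// $saved = accept_image_upload($_FILES['userfile'], __DIR__ . '/members_uploads');
// if ($saved === null) { echo "sorry the file is a wrong file type"; }
```

Re-encoding also strips EXIF and other metadata, which is usually what you want for user avatars; keep the original only if that metadata matters to you.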

#7 redarrow

redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Location: london

Posted 14 May 2006 - 01:20 AM

toplay, I came up with this on the form of update.php


if (isset($_POST['submit'])) {   // '$submit' in quotes is a string literal, so it was always true

    // unlink() needs the path to the file, not just the name stored in the row;
    // opening the directory with fopen() is not needed to delete a file in it
    $path = "/members_uploads/" . $row["userfile_name"];

    unlink($path);
}


Am so close, but it won't delete; the error tells me there's no file, lol.

The row variable does match the pic name.

#8 redarrow

redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Location: london

Posted 14 May 2006 - 03:17 AM

I have got the unlink working. The problem is, when you go to the update page, the picture that was in the folder gets deleted before the user submits.

Any ideas please? Tried but failed, please help, cheers.

Whatever condition I use it always deletes, or the pic will not delete. Any ideas please? Cheers.

<?php session_start();
$db = mysql_connect("localhost", "xxx", "xxx");
mysql_select_db("promotor", $db);
// $name and $id are interpolated unescaped into the query
$query = "select * from members_picture_uploads where name='$name' and id='$id'";
$result = mysql_query($query);
while ($row = mysql_fetch_assoc($result)) {

    // this runs on every request for the page, i.e. before the form is submitted
    $fn = $row["userfile_name"];
    $rs = unlink($fn);

?>

<html>
<head>
</head>
<body>
<h1>Please update profile picture!</h1>

<br><br>Current picture name:<br><font color="red"><b><?php echo $row["userfile_name"]; } ?></b></font>


<form enctype="multipart/form-data"
      action="http://xxxx/collage/bands/members_update_picture_result.php"
      method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="200000">
<br>
please choose a different picture
<br>
<input type="file" name="userfile">
<br>
<input type="submit" value="send">
<br>
</form>
</body>
</html>

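The ordering problem in the post above (the old picture is removed as soon as the page is rendered) is illustrated here with an added example that is not redarrow's code: the delete sits inside the POST branch and runs only after the replacement has been validated and moved. It assumes a directory constant UPLOAD_DIR, a $current_name already read from members_picture_uploads, and the form field userfile.

```php
<?php
// Added example, not from the thread. The old file is deleted only after the
// new upload has been checked and stored; a plain GET just renders the form.
const UPLOAD_DIR = '/var/www/members_uploads';   // assumed location

function replace_member_picture(array $file, ?string $current_name): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;                                  // nothing valid was sent
    }
    // Check the bytes, not the browser's type (see toplay's reply above).
    $info    = @getimagesize($file['tmp_name']);
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        unlink($file['tmp_name']);
        return null;                                  // keep the old picture
    }
    $new_name = bin2hex(random_bytes(16)) . image_type_to_extension($info[2]);
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $new_name)) {
        return null;
    }
    // Only now remove the old file. basename() drops any directory part, so a
    // stored name such as "../config.php" cannot point outside UPLOAD_DIR.
    if ($current_name !== null) {
        $old = UPLOAD_DIR . '/' . basename($current_name);
        if (is_file($old)) {
            unlink($old);
        }
    }
    return $new_name;   // caller writes this back to members_picture_uploads
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['userfile'])) {
    $saved = replace_member_picture($_FILES['userfile'], $current_name ?? null);
    echo $saved === null ? 'sorry the file is a wrong file type' : 'picture updated';
}
// On GET nothing above runs except the definitions; render the form here.
```

Update the database row with the returned name in the same request, so the stored name and the file on disk never disagree.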



