
prevent anything except images from being uploaded

Posted: Tue Jun 20, 2017 12:26 pm
by cjkeane
Hi.
I'm using this script to allow image uploads, but even though there are error messages at the end of the script, they don't display. Any type of file can still be uploaded. Any help would be appreciated. Files do get uploaded, but I need only images to be uploaded. Thanks.

Code: Select all

/* Function to change profile picture */
function changeProfilePic() {
	$post = isset($_POST) ? $_POST: array();
	$max_width = "500"; 
	//$userId = isset($post['hdn-profile-id']) ? intval($post['hdn-profile-id']) : 0;
	$userId = $_SESSION['user'];
	$path = 'images/profile_pictures/' . $userId;
	// Each allowed extension must be its own array element for in_array() to match it
	$valid_formats = array("jpg", "png", "gif", "jpeg", "JPEG", "PNG", "GIF");
	$name = $_FILES['profile-pic']['name'];
	$size = $_FILES['profile-pic']['size'];
	if(strlen($name)) {
		list($txt, $ext) = explode(".", $name);
		if(in_array($ext,$valid_formats)) {
			if($size<(1024*1024)) {
				$actual_image_name = 'avatar' .'_'.$userId .'.'.$ext;
				$filePath = $path .'/'.$actual_image_name;
				$tmp = $_FILES['profile-pic']['tmp_name'];
				if (!is_dir($path)) {
					mkdir($path, 0777, true);
				}
				if(move_uploaded_file($tmp, $filePath)) {
					$width = getWidth($filePath);
					$height = getHeight($filePath);
					//Scale the image if it is greater than the width set above
					if ($width > $max_width){
						$scale = $max_width/$width;
						$uploaded = resizeImage($filePath,$width,$height,$scale, $ext);
					} else {
						$scale = 1;
						$uploaded = resizeImage($filePath,$width,$height,$scale, $ext);
					}					
					echo "<img id='photo' file-name='".$actual_image_name."' class='' src='".$filePath.'?'.time()."' class='preview'/>";
				}
				else
				echo "failed";
			}
			else
			echo "Image file size max 1 MB"; 
		}
		else
		echo "Invalid file format.."; 
	}
	else
	echo "Please select image..!";
	exit;
}

Re: prevent anything except images from being uploaded

Posted: Wed Jun 21, 2017 10:46 am
by Christopher
Your code should work. Which of the error messages are you getting? Is there a call to move_uploaded_file() somewhere else?

You might want to check the actual mime type of the temp file instead of extensions. Here is code from the PHP manual page:

Code: Select all

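    // Detect the MIME type from the file content, not from the client-supplied name
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $ext = array_search(
        $finfo->file($_FILES['upfile']['tmp_name']),
        array(
            'jpg' => 'image/jpeg',
            'png' => 'image/png',
            'gif' => 'image/gif',
        ),
        true
    );
    if (false === $ext) {
        // Detected type is not in the allowed list: reject the upload here
    }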
PS - I would not recommend using exit; inside a function
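
The MIME-type check suggested above, carried through as an added example that is not part of the thread: it compares what the client-supplied file name claims with what the file content actually is, using constructed sample files. The function names and the allowlist constant are hypothetical. In an upload handler the path passed in would be `$_FILES['profile-pic']['tmp_name']`, checked before `move_uploaded_file()` is called.

```php
<?php
// Allowed content types mapped to the extension the server will store them under.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// What an extension check sees: the last extension of the client-supplied name.
function extensionFromName(string $clientName): string
{
    return strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
}

// Returns the extension to store the file under, or null when the content
// is not an allowed image. The client-supplied name is never consulted.
function imageExtensionFromContent(string $tmpPath, int $maxBytes = 1048576): ?string
{
    if (!is_file($tmpPath) || filesize($tmpPath) > $maxBytes) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        return null;
    }
    // Second opinion: the image header must parse and agree with the detected type.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime];
}

// Constructed samples: a 1x1 GIF and a plain-text file, both named like JPEGs.
$samples = [
    'avatar.jpg'  => base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'),
    'holiday.jpg' => "this is plain text, not an image\n",
];
foreach ($samples as $clientName => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $ext = imageExtensionFromContent($tmp);
    printf("%-12s name says: %-4s content says: %s\n",
        $clientName, extensionFromName($clientName), $ext ?? 'rejected');
    unlink($tmp);
}
```

Both sample names pass an extension check, but only the GIF passes the content check, and it is stored with the extension that matches its real type rather than the one in its name.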

Re: prevent anything except images from being uploaded

Posted: Wed Jun 21, 2017 10:58 am
by cjkeane
Yes I was thinking of checking mimetypes instead of just the extensions.
I'm not receiving any error message, it allows the upload of a txt file and/or any other file.
I'll change the code to include the mimetype array as you suggest and see if it helps. Thanks.
Why is exit not recommended inside a function?

Re: prevent anything except images from being uploaded

Posted: Sat Jun 24, 2017 11:11 am
by Christopher
Have you checked the value in $ext? Why is this line succeeding:

Code: Select all

    if(in_array($ext,$valid_formats)) {