I am creating PHP image validation and zip file validation scripts my zip file validation script is working but I have added image validation but it's not working I want to add image file type jpeg,png file type I have tried to do that's not working
Here is my code
if($_FILES['fileImage']['tmp_name'][0] != "fileImage/jpg") {
die($_FILES['fileImage']['name'][0] . " is not a valid image file.");
exit;
}
$z = zip_open($_FILES['fileImage']['tmp_name'][4]);
if (!is_resource($z)) {
die($_FILES['fileImage']['name'][4] . " is not a valid ZIP file.");
}
zip_close($z);
I would first check the temp file with mime_content_type. The result does not depend on the file extension, which would be easy to manipulate. Further processing could then complete the validation.
$tmpFile = $_FILES['fileImage']['tmp_name'];
switch ($mimeType = mime_content_type($tmpFile)) {
case 'application/zip':
//... process zip ... zip_open, etc
break;
case 'image/jpeg':
//... process image ... getimagesize etc.
break;
default:
die('Unknown filetype "' . $mimeType . '".');
}
Try the following code.
$tempFile = $_FILES['file']['name'];
// Get the file extension
$fileExt = pathinfo($tempFile, PATHINFO_EXTENSION);
// Allowed extensions
$imageExt = ['jpg', 'png', 'gif'];
$compressExt = ['rar', 'zip'];
// Validation
if ( !in_array($fileExt, $imageExt) ) {
die('Not image format');
} elseif ( !in_array($fileExt, $compressExt) ) {
die('No compression format');
} else {
// proceed
}
Related
Code
if(is_array($_FILES) && isset($_FILES['photography_attachment'])) {
if(is_uploaded_file($_FILES['photography_attachment']['tmp_name'])) {
$fileName = $_FILES["photography_attachment"]["name"]; // The file name
$fileTmpLoc = $_FILES["photography_attachment"]["tmp_name"]; // File in the PHP tmp folder
$fileType = $_FILES["photography_attachment"]["type"]; // The type of file it is
$fileSize = $_FILES["photography_attachment"]["size"]; // File size in bytes
$fileErrorMsg = $_FILES["photography_attachment"]["error"]; // 0 = false | 1 = true
$kaboom = explode(".", $fileName); // Split file name into an array using the dot
$fileExt = end($kaboom); // Now target the last array element to get the file extension
if (!$fileTmpLoc) { // if file not chosen
$error = $error."<p>Please browse for a file before clicking the upload button.</p>";
} else if($fileSize > 10485760) { // if file size is larger than 2 Megabytes
$error = $error."<p><span>Your file was larger than</span> 10 <span>Megabytes in size</span>.</p>";
unlink($fileTmpLoc); // Remove the uploaded file from the PHP temp folder
} else if (!preg_match("/.(gif|jpg|png|jpeg)$/i", $fileName) ) {
// This condition is only if you wish to allow uploading of specific file types
$error = $error."<p>Your file was not .gif, .jpg, .png</p>";
unlink($fileTmpLoc); // Remove the uploaded file from the PHP temp folder
} else if ($fileErrorMsg == 1) { // if file upload error key is equal to 1
$error = $error."<p>An error occured while processing the file. Try again.</p>";
}
}else{ $error = "Please try again !!!"; }
}else{ $error = "Attachment field cannot be blank!"; }
Always goto "Please try again !!!" else while uploading image in windows, but it worked well in linux system.
Can you please any one help me for this issue?
On windows platforms you musst replace inside the file path the "\" with an "/"
Like this:
$file = str_replace ("\\", "/", $_FILES['photography_attachment']['tmp_name']);
if(is_uploaded_file($file)) {
[...]
}
Or use the php build in method, for all systems:
$file = realpath($_FILES['photography_attachment']['tmp_name']);
if(is_uploaded_file($file)) {
[...]
}
Here is the file upload code. It works in such a way that it accepts all the image extensions. But it needs to validate the file type (video, word doc etc). I need it to only upload images. For an example what happens now is that when I select a word document and submit my form, it shows a bunch of errors, inserts the record but not the file. What should happen is that, if the file is anything other than an image, it should not let the user insert the record. Should get an error message saying to check the file type when the form is submitted. Please assist me in achieving this.
if( isset($_FILES['img']) )
{
//resizing the image
$image = new SimpleImage();
$image->load($_FILES['img']['tmp_name']);
$image->resizeToHeight(180);
$info = pathinfo($_FILES['img']['name']);
$file = 'uploads/' . basename($_FILES['img']['name'],'.'.$info['extension']) . '.png';
if ($image->save($file))
{
if($fp = fopen($file , 'rb'))
{
$data = fread($fp, filesize($file));
//encoding the the image only to text so can be stored in DB
$data = base64_encode($data);
fclose($fp);
}
}
else
{
$error = '<p id="failed">Invalid Image</p>';
}
You need to check MIME type on the image, something like that:
if (isset($_FILES['img'])) {
$file = $_FILES['img'];
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $file['tmp_name']);
finfo_close($finfo);
if (strpos($mime, 'image') === false) {
die('The submitted file is not an image!');
}
// Uploading code..
}
If mime string has 'image' in it, then it's image. Hope that will help.
In older PHP versions you can use mime_content_type. However if you have PHP > 5.3 you should use the finfo_* functions
You should also check is_uploaded_file() rather than isset()
if( is_uploaded_file( $_FILES['img']['tmp_name'] ) ) {
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$type = finfo_file( $_FILES['img']['tmp_name'] );
if( $type == 'image/gif' ) { // for example
// do stuff
}
}
I have an upload script which uploads files to hosting and the redirects to success urlcode of upload script is as below. I want to get value from this to success url.
<?php
// Folder to upload files to. Must end with slash /
define('DESTINATION_FOLDER',$_SERVER['DOCUMENT_ROOT'].'/upload/');
// Maximum allowed file size, Kb
// Set to zero to allow any size
define('MAX_FILE_SIZE', 0);
// Upload success URL. User will be redirected to this page after upload.
define('SUCCESS_URL','http://sap.layyah.info/result.php');
// Allowed file extensions. Will only allow these extensions if not empty.
// Example: $exts = array('avi','mov','doc');
$exts = array();
// rename file after upload? false - leave original, true - rename to some unique filename
define('RENAME_FILE', false);
// put a string to append to the uploaded file name (after extension);
// this will reduce the risk of being hacked by uploading potentially unsafe files;
// sample strings: aaa, my, etc.
define('APPEND_STRING', '');
####################################################################
END OF SETTINGS. DO NOT CHANGE BELOW
####################################################################
// Allow script to work long enough to upload big files (in seconds, 2 days by default)
#set_time_limit(172800);
// following may need to be uncommented in case of problems
// ini_set("session.gc_maxlifetime","10800");
function showUploadForm($message='') {
$max_file_size_tag = '';
if (MAX_FILE_SIZE > 0) {
// convert to bytes
$max_file_size_tag = "<input name='MAX_FILE_SIZE' value='".(MAX_FILE_SIZE*1024)."' type='hidden' >\n";
}
// Load form template
include ('file-upload.html');
}
// errors list
$errors = array();
$message = '';
// we should not exceed php.ini max file size
$ini_maxsize = ini_get('upload_max_filesize');
if (!is_numeric($ini_maxsize)) {
if (strpos($ini_maxsize, 'M') !== false)
$ini_maxsize = intval($ini_maxsize)*1024*1024;
elseif (strpos($ini_maxsize, 'K') !== false)
$ini_maxsize = intval($ini_maxsize)*1024;
elseif (strpos($ini_maxsize, 'G') !== false)
$ini_maxsize = intval($ini_maxsize)*1024*1024*1024;
}
if ($ini_maxsize < MAX_FILE_SIZE*1024) {
$errors[] = "Alert! Maximum upload file size in php.ini (upload_max_filesize) is less than script's MAX_FILE_SIZE";
}
// show upload form
if (!isset($_POST['submit'])) {
showUploadForm(join('',$errors));
}
// process file upload
else {
while(true) {
// make sure destination folder exists
if (!#file_exists(DESTINATION_FOLDER)) {
$errors[] = "Destination folder does not exist or no permissions to see it.";
break;
}
// check for upload errors
$error_code = $_FILES['filename']['error'];
if ($error_code != UPLOAD_ERR_OK) {
switch($error_code) {
case UPLOAD_ERR_INI_SIZE:
// uploaded file exceeds the upload_max_filesize directive in php.ini
$errors[] = "File is too big (1).";
break;
case UPLOAD_ERR_FORM_SIZE:
// uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form
$errors[] = "File is too big (2).";
break;
case UPLOAD_ERR_PARTIAL:
// uploaded file was only partially uploaded.
$errors[] = "Could not upload file (1).";
break;
case UPLOAD_ERR_NO_FILE:
// No file was uploaded
$errors[] = "Could not upload file (2).";
break;
case UPLOAD_ERR_NO_TMP_DIR:
// Missing a temporary folder
$errors[] = "Could not upload file (3).";
break;
case UPLOAD_ERR_CANT_WRITE:
// Failed to write file to disk
$errors[] = "Could not upload file (4).";
break;
case 8:
// File upload stopped by extension
$errors[] = "Could not upload file (5).";
break;
} // switch
// leave the while loop
break;
}
// get file name (not including path)
$filename = #basename($_FILES['filename']['name']);
// filename of temp uploaded file
$tmp_filename = $_FILES['filename']['tmp_name'];
$file_ext = #strtolower(#strrchr($filename,"."));
if (#strpos($file_ext,'.') === false) { // no dot? strange
$errors[] = "Suspicious file name or could not determine file extension.";
break;
}
$file_ext = #substr($file_ext, 1); // remove dot
// check file type if needed
if (count($exts)) { /// some day maybe check also $_FILES['user_file']['type']
if (!#in_array($file_ext, $exts)) {
$errors[] = "Files of this type are not allowed for upload.";
break;
}
}
// destination filename, rename if set to
$dest_filename = $filename;
if (RENAME_FILE) {
$dest_filename = md5(uniqid(rand(), true)) . '.' . $file_ext;
}
// append predefined string for safety
$dest_filename = $dest_filename . APPEND_STRING;
// get size
$filesize = intval($_FILES["filename"]["size"]); // filesize($tmp_filename);
// make sure file size is ok
if (MAX_FILE_SIZE > 0 && MAX_FILE_SIZE*1024 < $filesize) {
$errors[] = "File is too big (3).";
break;
}
if (!#move_uploaded_file($tmp_filename , DESTINATION_FOLDER . $dest_filename)) {
$errors[] = "Could not upload file (6).";
break;
}
// redirect to upload success url
header('Location: ' . SUCCESS_URL);
die();
break;
} // while(true)
// Errors. Show upload form.
$message = join('',$errors);
showUploadForm($message);
}
?>
I want to show $dest_filename on SUCCESS_URL I have tried include and echo but it is not working
In Success URL I am Using:
<?php
if(isset($_GET['uploaded_file_url'])){
$var_1 = $_GET['uploaded_file_url'];
echo $var_1;
}
echo 'Click here for uploaded file!;
Is this what you're after??
// redirect to upload success url
header('Location: '.SUCCESS_URL."?uploaded_file_url=".DESTINATION_FOLDER."/".$dest_filename);
die();
In your successful url script put this at the top of your page:
if(isset($_GET['uploaded_file_url'])){
$var_1 = $_GET['uploaded_file_url'];
echo $var_1;
}
If you want a hyperlink to the url of that file (for download etc), then just wrap a tags around it like so:
echo 'Click here for uploaded file!;
Try to use POST and GET to pass the string on the URL.
I have an upload script that I found online and modified a little. I need a way to make sure that every file that is uploaded has a unique name; something short at first and as the number of files increase, the length of the name can increase too. My script I've used is...
<?php
// Folder to upload files to. Must end with slash /
define('DESTINATION_FOLDER','../uploads/');
// Maximum allowed file size, Kb
// Set to zero to allow any size
define('MAX_FILE_SIZE', 10240);
// Upload success URL. User will be redirected to this page after upload.
define('SUCCESS_URL','my info');
// Allowed file extensions. Will only allow these extensions if not empty.
// Example: $exts = array('avi','mov','doc');
$exts = array('jpg', 'jpeg', 'png', 'gif');
// rename file after upload? false - leave original, true - rename to some unique filename
define('RENAME_FILE', true);
// put a string to append to the uploaded file name (after extension);
// this will reduce the risk of being hacked by uploading potentially unsafe files;
// sample strings: aaa, my, etc.
define('APPEND_STRING', '');
// Need uploads log? Logs would be saved in the MySql database.
define('DO_LOG', true);
// MySql data (in case you want to save uploads log)
define('DB_HOST','my info'); // host, usually localhost
define('DB_DATABASE','my info'); // database name
define('DB_USERNAME','my info'); // username
define('DB_PASSWORD','my info'); // password
/*CREATE TABLE uploads_log (
log_id int(11) unsigned NOT NULL auto_increment,
log_filename varchar(128) default '',
log_size int(10) default 0,
log_ip varchar(24) default '',
log_date timestamp,
PRIMARY KEY (log_id),
KEY (log_filename)
);*/
####################################################################
### END OF SETTINGS. DO NOT CHANGE BELOW
####################################################################
// Allow script to work long enough to upload big files (in seconds, 2 days by default)
#set_time_limit(172800);
// following may need to be uncommented in case of problems
// ini_set("session.gc_maxlifetime","10800");
function showUploadForm($message='') {
$max_file_size_tag = '';
if (MAX_FILE_SIZE > 0) {
// convert to bytes
$max_file_size_tag = "<input name='MAX_FILE_SIZE' value='".(MAX_FILE_SIZE*1024)."' type='hidden' >\n";
}
// Load form template
include ('index.php');
}
// errors list
$errors = array();
$message = '';
// we should not exceed php.ini max file size
$ini_maxsize = ini_get('upload_max_filesize');
if (!is_numeric($ini_maxsize)) {
if (strpos($ini_maxsize, 'M') !== false)
$ini_maxsize = intval($ini_maxsize)*1024*1024;
elseif (strpos($ini_maxsize, 'K') !== false)
$ini_maxsize = intval($ini_maxsize)*1024;
elseif (strpos($ini_maxsize, 'G') !== false)
$ini_maxsize = intval($ini_maxsize)*1024*1024*1024;
}
if ($ini_maxsize < MAX_FILE_SIZE*1024) {
$errors[] = "Alert! Maximum upload file size in php.ini (upload_max_filesize) is less than script's MAX_FILE_SIZE";
}
// show upload form
if (!isset($_POST['submit'])) {
showUploadForm(join('',$errors));
}
// process file upload
else {
while(true) {
// make sure destination folder exists
if (!#file_exists(DESTINATION_FOLDER)) {
$errors[] = "Destination folder does not exist or no permissions to see it.";
break;
}
// check for upload errors
$error_code = $_FILES['filename']['error'];
if ($error_code != UPLOAD_ERR_OK) {
switch($error_code) {
case UPLOAD_ERR_INI_SIZE:
// uploaded file exceeds the upload_max_filesize directive in php.ini
$errors[] = "File is too big (1).";
break;
case UPLOAD_ERR_FORM_SIZE:
// uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form
$errors[] = "File is too big (2).";
break;
case UPLOAD_ERR_PARTIAL:
// uploaded file was only partially uploaded.
$errors[] = "Could not upload file (1).";
break;
case UPLOAD_ERR_NO_FILE:
// No file was uploaded
$errors[] = "Could not upload file (2).";
break;
case UPLOAD_ERR_NO_TMP_DIR:
// Missing a temporary folder
$errors[] = "Could not upload file (3).";
break;
case UPLOAD_ERR_CANT_WRITE:
// Failed to write file to disk
$errors[] = "Could not upload file (4).";
break;
case 8:
// File upload stopped by extension
$errors[] = "Could not upload file (5).";
break;
} // switch
// leave the while loop
break;
}
// get file name (not including path)
$filename = #basename($_FILES['filename']['name']);
// filename of temp uploaded file
$tmp_filename = $_FILES['filename']['tmp_name'];
$file_ext = #strtolower(#strrchr($filename,"."));
if (#strpos($file_ext,'.') === false) { // no dot? strange
$errors[] = "Suspicious file name or could not determine file extension.";
break;
}
$file_ext = #substr($file_ext, 1); // remove dot
// check file type if needed
if (count($exts)) { /// some day maybe check also $_FILES['user_file']['type']
if (!#in_array($file_ext, $exts)) {
$errors[] = "Files of this type are not allowed for upload.";
break;
}
}
// destination filename, rename if set to
$dest_filename = $filename;
if (RENAME_FILE) {
$dest_filename = md5(uniqid(rand(), true)) . '.' . $file_ext;
}
// append predefined string for safety
$dest_filename = $dest_filename . APPEND_STRING;
// get size
$filesize = intval($_FILES["filename"]["size"]); // filesize($tmp_filename);
// make sure file size is ok
if (MAX_FILE_SIZE > 0 && MAX_FILE_SIZE*1024 < $filesize) {
$errors[] = "File is too big (3).";
break;
}
if (!#move_uploaded_file($tmp_filename , DESTINATION_FOLDER . $dest_filename)) {
$errors[] = "Could not upload file (6).";
break;
}
if (DO_LOG) {
// Establish DB connection
$link = #mysql_connect(DB_HOST, DB_USERNAME, DB_PASSWORD);
if (!$link) {
$errors[] = "Could not connect to mysql.";
break;
}
$res = #mysql_select_db(DB_DATABASE, $link);
if (!$res) {
$errors[] = "Could not select database.";
break;
}
/*$m_ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
$m_size = $filesize;
$m_fname = mysql_real_escape_string($dest_filename);
$sql = "insert into _uploads_log (log_filename,log_size,log_ip) values ('$m_fname','$m_size','$m_ip')";
$res = #mysql_query($sql);
if (!$res) {
$errors[] = "Could not run query.";
break;
}*/
#mysql_free_result($res);
#mysql_close($link);
} // if (DO_LOG)
// redirect to upload success url
header('Location: ' . SUCCESS_URL);
die();
break;
} // while(true)
// Errors. Show upload form.
$message = join('',$errors);
showUploadForm($message);
}
?>
Plus, what other security procedures should I use? If you know any, could you please implement them into my code and re-post them? Thank you!!!
The code you've posted already includes the lines:
if (RENAME_FILE) {
$dest_filename = md5(uniqid(rand(), true)) . '.' . $file_ext;
}
This is a perfectly good way to generate a random unique file name in PHP. The string returned by md5() will be 32 characters long; you could safely truncate it a bit, but if you go much below 16 characters or so, you start risking collisions.
Of course, if you want to make sure there are no collisions, you could always just check whether the file exist and retry if it does. This would even allow you to use shorter filenames:
if (RENAME_FILE) {
do {
$dest_filename = substr(md5(uniqid(rand(), true)), 0, 8) . ".$file_ext";
} while (file_exists(DESTINATION_FOLDER . $dest_filename . APPEND_STRING));
}
This should give you a unique 8-character (+ extension) filename. Of course, this will start slowing down after about 231 ≈ 2 billion uploaded files, and will fail completely at 232 ≈ 4 billion.
Please could someone show me where i need to change the code so that the image uploaded is renamed to "freddy" for e.g.
But still carries the correct existing extension i.e jpg, png, gif.
Thanks In Advance
<?php
// define a constant for the maximum upload size
define ('MAX_FILE_SIZE', 1024 * 50);
if (array_key_exists('upload', $_POST)) {
// define constant for upload folder
define('UPLOAD_DIR', '/home/richard/public_html/testing/editable-images/');
// replace any spaces in original filename with underscores
$file = str_replace(' ', '_', $_FILES['image']['name']);
// create an array of permitted MIME types
$permitted = array('image/gif', 'image/jpeg', 'image/pjpeg',
'image/png');
// upload if file is OK
if (in_array($_FILES['image']['type'], $permitted)
&& $_FILES['image']['size'] > 0
&& $_FILES['image']['size'] <= MAX_FILE_SIZE) {
switch($_FILES['image']['error']) {
case 0:
// check if a file of the same name has been uploaded
// Uncomment to stop overwritten files >>>> if (!file_exists(UPLOAD_DIR . $file)) {
// move the file to the upload folder and rename it
$success =
move_uploaded_file($_FILES['image']['tmp_name'], UPLOAD_DIR .
$file);
// Uncomment to stop overwritten files >>>> } else {
// Uncomment to stop overwritten files >>>> $result = 'A file of the same name already exists.';
// Uncomment to stop overwritten files >>>>> }
if ($success) {
$result = "$file uploaded successfully.";
} else {
$result = "Error uploading $file. Please try again.";
}
break;
case 3:
case 6:
case 7:
case 8:
$result = "Error uploading $file. Please try again.";
break;
case 4:
$result = "You didn't select a file to be uploaded.";
}
} else {
$result = "$file is either too big or not an image.";
}
}
?>
// get file extension
$ext = end(explode($_FILES['image']['name']));
// name your file and preserve file extension
$file = "freddy.".$ext;
// create an array of permitted MIME types
....
Check description of method move_uploaded_file here