get the file extension during upload php - php

I'm trying to add the file extension to my file during upload. Since I'm finding it hard to do, I've hard-coded it in lower case as .jpeg in my script. How do I get rid of the hard-coded file extension and dynamically replace it with the original uploaded one, because it could be gif, pdf, etc.?
<?php
$def_date=strtotime(date('Y-m-d H:i:s'));
$rename = "gwcl_".rand(0,1000000000000).$def_date.".jpg";
$file_loc = $_FILES['file']['tmp_name'];
$folder="../complains_photos/";
$new_file_name = strtolower($rename);
move_uploaded_file($file_loc,$folder.$new_file_name);
echo $new_file_name
?>

$_FILES['file']['tmp_name'] that you're using contains a temporary filename for the uploaded file. But if you want the original filename, including extension, then use $_FILES['file']['name'].

Related

How To Perform Secure Image Upload Using MIME Instead Of Allowed File Types Which Detects Image Extension Only

I have written a php script which checks the image file for its extension, such as JPG, JPEG, PNG, GIF, uploaded through an HTML form.
Now comes my problem: anyone may upload any kind of file by giving it an extension of JPG, JPEG, PNG, GIF.
Can someone help me on that? One should strictly be able to upload only an image file and not any other file which carries just extension of Image file.
I tried hard... but failed... Here is the php script I have written
CHECK MY FULL CODE I HAVE WRITTEN & ITS WORKING FINE BUT WHEN I CHANGE ANY FILE EXTENSION WITH IMAGE EXTENSION ITS ALLOWING UPLOAD ON SERVER WHICH IS NOT SECURE. PLEASE SEE THIS FULL CODE AND ADD SOLUTION, THIS WILL HELP OTHERS TOO - THANK YOU https://www.dropbox.com/s/prza75dyo7usjqy/secure%20image%20upload%20with%20checking%20extension.txt?dl=0
if (isset($_POST['submit']))
$filename = $_FILES["file"]["name"];
$file_basename = substr($filename, 0, strripos($filename, '.')); // get file name without the extension
$file_ext = substr($filename, strripos($filename, '.')); // get file extension, including the dot
$filesize = $_FILES["file"]["size"];
$allowed_file_types = array('.jpg','.png','.jpeg','.gif');
//instead of allowed file type i want to check image authenticity with MIME
if (in_array($file_ext,$allowed_file_types) && ($filesize < 100000))
You should use the fileinfo API, which lets you check a file's MIME content type by looking at its bytes, not its name.
An image MIME type always starts with image/, for example image/png.
$finfo = new finfo();
$mimeType = $finfo->file($_FILES['file']['tmp_name'], FILEINFO_MIME_TYPE);
$isImage = strpos($mimeType, 'image/') === 0;
If you want to be very restrictive on your allowed images, check the list of available MIME types.
Edit: be more specific
if (isset($_POST['submit'])) {
    $filename = $_FILES["file"]["tmp_name"];
    $filesize = $_FILES["file"]["size"];
    $allowed_file_types = array('image/jpeg','image/png','image/gif');
    $finfo = new finfo();
    $mimeType = $finfo->file($filename, FILEINFO_MIME_TYPE);
    $isImage = in_array($mimeType, $allowed_file_types);
    if ($isImage && $filesize < 100000) {
        // The file has an allowed image MIME type and is under the size limit
    }
}
The most secure way to check if something is really an image, is to open the file as an image and then re-generate it.
Things that are valid images can still carry loads of other information and can sometimes trick whatever is reading them. So the safest thing is to take the pixels from the image and regenerate it.
Extensions like fileinfo only check the first few bytes for a marker, but it's not 100% reliable. It might be good enough for you.
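
The checks from the answers above combined into one upload handler, as an added example that is not code from any of the posters: the type is sniffed with fileinfo, the pixels are decoded and re-encoded with GD, and the stored extension comes from the detected type rather than from the client's filename. The function name, the allow-list and the destination directory are assumptions of this sketch.

```php
<?php
// Added example; store_image_upload() and $destDir are hypothetical names.
// Needs PHP 8 with the fileinfo and gd extensions.

// Detected MIME type => extension used on disk. The client-supplied name is never used.
const ALLOWED_IMAGES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_image_upload(array $upload, string $destDir, int $maxBytes = 100000): string
{
    $tmp = $upload['tmp_name'] ?? '';
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('Upload failed or is not an HTTP upload');
    }
    if (filesize($tmp) >= $maxBytes) {   // same limit as the snippets above
        throw new RuntimeException('File too large');
    }

    // Sniff the type from the file's bytes, not from its name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!is_string($mime) || !isset(ALLOWED_IMAGES[$mime])) {
        throw new RuntimeException('Not an allowed image type');
    }

    // Decode the pixels; a file that only carries an image header fails here.
    $image = @imagecreatefromstring(file_get_contents($tmp));
    if ($image === false) {
        throw new RuntimeException('Image could not be decoded');
    }
    imagesavealpha($image, true);        // keep PNG transparency when re-encoding

    // Random name plus the extension derived from the detected type.
    $ext  = ALLOWED_IMAGES[$mime];
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // Re-encode from pixels so metadata and trailing data are not copied over.
    $ok = match ($ext) {
        'jpg' => imagejpeg($image, $dest, 90),
        'png' => imagepng($image, $dest),
        'gif' => imagegif($image, $dest),
    };
    if (!$ok) {
        throw new RuntimeException('Could not write re-encoded image');
    }
    return basename($dest);
}
```

Call it as `store_image_upload($_FILES['file'], '../complains_photos')`. Re-encoding with GD keeps only the first frame of an animated GIF.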

How to get file extension from uploaded image with no extension in filename

I'm trying to get the file extension of an uploaded image with
$ext = pathinfo($_FILES[$type]['name'], PATHINFO_EXTENSION);
It's working fine for filenames that have an extension in them, e.g. image.png, pic.jpg, etc., but when I remove .png/.jpg from the filename, e.g. image, pic, it returns nothing.
Any idea how I can get the extension, to be exact?
The exif_imagetype function does exactly that.

using php to check if a file is a kml file

I am using move_file_upload on my server side in PHP so that the client can allow users to upload their KML files to the server. I know that in order to check an image in PHP I can use $check = getimagesize(file), but what would be the equivalent for a KML file check?
I do not want to just check the extension of the file. I wish to know if the file is in fact a valid KML file or not. If I only check the extension, someone can just post some other malicious file and change its extension to .kml.
If you want to see if the file has the extension KML, you can use:
$filename = $_FILES["file"]["name"]; //or however you are getting the filename
$parts = explode(".", $filename); // end() takes its argument by reference, so it needs a variable
$ext = end($parts);
if($ext!="kml"){
//Extension is incorrect
}
Checking mime content can be helpful.
I am not quite sure what the correct MIME name of KML files is, but from checking on Google it should be something like:
mime_content_type ($file) === 'application/vnd.google-earth.kml+xml'
However, it's possible that there are MIME types set to 'application/xml' or 'text/xml', so extension validation is required as well.
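
A content check for the KML question above, as an added example that is not code from either answer: since a KML file is an XML document, it can be parsed and its root element checked instead of trusting the extension or the sniffed MIME type. The function name and the namespace allow-list are assumptions of this sketch, and refusing any DOCTYPE is a deliberate hardening choice.

```php
<?php
// Added example; is_kml_document() and KML_NAMESPACES are hypothetical names.
// Needs the xmlreader extension.

// Accepted root namespaces (assumption: only OGC KML 2.2; extend for older files).
const KML_NAMESPACES = ['http://www.opengis.net/kml/2.2'];

function is_kml_document(string $path): bool
{
    $previous = libxml_use_internal_errors(true);   // collect parse errors instead of printing them
    libxml_clear_errors();

    $reader    = new XMLReader();
    $rootIsKml = false;
    $rejected  = false;

    // LIBXML_NONET: the parser must never fetch anything over the network.
    if ($reader->open($path, null, LIBXML_NONET)) {
        // Read to the end so a file that is only well-formed up to its root tag fails.
        while ($reader->read()) {
            if ($reader->nodeType === XMLReader::DOC_TYPE) {
                $rejected = true;                   // KML needs no DTD; refuse entity declarations
                break;
            }
            if ($reader->nodeType === XMLReader::ELEMENT && $reader->depth === 0) {
                $rootIsKml = $reader->localName === 'kml'
                    && in_array($reader->namespaceURI, KML_NAMESPACES, true);
                if (!$rootIsKml) {
                    break;                          // some other XML document
                }
            }
        }
        $reader->close();
    }

    $wellFormed = libxml_get_errors() === [];       // any parser error means not well-formed
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    return $rootIsKml && !$rejected && $wellFormed;
}
```

Run it on `$_FILES['file']['tmp_name']` before `move_uploaded_file()`, and store accepted files under a server-generated name ending in `.kml`.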

Encoding uploaded files name

I want to ask, if I have a web form, and people use it to upload something to my db. If 2 persons uploaded the same file with the same name, in the uploads directory, one of them will replace the other. So I need to change the name of every file uploaded to db to : filename201405051200.pdf or jpg or...
Here the filename is, for example, image1, and the numbers are the date and time of the upload. So, any help? I am using the code shown as an answer in the link below:
Uploading blob files/images into Mysql
I used this code:
$path = "../uploads/".$_FILES['file']['name'];
if(move_uploaded_file($_FILES["file"]["tmp_name"], $path.'_'.time())){
...
}
But now the format type of the file is replaced by the time. So if it is img.jpg, it is now img85890338jpg and won't open properly.
You can use pathinfo to extract the file extension:
$fileExt = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
After that you can create your new file name:
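if(move_uploaded_file($_FILES["file"]["tmp_name"], $path.'_'.time().'.'.$fileExt)) {
    // time() supplies the timestamp; the bare date() call was dropped because date() requires a format argument
}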

How strong is my php file upload security?

I would like to check an uploaded file that is sent via email and not saved in the DB, allowing only the following extensions.
Is this something secure?
$allowed = array('pdf','doc');
$filename = $_FILES['video_file']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if(!in_array($ext,$allowed) ) {
echo 'error';
}
No, it isn't (a file could have two extensions: image.php.jpg).
If you are planning to upload only images, one good thing is to try to get the image size with getimagesize and remove it from the temp folder if it returns false.
