How do l make a function that validates and image - php

l have used the function below but its allowing even pdf to be uploaded
and its not checking if its an image
function image_allowed($file_extn) {
$allowed = array('jpg','jpeg','gif','png');
$file_name = $_FILES['image']['image_name'];
$file_extn = strtolower(end(explode('.', $file_name)));
$file_temp = $_FILES['image']['tmp_name'];
if (in_array($allowed,$file_extn )=== true){
return true;
}else {
return false;
}
and l checked using the code below and l dont know were lam getting it wrong
if (image_allowed($_POST['image'])=== true) {
$errors[] = ' images only are allowed.';
and l would love to know any checks that l might have ommited here


While comparing extensions might do the trick, it's not very safe as it easy to fake an extension. I would advise to check the mime types of the files.
Option 1 - using finfo
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$file_type = finfo_file($finfo, "image.gif");
finfo_close($finfo);
Output for this case: image/gif
Just remember to change your $allowed array accordingly.
You can see a list of possible mime types for images at wikipedia.
Option 2 - Using exif-imagetype
exif_imagetype('image.gif')
Just notice that in that case your $allowed array should contain constants that represent possible return values. (For further information look at the manual - link above)


You can check your image type using pathinfo (http://php.net/manual/en/function.pathinfo.php):
$path_parts = pathinfo('/your/image/path/');
echo $path_parts['extension']; // Your extension...
In your function code:
function image_allowed($imagePath) {
$allowed = array('jpg','jpeg','gif','png');
$myExtension = pathinfo($imagePath);
if(in_array($myExtension['extension'], $allowed)
return true;
else
return false;
}


You need to use like this:
function image_allowed() {
$allowed = array('jpg','jpeg','gif','png');
$file_name = $_FILES['image']['name'];
$file_extn = strtolower(end(explode('.', $file_name)));
$file_temp = $_FILES['image']['tmp_name'];
if (in_array($file_extn,$allowed)=== true){
return true;
}
return false;
}
if (image_allowed()=== false) {
$errors[] = ' images only are allowed.';
}else{
//save image or something else
}

Related

Type file (PNG or JPEG)

function upload(&$model){
if($_SERVER['REQUEST_METHOD'] === 'POST'){
$file = $_FILES['file'];
$file_name = $file['name'];
$file_ext2 = explode('.', $file_name);
$file_extenstion = strtolower(end($file_ext2));
$finfo = finfo_open(FILEINFO_MIME_TYPE);
echo(finfo_file($finfo, $file['tmp_name']));
echo($file['type']);
}
return "superliga_view";
}
Why
echo(finfo_file($finfo, $file['tmp_name']));
prints image/jpeg, but
echo($file['type']);
prints "image/png"?
I try make watemark, but
$image = imagecreatefrompng($target);
sometimes throws errors due to wrong file type. With small files php always reads them as png, but with large files it reads them as jpeg.

how to check uploaded file is video and make ensure really video type

Selected file is not notepad file with extension avi, mp4 etc.
I tried this:
$file_allowed = array('gif','png' ,'jpg','avi','mp4','wmv','mov','flv','webm','ogv','mp3','m4a','ogg','oga');
$uploaded_filename = $_FILES['attachment']['name'];
$file_ext = pathinfo($uploaded_filename, PATHINFO_EXTENSION);
if(!in_array($file_ext,$file_allowed) )
{
exit;
}

Try this variable for validation
$_FILES["attachment"]["type"];

Try changing your code like this:
$file_allowed = array('gif','png' ,'jpg','avi','mp4','wmv','mov','flv','webm','ogv','mp3','m4a','ogg','oga');
$uploaded_filename = $_FILES["attachment"]["type"];
$file_ext = pathinfo($uploaded_filename, PATHINFO_EXTENSION);
if(!in_array($file_ext,$file_allowed) ) {
exit;
}

Upload image according to name in PHP

Suppose there are 2 same images in different names. I want to upload these images & put them in different folder. Suppose, img1.jpg & a-img1.jpg are the images. Now img1.jpg will go on "files/images/" location & a-img1.jpg will go on "files/a-images/" location. I've successfully manage to upload images but it'll only go to one destination folder. This is my code,
$upload_errors = 0;
$images= $_FILES['img'];
$img_id = get_new_image_id();
$image_ok = true;
$queries = array();
$allowed_exts = array('jpg', 'png', 'jpeg', 'gif');
foreach ($images['tmp_name'] as $key => $val ) {
$fileName = $images['name'][$key];
$fileSize = $images['size'][$key];
$fileSize = round($fileSize/1024);
$fileTemp = $images['tmp_name'][$key];
$path_parts = pathinfo($fileName);
$fileExt = $path_parts['extension'];
$fileExt = strtolower($fileExt);
if($fileSize > 2*1024){
$image_ok = false;
}
if(!in_array($fileExt, $allowed_exts)){
$image_ok = false;
}
if($image_ok){
$upload_link = "files/images/".$img_id.".".$fileExt;
$tupload_link = "files/a-images/".$img_id.".".$fileExt;
move_uploaded_file($fileTemp, $upload_link);
move_uploaded_file($fileTemp, $tupload_link);
$img_id++;
}else{
$upload_errors++;
}
Is there any way to identify an image file like "a-img1.jpg"? I need this help badly. Tnx in advance!

Since you already moved the file a second move from the same source won't work. Maybe you should copy the file the second time.

You can use this function to see if the string starts with "a-":
function startsWith($haystack, $needle){
return strpos($haystack, $needle) === 0;
}
So you would do something like:
if(startsWith($img_id, "a-")){
$upload_link = "files/a-images/".$img_id.".".$fileExt;
}else{
$upload_link = "files/images/".$img_id.".".$fileExt;
}
move_uploaded_file($fileTemp, $upload_link);

Secure image upload in php

I am making an image upload function which I can re-use in my code, which has to be 100% secure. Please tell me if you can spot and security holes in my initial code;
function Upload($file)
{
list($width,$height,$type,$attr) = getimagesize($file);
$mime = image_type_to_mime_type($type);
if(($mime != "image/jpeg") && ($mime != "image/pjpeg") && ($mime != "image/png"))
{
return 'Error3: Upload file type un-recognized. Only .JPG or .PNG images allowed';
}else{
$Newname = md5('sillysalt'.time());
if (move_uploaded_file($file, 'images/'.$Newname.$type))
{
return 'Uploaded!';
}else{
return 'Server Error!';
}
}
}
UPDATE This is how far I've gotten with your help and some research, please tell me what you think. I don't mind much about the speed, for me it's all about being 100% secure, or as close to.
function Upload($file)
{
list($width,$height,$type,$attr) = getimagesize($file);
$mime = image_type_to_mime_type($type);
$folder = 'images/';
// mime checks add a layer of security that keeps out less sophisticated attackers
if(($mime != "image/jpeg") && ($mime != "image/pjpeg") && ($mime != "image/png"))
{
return 'Error3: Upload file type un-recognized. Only .JPG or .PNG images allowed';
}else{
// If the file has no width its not a valid image
if(!$width)
{
$Newname = md5('sillysalt'.time());
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime2 = finfo_file($finfo, $folder.$Newname);
// Should I remove this second mime check? since the info comes form the same spoofable source in the image
if(($mime != "image/jpeg") && ($mime != "image/pjpeg") && ($mime != "image/png"))
{
$fileType = exif_imagetype($file);
$allowed = array(IMAGETYPE_JPEG, IMAGETYPE_PNG);
if(!in_array($fileType, $allowed))
{
// don't overwrite an existing file
$i = 0;
$parts = pathinfo($file);
while(file_exists($folder . $name))
{
$i++;
$name = $Newname."-".$i.".".$parts["extension"];
}
if(move_uploaded_file($file, $folder.$name))
{
// set good permissions for the file
chmod($name, 0644);
return 'Uploaded!';
}else{
return 'Server Error!';
}
}
}
}
}
}

As long as you don't use the FileInfo (http://www.php.net/manual/en/ref.fileinfo.php) extensions from php to check the mime type, your function is not secure at all (think later you'll want to upload pdf's, excels, etc).
Also, md5 over md5 does nothing than increasing the collision chances.
L.E: Something as simple as the following should do it:
function getExtensionToMimeTypeMapping() {
return array(
'ai'=>'application/postscript',
'aif'=>'audio/x-aiff',
'aifc'=>'audio/x-aiff',
'aiff'=>'audio/x-aiff',
'anx'=>'application/annodex',
'asc'=>'text/plain',
'au'=>'audio/basic',
'avi'=>'video/x-msvideo',
'axa'=>'audio/annodex',
'axv'=>'video/annodex',
'bcpio'=>'application/x-bcpio',
'bin'=>'application/octet-stream',
'bmp'=>'image/bmp',
'c'=>'text/plain',
'cc'=>'text/plain',
'ccad'=>'application/clariscad',
'cdf'=>'application/x-netcdf',
'class'=>'application/octet-stream',
'cpio'=>'application/x-cpio',
'cpt'=>'application/mac-compactpro',
'csh'=>'application/x-csh',
'css'=>'text/css',
'csv'=>'text/csv',
'dcr'=>'application/x-director',
'dir'=>'application/x-director',
'dms'=>'application/octet-stream',
'doc'=>'application/msword',
'drw'=>'application/drafting',
'dvi'=>'application/x-dvi',
'dwg'=>'application/acad',
'dxf'=>'application/dxf',
'dxr'=>'application/x-director',
'eps'=>'application/postscript',
'etx'=>'text/x-setext',
'exe'=>'application/octet-stream',
'ez'=>'application/andrew-inset',
'f'=>'text/plain',
'f90'=>'text/plain',
'flac'=>'audio/flac',
'fli'=>'video/x-fli',
'flv'=>'video/x-flv',
'gif'=>'image/gif',
'gtar'=>'application/x-gtar',
'gz'=>'application/x-gzip',
'h'=>'text/plain',
'hdf'=>'application/x-hdf',
'hh'=>'text/plain',
'hqx'=>'application/mac-binhex40',
'htm'=>'text/html',
'html'=>'text/html',
'ice'=>'x-conference/x-cooltalk',
'ief'=>'image/ief',
'iges'=>'model/iges',
'igs'=>'model/iges',
'ips'=>'application/x-ipscript',
'ipx'=>'application/x-ipix',
'jpe'=>'image/jpeg',
'jpeg'=>'image/jpeg',
'jpg'=>'image/jpeg',
'js'=>'application/x-javascript',
'kar'=>'audio/midi',
'latex'=>'application/x-latex',
'lha'=>'application/octet-stream',
'lsp'=>'application/x-lisp',
'lzh'=>'application/octet-stream',
'm'=>'text/plain',
'man'=>'application/x-troff-man',
'me'=>'application/x-troff-me',
'mesh'=>'model/mesh',
'mid'=>'audio/midi',
'midi'=>'audio/midi',
'mif'=>'application/vnd.mif',
'mime'=>'www/mime',
'mov'=>'video/quicktime',
'movie'=>'video/x-sgi-movie',
'mp2'=>'audio/mpeg',
'mp3'=>'audio/mpeg',
'mpe'=>'video/mpeg',
'mpeg'=>'video/mpeg',
'mpg'=>'video/mpeg',
'mpga'=>'audio/mpeg',
'ms'=>'application/x-troff-ms',
'msh'=>'model/mesh',
'nc'=>'application/x-netcdf',
'oga'=>'audio/ogg',
'ogg'=>'audio/ogg',
'ogv'=>'video/ogg',
'ogx'=>'application/ogg',
'oda'=>'application/oda',
'pbm'=>'image/x-portable-bitmap',
'pdb'=>'chemical/x-pdb',
'pdf'=>'application/pdf',
'pgm'=>'image/x-portable-graymap',
'pgn'=>'application/x-chess-pgn',
'png'=>'image/png',
'pnm'=>'image/x-portable-anymap',
'pot'=>'application/mspowerpoint',
'ppm'=>'image/x-portable-pixmap',
'pps'=>'application/mspowerpoint',
'ppt'=>'application/mspowerpoint',
'ppz'=>'application/mspowerpoint',
'pre'=>'application/x-freelance',
'prt'=>'application/pro_eng',
'ps'=>'application/postscript',
'qt'=>'video/quicktime',
'ra'=>'audio/x-realaudio',
'ram'=>'audio/x-pn-realaudio',
'ras'=>'image/cmu-raster',
'rgb'=>'image/x-rgb',
'rm'=>'audio/x-pn-realaudio',
'roff'=>'application/x-troff',
'rpm'=>'audio/x-pn-realaudio-plugin',
'rtf'=>'text/rtf',
'rtx'=>'text/richtext',
'scm'=>'application/x-lotusscreencam',
'set'=>'application/set',
'sgm'=>'text/sgml',
'sgml'=>'text/sgml',
'sh'=>'application/x-sh',
'shar'=>'application/x-shar',
'silo'=>'model/mesh',
'sit'=>'application/x-stuffit',
'skd'=>'application/x-koan',
'skm'=>'application/x-koan',
'skp'=>'application/x-koan',
'skt'=>'application/x-koan',
'smi'=>'application/smil',
'smil'=>'application/smil',
'snd'=>'audio/basic',
'sol'=>'application/solids',
'spl'=>'application/x-futuresplash',
'spx'=>'audio/ogg',
'src'=>'application/x-wais-source',
'step'=>'application/STEP',
'stl'=>'application/SLA',
'stp'=>'application/STEP',
'sv4cpio'=>'application/x-sv4cpio',
'sv4crc'=>'application/x-sv4crc',
'swf'=>'application/x-shockwave-flash',
't'=>'application/x-troff',
'tar'=>'application/x-tar',
'tcl'=>'application/x-tcl',
'tex'=>'application/x-tex',
'texi'=>'application/x-texinfo',
'texinfo'=>'application/x-texinfo',
'tif'=>'image/tiff',
'tiff'=>'image/tiff',
'tr'=>'application/x-troff',
'tsi'=>'audio/TSP-audio',
'tsp'=>'application/dsptype',
'tsv'=>'text/tab-separated-values',
'txt'=>'text/plain',
'unv'=>'application/i-deas',
'ustar'=>'application/x-ustar',
'vcd'=>'application/x-cdlink',
'vda'=>'application/vda',
'viv'=>'video/vnd.vivo',
'vivo'=>'video/vnd.vivo',
'vrml'=>'model/vrml',
'wav'=>'audio/x-wav',
'wrl'=>'model/vrml',
'xbm'=>'image/x-xbitmap',
'xlc'=>'application/vnd.ms-excel',
'xll'=>'application/vnd.ms-excel',
'xlm'=>'application/vnd.ms-excel',
'xls'=>'application/vnd.ms-excel',
'xlw'=>'application/vnd.ms-excel',
'xml'=>'application/xml',
'xpm'=>'image/x-xpixmap',
'xspf'=>'application/xspf+xml',
'xwd'=>'image/x-xwindowdump',
'xyz'=>'chemical/x-pdb',
'zip'=>'application/zip',
);
}
function getMimeType($filePath) {
if (!is_file($filePath)) {
return false;
}
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $filePath);
finfo_close($finfo);
return $mime;
}
function upload($filePath, $destinationDir = 'images', array $allowedMimes = array()) {
if (!is_file($filePath) || !is_dir($destinationDir)) {
return false;
}
if (!($mime = getMimeType($filePath))) {
return false;
}
if (!in_array($mime, $allowedMimes)) {
return false;
}
$ext = null;
$extMapping = getExtensionToMimeTypeMapping();
foreach ($extMapping as $extension => $mimeType) {
if ($mimeType == $mime) {
$ext = $extension;
break;
}
}
if (empty($ext)) {
$ext = pathinfo($filePath, PATHINFO_EXTENSION);
}
if (empty($ext)) {
return false;
}
$fileName = md5(uniqid(rand(0, time()), true)) . '.' . $ext;
$newFilePath = $destinationDir.'/'.$fileName;
if(!rename($filePath, $newFilePath)) {
return false;
}
return $fileName;
}
// use it
if (isset($_FILES['something']['tmp_name'])) {
$file = $_FILES['something']['tmp_name'];
$storagePath = 'images'; // this is relative to this script, better use absolute path.
$allowedMimes = array('image/png', 'image/jpg', 'image/gif', 'image/pjpeg');
$fileName = upload($file, $storagePath, $allowedMimes);
if (!$fileName) {
exit ('Your file type is not allowed.');
} else {
// check if file is image, optional, in case you allow multiple types of files.
// $imageInfo = #getimagesize($storagePath.'/'.$fileName);
exit ("Your uploaded file is {$fileName} and can be found at {$storagePath}/{$fileName}");
}
}

Stop filtering it by mime type it is not safe!
Client can send different mime types with different file extensions. So, you need to check file extension.
edit:
I think I have been misunderstood, I wrote the answer to tell that checking mime type to determine file type is not a good way, the best way to determine the file type is checking file extension. So, I don't mean that checking file extension is enough. Either checking only file extension or mime type is not safe way.
What to do?
1-Check mime type
2-Check file extension
3- decode file name
4- check file content consistency (if possible)
5- regenerate file content (if possible)
I know that attackers can bypass first and second way by using "null byte hack" and "mime type bypass"
So, 3,4 and 5 is so important for security.

how to check whether file is image or video type in php version 5.2.9?

how to check whether file is image or video type in php version 5.2.9

$mime = mime_content_type($file);
if(strstr($mime, "video/")){
// this code for video
}else if(strstr($mime, "image/")){
// this code for image
}
Should work for most file extentions.

See my answer to
How can I check if a file is a mp3 or image file?
Example Code
function getMimeType($filename)
{
$mimetype = false;
if(function_exists('finfo_fopen')) {
// open with FileInfo
} elseif(function_exists('getimagesize')) {
// open with GD
} elseif(function_exists('exif_imagetype')) {
// open with EXIF
} elseif(function_exists('mime_content_type')) {
$mimetype = mime_content_type($filename);
}
return $mimetype;
}

I use the following code which IMO is more universal than in the first and the most upvoted answer:
$mimeType = mime_content_type($filename);
$fileType = explode('/', $mimeType)[0];
I hope it was helpful for anyone.

You can check the MIME type using the finfo_file function
Example from the help page
<?php
$finfo = finfo_open(FILEINFO_MIME_TYPE); // return mime type ala mimetype extension
foreach (glob("*") as $filename) {
echo finfo_file($finfo, $filename) . "\n";
}
finfo_close($finfo);
?>
EDIT: after better checking your question, this won't work, finfo functions require PHP 5.3.0

if(isset($_FILES['my_file'])) {
$mime = $_FILES['my_file']['type'];
if(strstr($mime, "video/")){
$filetype = "video";
}else if(strstr($mime, "image/")){
$filetype = "image";
}else if(strstr($mime, "audio/")){
$filetype = "audio";
}

Rather old question, but for others looking at this in the future, I would handle this like so:
function getType($file): string
{
$mime_type = mime_content_type($file);
return strtok($mime_type, '/');
}
This method utilises strtok to return the portion of the $mime_type string before the first /.
For example, let's say $file has a $mime_type of video/mp4, the getType method will return video.

I use this code and it works very well.
$mimeType = $request->images->getMimeType();
$fileType = explode('/', $mimeType)[0];
if it was an image, this code will give you the image word in the $fileType and if it was a video this code will give you the video word in the $fileType, then you can check on it by the if conditions.
good luck

Categories