I am studying PHP but I don't get the right way by myself. I'd like having Img always required (and I check this in the form input required attribute) but I can decide if upload PDF or not. The script doesn't continue if I don't select both.
I have this:
// image select from form
$img = basename($_FILES['img']['name']);
$allow_img = array('jpg', 'png', 'jpeg');
$ext_img = explode('.', strtolower($_FILES['img']['name']));
$type_img= end($ext_img);
//pdf select from form
$pdf = basename($_FILES['pdf']['name']);
$allow_pdf = array('pdf');
$ext_pdf = explode('.', strtolower($_FILES['pdf']['name']));
$type_pdf= end($ext_pdf);
if ($img || $pdf) {
if(!in_array($type_img, $allow_img) || !in_array($type_pdf, $allow_pdf) ) {
echo "<p><a href='../admin.php'><img style='border:none;' src='../../img/arrow-left.png' /></a>Only jpg, png, jpeg and PDF.</p>";
}
}
Here you go a super fast way to accomplish this:
$filename = $_FILES['img']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
// allowed extensions
$allowed = array('jpeg', 'png', 'jpeg', 'gif');
if (in_array($ext, $allowed)) {
echo "<p><a href='../admin.php'><img style='border:none;' src='../../img/arrow-left.png' /></a>Only jpg, png, jpeg and PDF.</p>";
}
That's it :)
You need javascript for this.
Before you send return, you have check type of file.
Most likely the second basename() call crashes, since no $_FILES['pdf'] is present when no pdf file is uploaded. But you don't even check for an error here... Take a look into the http servers error log file, most likely you will see the error there.
That said: always look into the log files if something unexpected happens. And always test for a variables existance before you use it. And always do error checking when calling some function which might not return what you expect.
You can use pathinfo() inbuilt php function,
$File = $_FILES['image']['name'];
$Infos = pathinfo($File);
echo $extension = $info[extension];
echo "<pre>"; print_r($Infos); echo "</pre>";
$extension = strtolower( $extension);
if( $extension=='pdf'){
// do your stuff
}
Related
I want to check if an extension is part of an array:
So: if an extension is not part of a forbidden array; do something is allowed
$ext = $path_info['extension'];
$ForbiddenExts = array("php", "html", "htm");
if( $ext != in_array($ForbiddenExts)){
// do something allowed
Change your code to:
$ext = $path_info['extension'];
$ForbiddenExts = array("php", "html", "htm");
if(!in_array($ext, $ForbiddenExts))
{
// do something
}
Check this link for more explanation.
Other than using
if( $ext != in_array($ForbiddenExts)){
You can use
if(!in_array($ext, $ForbiddenExts)){
//your code
}
You have to practice checking the mime type too. Otherwise it may cause errors.
for eg: if someone edit the extension of a ".txt" file to ".pdf"
(assuning pdf is allowed type). Then if you don't check mime type, the
code will accept the file as pdf
Change your code to:
$fileName = 'banner.jpg';
$fileNameParts = explode('.', $fileName);
echo $ext = end($fileNameParts);
$allowed_extensions = array("jpg", "jpeg", "png");
if(in_array($ext, $allowed_extensions))
{
echo 'Allowed Extension';
// do something
}else{
echo 'Not Allowed Extension';
// do something
}
Check this link for more explanation.
I want get uploaded image extension.
As I know, best way is getimagesize() function.
but this function's mime, returns image/jpeg when image has .jpg or also .JPEG extension.
How can get exactly extension?
$ext = pathinfo($filename, PATHINFO_EXTENSION);
you can use image_type_to_extension function with image type returned by getimagesize:
$info = getimagesize($path);
$extension = image_type_to_extension($info[2]);
You can also use strrpos and substr functions to get extension of any file
$filePath="images/ajax-loader.gif";
$type=substr($filePath,strrpos($filePath,'.')+1);
echo "file type=".$type;
output: gif
if you want extension like .gif
$type=substr($filePath,strrpos($filePath,'.')+0);
output: .gif
$image = explode(".","test.file.hhh.kkk.jpg");
echo end($image);
One more way to do it:
$ext = strrchr($filename, "."); // .jpg
$file_ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);
or to make it clean
$filename= $_FILES["file"]["name"];
$file_ext = pathinfo($filename,PATHINFO_EXTENSION);
You can also explode the file name with dots and take the end of the array as follows:
$ext = end(explode('.', 'image.name.gif'));
According to: Two different ways to find file extension in PHP
And a new way for you lol:
$ext = explode('.', 'file.name.lol.lolz.jpg');
echo $ext[count($ext) - 1];
For those who want to check if image type is JPEG, PNG or etc. You can use exif_imagetype function. This function reads the first bytes of an image and checks its signature. Here is a simple example from php.net:
<?php
if (exif_imagetype('image.gif') != IMAGETYPE_GIF) {
echo 'The picture is not a gif';
}
?>
$size = getimagesize($filename);
$ext = explode('/', $size['mime'])[1];
I've read the Secure PHP Upload Scripts thread but I'm having difficulty getting this known good script to accept changes. I want this script to only allow .jpeg, .png, and .gif files. Could someone advise me on how to modify this script to do so?
<?php
$result=0;
if (trim($_POST["action"]) == "Upload File") { //**** User Clicked the Upload File Button
//*********** Execute the Following Code to Upload File *************
$imagename = basename($_FILES['image_file']['name']); // grab name of file
$result = #move_uploaded_file($_FILES['image_file']['tmp_name'], $imagename); // upload it
if ($result==1) echo("Successfully uploaded: <b>".$imagename."</b>"); // did it work?
} // end if
?>
<?php
if ($result==1) echo("<img src='".$imagename."'>"); // display the uploaded file
?>
$filename = $_FILES['image_file']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if($ext !== 'jpg' && $ext !== 'png' && $ext !== 'gif') {echo 'error';}
is a very bad idea for validation.
echo '<pre>';
$filename = 'image.php\0.jpg';
$extension = pathinfo($filename, PATHINFO_EXTENSION);
var_dump($ext);
The var_dump displays jpg
And the php function move_uploaded_file is vulnerable with null bytes \0.
After the move_uploaded_file the server will create a image.php file..
If you want to stop the upload before it reaches your server, you can filter it with javascript. See this SO answer for more information: stackoverflow.com/questions/71944/… – Kevin Apr 26 at 22:13
Never never never never neverever put trust in client side validation...
Coding a safe upload is hard. Very hard.
You can't trust file extensions or mime type because clients can change this.
If you only want an upload for gif, jpeg or png you could take these steps. With png you can have trouble because of the encoding that can bypass some of these.
Read the temp file by file_get_contents().
Run strip_tags() on it.
Create new images with the GD library
Serve the image by read() - Don't use include() or require()
Disable php engine on that directory
For the sake of brevity, i'm not doing any error checking.. but you can evaluate the extension of a file like this:
$filename = $_FILES['image_file']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if($ext !== 'jpg' && $ext !== 'png' && $ext !== 'gif') {echo 'error';}
I want get uploaded image extension.
As I know, best way is getimagesize() function.
but this function's mime, returns image/jpeg when image has .jpg or also .JPEG extension.
How can get exactly extension?
$ext = pathinfo($filename, PATHINFO_EXTENSION);
you can use image_type_to_extension function with image type returned by getimagesize:
$info = getimagesize($path);
$extension = image_type_to_extension($info[2]);
You can also use strrpos and substr functions to get extension of any file
$filePath="images/ajax-loader.gif";
$type=substr($filePath,strrpos($filePath,'.')+1);
echo "file type=".$type;
output: gif
if you want extension like .gif
$type=substr($filePath,strrpos($filePath,'.')+0);
output: .gif
$image = explode(".","test.file.hhh.kkk.jpg");
echo end($image);
One more way to do it:
$ext = strrchr($filename, "."); // .jpg
$file_ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);
or to make it clean
$filename= $_FILES["file"]["name"];
$file_ext = pathinfo($filename,PATHINFO_EXTENSION);
You can also explode the file name with dots and take the end of the array as follows:
$ext = end(explode('.', 'image.name.gif'));
According to: Two different ways to find file extension in PHP
And a new way for you lol:
$ext = explode('.', 'file.name.lol.lolz.jpg');
echo $ext[count($ext) - 1];
For those who want to check if image type is JPEG, PNG or etc. You can use exif_imagetype function. This function reads the first bytes of an image and checks its signature. Here is a simple example from php.net:
<?php
if (exif_imagetype('image.gif') != IMAGETYPE_GIF) {
echo 'The picture is not a gif';
}
?>
$size = getimagesize($filename);
$ext = explode('/', $size['mime'])[1];
I used this code to check for the type of images,
$f_type=$_FILES['fupload']['type'];
if ($f_type== "image/gif" OR $f_type== "image/png" OR $f_type== "image/jpeg" OR $f_type== "image/JPEG" OR $f_type== "image/PNG" OR $f_type== "image/GIF")
{
$error=False;
}
else
{
$error=True;
}
but some users complain they get an error while uploading any type of images, while some others don't get any errors!
I was wondering if this fixes the problem:
if (mime_content_type($_FILES['fupload']['type']) == "image/gif"){...
Any comments?
Never use $_FILES..['type']. The information contained in it is not verified at all, it's a user-defined value. Test the type yourself. For images, exif_imagetype is usually a good choice:
$allowedTypes = array(IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF);
$detectedType = exif_imagetype($_FILES['fupload']['tmp_name']);
$error = !in_array($detectedType, $allowedTypes);
Alternatively, the finfo functions are great, if your server supports them.
In addition to #deceze, you may also finfo() to check the MIME-type of non-image-files:
$finfo = new finfo();
$fileMimeType = $finfo->file($path . $filename, FILEINFO_MIME_TYPE);
Sure you could check if it's an image with exif, but a better way I think is to do with finfo like this:
$allowed_types = array ( 'application/pdf', 'image/jpeg', 'image/png' );
$fileInfo = finfo_open(FILEINFO_MIME_TYPE);
$detected_type = finfo_file( $fileInfo, $_FILES['datei']['tmp_name'] );
if ( !in_array($detected_type, $allowed_types) ) {
die ( 'Please upload a pdf or an image ' );
}
finfo_close( $fileInfo );
The best way in my opinion is first to use getimagesize() followed by imagecreatefromstring().
$size = getimagesize($filename);
if ($size === false) {
throw new Exception("{$filename}: Invalid image.");
}
if ($size[0] > 2500 || $size[1] > 2500) {
throw new Exception("{$filename}: Image too large.");
}
if (!$img = #imagecreatefromstring(file_get_contents($filename))) {
throw new Exception("{$filename}: Invalid image content.");
}
Checking by getimagesize() prevents some DoS attacks, because we don't have to try to imagecreatefromstring() from every file provided by the user, either non-image file or file too big. Unfortunately, according to PHP docs cannot be relied on for checking image type content.
The imagecreatefromstring() finally tries to open the file as an image - if is succeeds - we have an image.
This is a simple, one line script that I use often.
$image = "/var/www/Core/temp/image.jpg";
$isImage = explode("/", mime_content_type())[0] == "image";
Basically I am using mime_content_type() to get something like "image/jpg" and then exploding it by "/" and checking against the first element of the array to see if it says "image".
I hope it works!
In PHP 5.5 I use this function for getting file type and check if image:
function getFileType( $file ) {
return image_type_to_mime_type( exif_imagetype( $file ) );
}
// Get file type
$file_type = getFileType( 'path/to/images/test.png' );
echo $file_type;
// Prints image/png
// 1. All images have mime type starting with "image"
// 2. No other non-image mime types contain string "image" in it
Then you could do:
if ( strpos( $filetype, 'image' ) !== false ) {
// This is an image
}
Complete list of mime types: http://www.sitepoint.com/web-foundations/mime-types-complete-list/
That last line is close. You can use:
if (mime_content_type($_FILES['fupload']['tmp_name']) == "image/gif"){...
In the case I'm currently working on, my $_FILES..['type'] reports itself as "text/csv", while both mime_content_type() and finfo() (suggested by others) report "text/plain.". As #deceze points out, $_FILES..['type'] is only useful to know what type a client thinks a file is.
you can try this
$file_extension = explode('.',$file['name']);
$file_extension = strtolower(end($file_extension));
$accepted_formate = array('jpeg','jpg','png');
if(in_array($file_extension,$accepted_formate)) {
echo "This is jpeg/jpg/png file";
} else {
echo $file_extension.' This is file not allowed !!';
}
WARNING: the following answer does not actually check the file type. It only checks the name. It is not suitable for actual security purposes.
EDIT: Don't Use this method as it serves no security check. I am leaving this answer here so that no one makes the same mistake like me by trying this.
I tried the following and it worked for me:
$allowed = array('gif','png' ,'jpg', 'pdf');
$filename = $_FILES['input_tag_name']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if(!in_array($ext,$allowed) ) {
echo 'error';
}
Source link