PHP Uploading files - image only checking
Solution 1
Yes, quite easily. But first off, you need some extra bits:
// never assume the upload succeeded
if ($_FILES['file']['error'] !== UPLOAD_ERR_OK) {
die("Upload failed with error code " . $_FILES['file']['error']);
}
$info = getimagesize($_FILES['file']['tmp_name']);
if ($info === FALSE) {
die("Unable to determine image type of uploaded file");
}
if (($info[2] !== IMAGETYPE_GIF) && ($info[2] !== IMAGETYPE_JPEG) && ($info[2] !== IMAGETYPE_PNG)) {
die("Not a gif/jpeg/png");
}
Relevant docs: file upload errors, getimagesize and image constants.
Solution 2
File path isn't necessarily the best way to check if an image really is an image. I could take a malicious javascript file, rename it to have the .jpg extension, and upload it. Now when you try to display it in your website, I may have just compromised your site.
Here is a function to validate it really is an image:
<?php
function isImage($img){
return (bool)getimagesize($img);
}
?>
Solution 3
try this:
<?php
function isimage(){
$type=$_FILES['my-image']['type'];
$extensions=array('image/jpg','image/jpe','image/jpeg','image/jfif','image/png','image/bmp','image/dib','image/gif');
if(in_array($type, $extensions)){
return true;
}
else
{
return false;
}
}
if(isimage()){
//do codes..
}
?>
TheBlackBenzKid
Ecommerce specialist with 15+ years of experience in development, design, marketing and management. Application Acceleration CDN, Load balancing and performance NodeJS, Vanilla JS, AngularJS IBM WebSphere Commerce Fast Fashion advocate - love ecommerce, love luxury fashion Oracle ATG Web Commerce OPENCART Stack: NodeJS, PHP, NGINX, Smarty or a JS view framework Omni channel and mutli channel advocate PHP/MySQL/HTML5/CSS3/JavaScript/Nginx/Rackspace/AWS/jQuery/SaSS also GULP over WebPack (some fanboy love for ya!) oh.. and DEFO FLASH and GIF! As Gif and Flash will always come back with a boom! 2018 Big fan of Blockchain, Cryptography, Hash graph and block chain development
Updated on November 18, 2020Comments
-
TheBlackBenzKid over 3 years
I have a simple PHP upload script I have started. I am not the best to PHP. Just looking for some suggestions.
I want to limit my script to only .JPG, .JPEG, .GIF and .PNG
Is this possible?
<?php /* Temp Uploader */ # vars $mx=rand(); $advid=$_REQUEST["advid"]; $hash=md5(rand); # create our temp dir mkdir("./uploads/tempads/".$advid."/".$mx."/".$hash."/", 0777, true); # upload dir $uploaddir = './uploads/tempads/'.$advid.'/'.$mx.'/'.$hash.'/'; $file = $uploaddir . basename($_FILES['file']['name']); // I was thinking of a large IF STATEMENT HERE .. # upload the file if (move_uploaded_file($_FILES['file']['tmp_name'], $file)) { $result = 1; } else { $result = 0; } sleep(10); echo $result; ?>
-
Surreal Dreams about 12 yearsBeat me to it - this method makes sure the file is an image, not just named like an image.
-
Marc B about 12 yearsYou're assuming the remote user is not malicious and won't just rename
nastyvirus.exe
tocutekittens.jpg
. -
Mr Griever about 12 yearsThe only caveat is that GD is not oob for PHP and can be finicky. finfo_file is standard in PHP after version 5.3.0 and will do a content-based check as well.
-
TheBlackBenzKid about 12 yearsHow can I check the file resolution too? IE Size if width and height??
-
Marc B about 12 yearsA gif is a gif. They all share the same magic numbers at the start of the file.
-
Jessica over 8 yearsAt the last
if-statement
, shouldn't it be||
instead of&&
? -
Marc B over 8 years@Jessica: no. then ANY image type would pass. it's a
!=
comparison. -
Tilak Madichetti about 7 years
Do not use getimagesize() to check that a given file is a valid image. Use a purpose-built solution such as the Fileinfo extension instead.
- Docs -
Derek Brown over 6 yearsYour post was flagged as low quality because it was all code. Try explaining what you did.
-
cottton about 6 years"Do not use getimagesize() to check that a given file is a valid image. Use a purpose-built solution such as the Fileinfo extension instead." See php.net/manual/en/function.getimagesize.php
-
schlimmchen over 4 yearsThe manual says that the file stuffed into
getimagesize
must be a valid image. To check for the content type of a file, usemime_content_type
instead, see php.net/manual/en/function.mime-content-type.php -
SteppingHat about 4 yearsThis is BAD and opens up your site to potential remote code execution. Anyone can put exactuable code inside the image header (where the metadata is stored and text is considered valid) and
getimagesize
will still think it is an image, thus accepting the file and potentially allowing PHP code to be executed server side. Use mime_content_type instead.