user should upload gif or jpeg only up to 100kb, but how?

Discussion in 'PHP' started by zoreli, Aug 22, 2007.

  1. #1
    Hi, I want users to be able to upload only .gif or .jpg files. My code is below:

    ==================================================

    // Decides purely on the MIME type the browser reports in ['type'];
    // "" means the user left the file field empty.
    if ($HTTP_POST_FILES['productphoto']['type'] == "image/gif"
        or $HTTP_POST_FILES['productphoto']['type'] == "image/pjpeg"
        or $HTTP_POST_FILES['productphoto']['type'] == "")
    {
        // Accepted: back to the product page (the script continues below to save the file)
        Header("Location: showproducts.php?catid=$catid&subcatid=$subcatid");
    } else {
        // Rejected: send the user to the error page and stop
        Header("Location: errorupload.php?type=wrong");
        exit;
    }

    ===================================================

    Explanation:

    This piece of code

    or $HTTP_POST_FILES['productphoto']['type'] == "")

    is for when the user doesn't want to update the photo, so that the old one is not replaced.

    ====================================================

    Now... my problems are: if users try to upload the picture with Firefox, they are always sent to the errorupload.php page. If they try to upload the SAME photo with IE, everything is OK.

    Second... this piece of code works for a few days (IE only) and then stops working. If I change "image/pjpeg" to "image/jpeg" it starts working again. After a few days it doesn't work again??

    Can someone help me with this??
     
    zoreli, Aug 22, 2007 IP
  2. nico_swd

    nico_swd Prominent Member

    #2
    First off, stop using $HTTP_POST_FILES, it's deprecated. Use $_FILES instead.
    Second, never trust the MIME value in ['type'], because it's defined by the user's browser and can be modified. (That also explains the IE/FF issue: different browsers may send different MIME types, especially when IE is involved.)

    Check the extension; it's much safer anyway, because PHP code can be inserted into valid GIF images. Now if someone uploads a file with a fake image MIME type and a .php extension, you're pretty much screwed.

    As for the size, use filesize() on ['tmp_name'] before moving the file.
     
    nico_swd, Aug 22, 2007 IP
  3. zoreli

    zoreli Member

    #3
    How can I check the extension? Sorry for the beginner's questions, but....

    Thanks
     
    zoreli, Aug 22, 2007 IP
  4. nico_swd

    nico_swd Prominent Member

    #4
    
    
    $valid_extensions = array('gif', 'jpg', 'jpeg', 'png');

    // Part of the client-supplied name after the last dot, lower-cased
    // (pathinfo() avoids the "only variables should be passed by reference"
    // notice that end(explode(...)) triggers).
    $extension = strtolower(pathinfo($_FILES['productphoto']['name'], PATHINFO_EXTENSION));

    // Strict comparison against the whitelist
    if (!in_array($extension, $valid_extensions, true))
    {
        // Handle error
    }
     
    nico_swd, Aug 22, 2007 IP
  5. Eps

    Eps Peon

    #5
    You can additionally add

    <input type="hidden" name="MAX_FILE_SIZE" value="...">

    (where value is the limit in bytes) inside the form itself to restrict the maximum file size on the HTML level.

    Checking the extension is as easy as taking the name of the file and putting it in a variable like $name and then running:

    $name = strtolower($name);

    // Position of the last ".jpg" (or, failing that, ".gif"); false if absent
    $pos = strrpos($name, '.jpg');
    if ($pos === false)
        $pos = strrpos($name, '.gif');

    // Only valid when the match sits at the very end of the name.
    // Strict comparison, so a missing match (false) is never treated as position 0.
    if ($pos !== false && $pos === strlen($name) - 4):
    // extension is ok code
    else:
    // extension is NOT ok code
    endif;

    But remember that the extension is not the best way to test the contents of the file. You can also run getimagesize() on the file after it's uploaded, and unlink() it and return an appropriate message if valid image info isn't returned.
     
    Eps, Aug 22, 2007 IP
  6. zoreli

    zoreli Member

    #6
    Thanks for your help guys. I appreciate your help very much.

    However, I have one problem here. If the user deletes the existing photo and doesn't want to upload another one, he is always sent to the error page. To prevent this, I made the following change

    ================================

    your code:

    $valid_extensions = array('gif', 'jpg', 'jpeg', 'png');

    changed code:

    $valid_extensions = array('gif', 'jpg', 'jpeg', 'png' , '');

    Will I have any security issues if I implement this solution??
    Again, thanks for your replies.
     
    zoreli, Aug 23, 2007 IP
  7. gibex

    gibex Active Member

    #7
    Checking ONLY the extension will allow people to rename a file to .jpg or whatever is allowed in your script and pass your checks.
    Use getimagesize(filename) to get the real file type.
     
    gibex, Aug 23, 2007 IP
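The replies above each cover one piece of the check (ignore ['type'], whitelist the extension, measure the file with filesize(), verify the bytes with getimagesize(), and treat "no file chosen" as its own case rather than an empty extension). The following is an added example that combines them into one handler; it is not code from any post in this thread. The field name productphoto, the 100 KiB limit, the random server-generated filename and the temp-file self-check at the bottom are assumptions made for the example; the sample GIF and the sample PHP file are constructed inline so the script runs offline on PHP 7.1 or later.

```php
<?php
// Added example, not from the thread: validate an image upload without
// trusting $_FILES[...]['type'] (the browser chooses that value).
// Assumptions: field "productphoto", 100 KiB limit, stored under a random name.

const MAX_PHOTO_BYTES = 100 * 1024;
const ALLOWED_TYPES = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg'];

/**
 * Returns ['status' => 'none'] when no file was sent (keep the old photo),
 * ['status' => 'ok', 'ext' => 'gif'|'jpg'] when the upload is acceptable,
 * or ['status' => 'error', 'reason' => ...] otherwise.
 */
function validate_photo(array $file, int $maxBytes = MAX_PHOTO_BYTES): array
{
    // An empty file field arrives as UPLOAD_ERR_NO_FILE: that, not an empty
    // extension in the whitelist, is the "user did not upload anything" signal.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) === UPLOAD_ERR_NO_FILE) {
        return ['status' => 'none'];
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return ['status' => 'error', 'reason' => 'upload error ' . $file['error']];
    }

    // Size: measure the temp file on disk; MAX_FILE_SIZE in the form is only a hint.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return ['status' => 'error', 'reason' => 'bad size'];
    }

    // Extension of the client-supplied name, lower-cased, strict whitelist.
    // pathinfo() looks at the last dot, so "x.php.jpg" yields "jpg"; the name
    // is never reused for storage (see store_photo), only the verified extension.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['gif', 'jpg', 'jpeg'], true)) {
        return ['status' => 'error', 'reason' => 'extension not allowed'];
    }

    // Content: getimagesize() parses the actual bytes and returns false for
    // anything that is not an image. Its reported type must also agree with
    // the extension, so a PHP file renamed to .gif is rejected here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        return ['status' => 'error', 'reason' => 'not a gif/jpeg image'];
    }
    $realExt = ALLOWED_TYPES[$info[2]];
    if ($realExt !== ($ext === 'jpeg' ? 'jpg' : $ext)) {
        return ['status' => 'error', 'reason' => 'extension does not match content'];
    }
    return ['status' => 'ok', 'ext' => $realExt];
}

/** Store an accepted upload under a random name with the verified extension. */
function store_photo(array $file, string $dir): ?string
{
    $v = validate_photo($file);
    if ($v['status'] !== 'ok') {
        return null;
    }
    $target = rtrim($dir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $v['ext'];
    // move_uploaded_file() refuses anything that did not arrive via HTTP POST.
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// --- Self-check with constructed inputs (no real HTTP request) --------------
// A genuine 1x1 GIF and a small PHP script, written to temp files so that
// filesize() and getimagesize() see real bytes.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$php = "<?php system(\$_GET['c']); ?>";
$tmpGif = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($tmpGif, $gif);
$tmpPhp = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($tmpPhp, $php);

$cases = [
    'real gif, .GIF name'           => ['name' => 'photo.GIF', 'type' => 'image/gif',  'tmp_name' => $tmpGif, 'error' => UPLOAD_ERR_OK],
    'php body, .php name, fake type' => ['name' => 'shell.php', 'type' => 'image/gif',  'tmp_name' => $tmpPhp, 'error' => UPLOAD_ERR_OK],
    'php body renamed to .jpg'      => ['name' => 'shell.jpg', 'type' => 'image/jpeg', 'tmp_name' => $tmpPhp, 'error' => UPLOAD_ERR_OK],
    'gif body, .jpg name'           => ['name' => 'photo.jpg', 'type' => 'image/jpeg', 'tmp_name' => $tmpGif, 'error' => UPLOAD_ERR_OK],
    'no file chosen'                => ['name' => '', 'type' => '', 'tmp_name' => '', 'error' => UPLOAD_ERR_NO_FILE],
];
foreach ($cases as $label => $file) {
    $r = validate_photo($file);
    printf("%-32s => %s%s\n", $label, $r['status'], isset($r['reason']) ? " ({$r['reason']})" : '');
}
unlink($tmpGif);
unlink($tmpPhp);
```

In a real request the call is `validate_photo($_FILES['productphoto'])`, with `'none'` meaning "leave the existing photo alone", `'ok'` meaning `store_photo()` may be called, and anything else a redirect to the error page. The self-check accepts only the first case: the .php upload fails the extension whitelist regardless of its claimed MIME type, the renamed .jpg fails getimagesize(), the GIF bytes with a .jpg name fail the extension/content agreement check, and the empty field is reported as 'none'.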