Shouldn’t it have some code to check that the server isn’t receiving a malicious file? Or is that a concern regarding uploading photos from smartphones?
I found this code to validate the file:
<?php
// Note: $_FILES['upload']['type'] is the Content-Type header the client sent
// along with the upload; it is not derived from the file's contents.
if (preg_match('/^image\\/p?jpeg$/i', $_FILES['upload']['type'])
    or preg_match('/^image\\/gif$/i', $_FILES['upload']['type'])
    or preg_match('/^image\\/(x-)?png$/i', $_FILES['upload']['type']))
{
    // ... (accept the upload)
} else {
    $error = 'Please submit a JPEG, GIF, or PNG image file.';
    include $_SERVER['DOCUMENT_ROOT'] ; // error-page path is truncated in the post
    exit();
}
?>
… but I don’t know how to integrate the two codes.
It doesn’t matter if somebody is using a smartphone, a desktop or a watch to call something (could be a web service, a web page, whatever) through HTTP (and even HTTPS). It’s not difficult to sniff HTTP traffic coming from something you own. So, you’re uploading a picture from a smartphone to a web service? It’s easy to find the “URL” of the Web service and write a small app on a desktop that uploads anything to that web service.
So yes, you should validate that it’s really an image. But the code you pasted seems a little simple compared to the example I found. Here’s what I looked for in Google: “secure image upload php”
Personally, I never had to validate images uploaded on the Internet (only “closed” applications, so the security was less of an issue).
So, I think you have a little bit of reading to do.
(Or if you’re lucky, somebody else in the forum already did that and he will give you his advice)
... which includes the following to validate that the file contains an image:
<?php
// verify the file is a GIF, JPEG, or PNG by reading its signature bytes
$fileType = exif_imagetype($_FILES["myFile"]["tmp_name"]);
$allowed = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
if (!in_array($fileType, $allowed)) {
    // file type is not permitted
    // ...
}
One possible way (though I’ve never tested it) would be to use the GD library to create an image from either a GIF, JPEG or PNG file, using the appropriate function. If the function reports a failure, assume the file to be dodgy and delete it.
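The two checks suggested above (the exif_imagetype() signature check in the earlier reply and the GD decode in the last one) combined into one handler, as an added example that is not code from the thread. It validates by content only, never by $_FILES[...]['type'] or the client's filename, re-encodes the image through GD so that nothing but pixel data is kept, and stores it under a random name. It assumes PHP 8 with the gd and exif extensions; the function names, the demo directory and the three sample files are constructed here for illustration.

```php
<?php
// Added example, not code from the thread: validate an upload by content
// (signature bytes, then a full GD decode), re-encode it, and store it under
// a random name. Assumes PHP 8 with the gd and exif extensions loaded.
declare(strict_types=1);

/**
 * Return [IMAGETYPE_*, GdImage] if $path holds a GIF/JPEG/PNG that GD can
 * fully decode, or null for anything else.
 */
function decode_image(string $path): ?array
{
    // Step 1 (cheap): match the first bytes against known image signatures.
    // exif_imagetype() ignores the filename and the Content-Type entirely.
    $type = @exif_imagetype($path);
    if ($type === false
        || !in_array($type, [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        return null;
    }
    // Step 2: decode with the function matching the detected type. A file that
    // merely starts with a PNG signature but is not a PNG fails here.
    $decoder = match ($type) {
        IMAGETYPE_GIF  => 'imagecreatefromgif',
        IMAGETYPE_JPEG => 'imagecreatefromjpeg',
        IMAGETYPE_PNG  => 'imagecreatefrompng',
    };
    $img = @$decoder($path);
    return $img === false ? null : [$type, $img];
}

/**
 * Re-encode a decoded image through GD and write it under a random name whose
 * extension is fixed by the detected type, not by what the client called it.
 */
function store_image(int $type, GdImage $img, string $destDir): string
{
    $ext  = image_type_to_extension($type, false);          // gif, jpeg or png
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($type) {
        IMAGETYPE_GIF  => imagegif($img, $dest),
        IMAGETYPE_JPEG => imagejpeg($img, $dest, 85),
        IMAGETYPE_PNG  => imagepng($img, $dest),
    };
    if (!$ok) {
        throw new RuntimeException("could not write $dest");
    }
    return $dest;
}

/** Handle one entry of $_FILES in a real request; returns the stored path. */
function handle_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {          // refuse non-upload paths
        throw new RuntimeException('No valid upload received.');
    }
    $decoded = decode_image($file['tmp_name']);
    if ($decoded === null) {
        throw new RuntimeException('Please submit a JPEG, GIF, or PNG image file.');
    }
    [$type, $img] = $decoded;
    return store_image($type, $img, $destDir);
}

// --- Offline demo with constructed inputs (run from the command line) ---
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
    mkdir($dir);

    // Constructed input 1: a genuine 8x8 PNG written by GD.
    $im = imagecreatetruecolor(8, 8);
    imagefill($im, 0, 0, imagecolorallocate($im, 200, 30, 30));
    imagepng($im, "$dir/real.png");

    // Constructed input 2: a PHP script renamed to .png. Sent with
    // "Content-Type: image/png", the regex check in the question accepts it.
    file_put_contents("$dir/script.png", "<?php echo 'owned'; ?>");

    // Constructed input 3: PNG signature followed by PHP. exif_imagetype()
    // alone reports IMAGETYPE_PNG; the GD decode is what rejects it.
    file_put_contents("$dir/polyglot.png", "\x89PNG\r\n\x1a\n<?php echo 'owned'; ?>");

    foreach (['real.png', 'script.png', 'polyglot.png'] as $name) {
        $decoded = decode_image("$dir/$name");
        if ($decoded === null) {
            printf("%-13s rejected\n", $name);
            continue;
        }
        [$type, $img] = $decoded;
        printf("%-13s accepted as %s, stored as %s\n", $name,
            image_type_to_mime_type($type), basename(store_image($type, $img, $dir)));
    }
}
```

Two things the code cannot do for you: keep the upload directory outside the document root (or configure the web server so nothing in it is ever executed as PHP), so that even a file that slips through validation is only ever served as static bytes; and remember that the GD decode is the step that actually parses the file, so keep the gd extension patched, since it is now processing attacker-supplied input on purpose.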