PHP image upload - only allow jpegs under a certain size?

I have managed to get this far:

$file_name = $_FILES['uid']['name'];
$user= 'FILENAME';
$ext = pathinfo($file_name, PATHINFO_EXTENSION);
$new_file_name=$user . '.' . $ext;
$path= "uploads/images/users/".$new_file_name;
if($uid !=none)
{
    if(move_uploaded_file($_FILES['uid']['tmp_name'], $path))
    {
        echo "Successful<BR/>";
        echo "File Name :".$new_file_name."<BR/>";
        echo "File Size :".$_FILES['uid']['size']."<BR/>";
        echo "File Type :".$_FILES['uid']['type']."<BR/>";
    }
    else
    {
        echo "Error";
    }
}

This works nicely and renames my uploaded file but I'm struggling to make it accept only jpegs under a certain size. Everything I have tried has resulted in me getting an error message that I can only upload a jpeg (yet the file still gets uploaded) or nothing gets uploaded at all even if it is a jpeg. Any help is most appreciated. Thank you.

Like this;


if (($_FILES["uid"]["type"] == "image/jpeg")
&& ($_FILES["uid"]["size"] < 20000)) // here maximum size of image is 20 kb

Thanks so much for your swift reply - Where should this if statement be placed?


$file_name = $_FILES['uid']['name'];
$user= 'FILENAME';
$ext = pathinfo($file_name, PATHINFO_EXTENSION);
$new_file_name=$user . '.' . $ext;
$path= "uploads/images/users/".$new_file_name;

if(($_FILES["uid"]["type"] == "image/jpeg") and ($_FILES["uid"]["size"] < 20000))
{
    if(move_uploaded_file($_FILES['uid']['tmp_name'], $path))
    {
        echo "Successful<BR/>";
        echo "File Name :".$new_file_name."<BR/>";
        echo "File Size :".$_FILES['uid']['size']."<BR/>";
        echo "File Type :".$_FILES['uid']['type']."<BR/>";
    }
    else
        echo "Error while uploading!";
}
else
    echo "File format or size is not supported!";

Hmm, this gives me the error message “File format or size is not supported!”
even when it is a jpeg and within the size restrictions - nothing gets uploaded (jpeg or any other format)??
Thanks for your help so far.

Change the condition;
some files have the extension jpg and jpeg.
if ((($_FILES["upload"]["type"] == "image/jpeg")
|| ($_FILES["upload"]["type"] == "image/jpg"))
&& ($_FILES["upload"]["size"] < 20000))

Still doing the same unfortunately… I did notice you had put “upload” instead of “uid” so I changed that and tried again and once again it's just the same error?
Sorry to be a pain!

If you're using IE as a browser you may need to accept

MIME "image/pjpeg"

too

So I would change to:
if ((($_FILES["upload"]["type"] == "image/jpeg")
|| ($_FILES["upload"]["type"] == MIME "image/pjpeg")
|| ($_FILES["upload"]["type"] == "image/jpg"))
&& ($_FILES["upload"]["size"] < 20000))

correct??

Like this;
if ((($_FILES["upload"]["type"] == "image/jpeg")
|| ($_FILES["upload"]["type"] == "image/pjpeg")
|| ($_FILES["upload"]["type"] == "image/jpg"))
&& ($_FILES["upload"]["size"] < 20000))

Guys…seriously. STOP USING “type” it is insecure.



$upload = $_FILES['upload-field-name'];

// Is it a JPEG image?
$info = getimagesize( $upload['tmp_name'] );
if ( $info[2] != IMAGETYPE_JPEG ) {
  // Not correct image type...
  exit;
}

// Is it smaller than 10 MB?
if ( filesize( $upload[ 'tmp_name' ] ) > 10485760 ) {
  // Not correct file size...
  exit;
}

@ Venkat / Mandes - still the same problem
@logic earth - I tried the following (could have got it very wrong):

$file_name = $_FILES['uid']['name'];
$user= 'FILENAME';
$ext = pathinfo($file_name, PATHINFO_EXTENSION);
$new_file_name=$user . '.' . $ext;
$path= "uploads/images/users/".$new_file_name;
$upload = $_FILES['uid']
$info = getimagesize( $upload['tmp_name'] );
if ( $info[2] != IMAGETYPE_JPEG ) {
echo "File format is not supported!";
}
if ( filesize( $upload[ 'tmp_name' ] ) > 3485760 )
{
echo "The filesize is too large!";
}
else(move_uploaded_file($_FILES['uid']['tmp_name'], $path))
{
echo "Successful<BR/>";
echo "File Name :".$new_file_name."<BR/>";
echo "File Size :".$_FILES['uid']['size']."<BR/>";
echo "File Type :".$_FILES['uid']['type']."<BR/>";
} 

This results in unexpected T_VARIABLE…

the error should also be telling you what line is ‘offending’

Line 8 starting $info = getimagesize

$ext = pathinfo($file_name, PATHINFO_EXTENSION);

If you don’t fix that line, every other check proposed in this thread can still be maliciously bypassed.
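
An added example, not part of any post in this thread: one way to combine the checks discussed above, so that the size is measured on the server, the type comes from the file's own header via getimagesize(), and the stored extension is fixed to .jpg instead of being taken from the client-supplied name. It assumes the 'uid' field, the 20000-byte limit and the uploads/images/users/FILENAME target from the question; the function name jpeg_upload_problem and the sample files are made up for illustration.

```php
<?php
// Added example, not code from the thread. The field name 'uid', the
// 20000-byte limit, the directory and 'FILENAME' are taken from the posts.
const MAX_BYTES = 20000;
// Returns null if the entry is an acceptable JPEG, else a rejection reason.
// Nothing the client supplied ('name', 'type', 'size') is consulted.
function jpeg_upload_problem(array $f, int $maxBytes = MAX_BYTES): ?string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload error';
    }
    $tmp = (string) ($f['tmp_name'] ?? '');
    $size = is_file($tmp) ? filesize($tmp) : false; // measured on the server
    if ($size === false || $size === 0 || $size >= $maxBytes) {
        return 'missing, empty or too large';
    }
    $info = @getimagesize($tmp); // inspects the file header only
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return 'not a JPEG';
    }
    return null;
}

if (PHP_SAPI !== 'cli') {
    // Web request: the server chooses the stored name and its extension.
    $f = $_FILES['uid'] ?? [];
    $problem = jpeg_upload_problem($f);
    $path = 'uploads/images/users/' . 'FILENAME' . '.jpg';
    if ($problem === null && move_uploaded_file($f['tmp_name'], $path)) {
        echo 'Successful';
    } else {
        http_response_code(400);
        echo 'Rejected: ', $problem ?? 'could not store the file';
    }
} else {
    // CLI demo on constructed samples: a text file sent with a JPEG type
    // claim, and a minimal JPEG header (SOI, APP0/JFIF, SOF0, EOI).
    $text = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($text, "plain text, not an image\n");
    $jpeg = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($jpeg, hex2bin('ffd8'
        . 'ffe000104a46494600010100000100010000'
        . 'ffc00011080001000103011100021101031101' . 'ffd9'));
    foreach (['notes.txt' => $text, 'holiday.jpeg' => $jpeg] as $name => $tmp) {
        $entry = ['name' => $name, 'type' => 'image/jpeg', 'size' => 1,
                  'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
        echo $name, ': ', jpeg_upload_problem($entry) ?? 'accepted', "\n";
        unlink($tmp);
    }
}
```

getimagesize() reads only the image header, so the server-chosen extension still matters for files that pass the type check.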