PHP Upload limit image type to JPG and Gif


I'm trying to upload only gif and jpg filetypes.

I can do it by getting the extension from the PHP substr function, but I would like to do it the correct way?

Here is the code and it works for either gif or jpeg but I can't seem to get the syntax correct for both. I tried

if ($uploaded_type != ("image/jpeg") | ("image/gif"){ along with a few other combos. What's the correct way to do this?

Here is the current bit of code…

if ($uploaded_type != "image/jpeg") {
    echo "This type of picture is not allowed. Please upload and try again!<br>";
    $ok = 0;
}

Thanks Sitepoint!

Well, first thing I would suggest is going to: http://us2.php.net/manual/en/features.file-upload.php and taking a look at file uploads.

If you want to only allow a few types of images, let's say gif and jpg, you can create an array like:

$types = array('image/jpeg', 'image/gif');

Of course you can add more file types to your array as needed, which can be found by doing a print_r on the $_FILES variable and taking the value from type.

Then when you upload your file to make sure that it is a correct file type you can do:

if (in_array($_FILES['inputname']['type'], $types)) {
    // Your file handling script here
} else {
    // Error, filetype not supported
}

Hope this helps a little

That's perfect, I'm trying that now!

Big thanks for your help.

Here is the image upload script, modified. It requires an HTML form page with this code…

<form enctype="multipart/form-data" action="upload.php" method="POST">
Please choose a file: <input name="uploaded" type="file" /><br />
<input type="submit" value="Upload" />
</form>

Then a PHP page called upload.php that the form above posts to.

The code was adapted from an about article.

<?php
// Destination path, built from the file name sent by the client
$target = "images/";
$target = $target . basename($_FILES['uploaded']['name']);
$ok = 1;

// This is our size condition (size as reported in $_FILES)
if ($_FILES['uploaded']['size'] > 2097152) {
    echo "Your file is too large. We have a 2MB limit.<br>";
    $ok = 0;
}

// MIME types we accept; the 'type' value is sent by the browser
$types = array('image/jpeg', 'image/gif', 'image/png');

if (in_array($_FILES['uploaded']['type'], $types)) {
    // file is okay continue
} else {
    $ok = 0;
}

// Here we check that $ok was not set to 0 by an error
if ($ok == 0) {
    echo "Sorry your file was not uploaded. It may be the wrong filetype. We only allow JPG, GIF, and PNG filetypes.";
}

// If everything is ok we try to upload it
else {
    if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)) {
        echo "The file " . basename($_FILES['uploaded']['name']) . " has been uploaded";
    } else {
        echo "Sorry, there was a problem uploading your file.";
    }
}
?>

It also requires a folder called images with write permissions.

No no no no! Do not rely on $_FILES['type']!

http://us3.php.net/manual/en/function.getimagesize.php
http://us3.php.net/manual/en/function.image-type-to-extension.php

Also allow PNGs too!


<?php

$target = dirname( __FILE__ ) . '/images/';
$ok = true;

$file = $_FILES['uploaded'];

if ( $file['error'] > 0 ) {
    
    // We have an error...
    $ok = false;

}

if ( 2097152 < filesize( $file['tmp_name'] ) ) {

    // File too big.
    $ok = false;
}

$type = getimagesize( $file['tmp_name'] );
if ( $type === false || !in_array( $type[2], array( IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG ) ) ) {

    // File not correct type.
    $ok = false;

} else {

    $ext = image_type_to_extension( $type[2] );
    if ( !preg_match( '/' . preg_quote( $ext ) . '$/i', $file['name'] ) ) {
        $file['name'] .= $ext;
    }

    $target .= $file['name'];

}

if ( $ok ) {

    if ( move_uploaded_file( $file['tmp_name'], $target ) ) {

        // File is uploaded!
    
    } else {

        // Error...
    
    }

} else {

    // Error...
    
}

OMG… there is an image_type_to_extension

I'll use that code then.

Thanks for the code update

I seem to not have php 5 on my server. Lunarpages?

call to undefined function.

Yeah… current version PHP Version 4.4.4

what are they thinkin… lol

I tried it on a hostmonster account with php version 5+ and it worked just fine

Drop in replacement for image_type_to_extension should work in PHP 4


if ( !function_exists('image_type_to_extension') ) {

    function image_type_to_extension ( $type, $dot = true )
    {
        $e = array ( 1 => 'gif', 'jpeg', 'png', 'swf', 'psd', 'bmp',
            'tiff', 'tiff', 'jpc', 'jp2', 'jpf', 'jb2', 'swc',
            'aiff', 'wbmp', 'xbm' );

        // We are expecting an integer.
        $type = (int)$type;
        if ( !$type ) {
            trigger_error( '...come up with an error here...', E_USER_NOTICE );
            return null;
        }

        if ( !isset( $e[ $type ] ) ) {
            trigger_error( '...come up with an error here...', E_USER_NOTICE );
            return null;
        }

        return ( $dot ? '.' : '' ) . $e[ $type ];
    }
    
}

If you are just doing images, logic_earth’s code should work fine. You will have to write your code all over again on the occasion that you need to handle other file types.

It’s correct that you should never rely on information in the $_FILES array for security. If we had no ethics here, most of the experienced members of this board could easily show you how to use cURL or socket functions to spoof that information, and get an executable PHP file onto a server that only checks $_FILES for type information. Suffice it to say, you don’t want to know how easy it is.

I wrote an upload script for php-nuke; the last version was uploadit 3. Google still has it as the #1 result.

The previous version did allow hackers to upload files like…

hacktool.php.jpg

I made sure the script renamed the file to something like 12312312.jpg

Could cURL get past that?

Look at it this way. The web server is the gateway to your web site. The web server decides what to do with a file based on the file extension. If the file extension is JPG, it isn’t going to matter if it has PHP code in it or not. It’s not going to get executed as such.

The danger is in a file that might be called, hacktool.gif.php where your script only looks for the presence of the strings “jpg”, “gif” or “png”, instead of ensuring that that string is the “true” file extension.

As long as you don’t rely on the type information contained in the $_FILES array to ensure security, someone using cURL won’t be able to affect your script in that manner. If you detect an attempt to subvert your system, leave the file in the temp directory to die, or better yet delete it. Don’t leave it on your system to be exploited in some other way.
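The checks described in the post above, as an added example that is not part of the original thread: the stored name comes from the file's content plus a random token, never from the client's file name or the $_FILES type. safe_upload_name() and the two sample files are hypothetical, and PHP 7+ is assumed for random_bytes().

```php
<?php
// Added example (PHP 7+), not code from the thread. safe_upload_name() and the
// two sample files are hypothetical, constructed for illustration.

const MAX_BYTES = 2097152; // the 2MB limit used in the thread

/**
 * Choose the stored filename from the file's bytes alone. Returns a random
 * name with a server-chosen extension, or null to reject. The client's file
 * name and $_FILES[...]['type'] are never consulted.
 */
function safe_upload_name(string $tmpPath): ?string
{
    // Content-detected type => the only extensions ever written to disk.
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];

    if (!is_file($tmpPath) || filesize($tmpPath) > MAX_BYTES) {
        return null;
    }
    $info = @getimagesize($tmpPath); // inspects the content, not the name
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
}

// Constructed inputs: a real 1x1 GIF and a PHP source file.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'not an image'; ?>");

// Client names are deliberately misleading; they only appear in the log line.
foreach ([['holiday.gif.php', $gif], ['hacktool.php.gif', $php]] as [$clientName, $tmp]) {
    $stored = safe_upload_name($tmp);
    if ($stored === null) {
        echo "$clientName: rejected\n";
    } else {
        // A real handler would call move_uploaded_file($tmp, $dir . '/' . $stored).
        echo "$clientName: accepted, stored as $stored\n";
    }
    unlink($tmp); // sample cleanup; rejected uploads should be deleted the same way
}
```

Because a file can carry a valid image header and still contain other data, the server-chosen extension is what keeps the web server from treating a stored upload as a script.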

Sounds good. I’ve been using php for about 5 years, but am still a novice.

I once heard of a book called learn to program in 10 years, a title that was supposed to fly in the face of the normal 30-60 day programs.

Good things take time, I may need to break out the books again.

Thanks Hammer65