image - PHP: File Validation randomly works
I have a file-type validation that checks image extensions. However, when I try to upload files such as .exe or .mp3, or any other than the allowed extensions:

    $allowed_ext = array('jpg', 'jpeg', 'png', 'gif');

it randomly works; I mean, sometimes it echoes out the error, and sometimes the errors are not being echoed.

This line checks the extension... thingy:

    if (in_array($image_ext, $allowed_ext) === false){
        $errors[] = '<font color="red">*file type not allowed.</font>';
    }

Full code:
    if (isset($_FILES['image'], $_POST['album_id'])){
        $image_name = $_FILES['image']['name'];
        $image_size = $_FILES['image']['size'];
        $image_temp = $_FILES['image']['tmp_name'];

        $allowed_ext = array('jpg', 'jpeg', 'png', 'gif');

        // separate thingies
        $tmp = explode('.', $image_name);
        $image_ext = strtolower(end($tmp));

        $album_id = $_POST['album_id'];

        // error array
        $errors = array();

        if (empty($image_name)){
            $errors[] = '<font color="red">*please choose photo.</font>';
        }
        if (empty($album_id)){
            $errors[] = '<font color="red">invalid album.</font>';
        } else {
            // not allowed extension?
            if (!$allowed_ext){
                $errors[] = '<font color="red">*the file type not supported</font>';
            }
            if (in_array($image_ext, $allowed_ext) === false){
                $errors[] = '<font color="red">*file type not allowed.</font>';
            }
            // 5 mb file
            if ($image_size > 5242880 ){
                $errors[] = '<font color="red">*maximum file size 2mb.</font>';
            }
            if (album_check($album_id) === false){
                $errors[] = '<font color="red">*couldn\'t upload album.</font>';
            }
            // putting it in here to prevent an undefined index error.
            $caption = $_POST['caption'];
            if (empty($caption)){
                $errors[] = '<font color="red">*caption cannot empty</font>';
            }
        }

        // check if error, if error, echo errors
        if (!empty($errors)){
            foreach ($errors as $error){
                echo $error, '<br />';
            }
        } else {
            // upload image if no error
            upload_image($image_temp, $image_ext, $album_id);
            header('Location: view_album.php?album_id='.$album_id);
            exit();
        }
    }

Just checking the extension might not be secure, depending on your setup. One could upload a PHP file with a jpg extension and, if the server isn't set up properly, execute it. I guess it's better to check the file type after uploading.

    <?php
    $allowed_types = array(
        'image/gif',
        'image/jpeg',
        'image/png',
    );

    if (isset($_FILES['image'])) {
        // The type in $_FILES isn't checked by PHP, so use this instead.
        $finfo = new finfo(FILEINFO_MIME);
        // FILEINFO_MIME returns e.g. "image/png; charset=binary"
        $type = $finfo->file($_FILES['image']['tmp_name']);
        // keep only the part before the ';'
        $mime = substr($type, 0, strpos($type, ';'));
        if (in_array($mime, $allowed_types)) {
            // allowed
        }
    }
    ?>

But you can use the same approach for the extension.

    <?php
    $allowed_ext = array(
        'gif',
        'jpg',
        'jpeg',
        'png',
    );

    if (isset($_FILES['image'])) {
        // take the last dot-separated part of the client-supplied file name
        $t = explode('.', basename($_FILES['image']['name']));
        $ext = strtolower(array_pop($t));
        if (in_array($ext, $allowed_ext)) {
            // allowed
        }
    }
    ?>
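
The content check from the answer, carried one step further as an added example (not code from the original post): the stored extension is derived from the detected MIME type, so the client-supplied name never reaches the filesystem. The names `validate_image_upload`, `ALLOWED_MIME` and `MAX_BYTES` are hypothetical, the two sample files are constructed, and `is_file` stands in for `is_uploaded_file` only so the demo runs from the command line.

```php
<?php
// Added example: validate one $_FILES-style entry by its content, not its name.
// All function and constant names below are hypothetical.
const ALLOWED_MIME = [               // detected MIME type => extension we assign
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];
const MAX_BYTES = 5242880;           // 5 MB, the limit used in the question's code

function validate_image_upload(array $file, ?callable $isUploaded = null): array
{
    $isUploaded = $isUploaded ?? 'is_uploaded_file';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'error' => 'upload failed'];
    }
    if (!$isUploaded($file['tmp_name'])) {
        return ['ok' => false, 'error' => 'not an uploaded file'];
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        return ['ok' => false, 'error' => 'file too large'];
    }
    // $file['name'] and $file['type'] are sent by the client; inspect the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_MIME[$mime])) {
        return ['ok' => false, 'error' => 'file type not allowed'];
    }
    // Server-chosen random name plus an extension taken from the detected type.
    $storeAs = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    return ['ok' => true, 'mime' => $mime, 'store_as' => $storeAs];
}

// Constructed sample input: a 1x1 GIF, and a PHP script that claims to be a JPEG.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hello';\n");
$samples = [
    ['name' => 'photo.gif',   'type' => 'image/gif',  'tmp_name' => $gif, 'error' => UPLOAD_ERR_OK],
    ['name' => 'picture.jpg', 'type' => 'image/jpeg', 'tmp_name' => $php, 'error' => UPLOAD_ERR_OK],
];
foreach ($samples as $f) {
    // is_file replaces is_uploaded_file here because these files did not arrive over HTTP.
    $r = validate_image_upload($f, 'is_file');
    echo $f['name'], ' => ', $r['ok'] ? "accepted as {$r['store_as']}" : "rejected ({$r['error']})", PHP_EOL;
    unlink($f['tmp_name']);
}
```

In a real handler, drop the second argument so `is_uploaded_file` is used, and pass `store_as` to `move_uploaded_file` with a target directory where the web server does not execute scripts.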