
Check picture file type and size before file upload in php

Tags:

php

I have the following code:

$filecheck = basename($_FILES['imagefile']['name']);
$ext = substr($filecheck, strrpos($filecheck, '.') + 1);
if (($ext == "jpg" || $ext == "gif" || $ext == "png")
    && ($_FILES["imagefile"]["type"] == "image/jpeg" || $_FILES["imagefile"]["type"] == "image/gif" || $_FILES["imagefile"]["type"] == "image/png")
    && ($_FILES["imagefile"]["size"] < 2120000)) {
} else {
    echo "F2";
    die();
}

What I need to do is check if the uploaded file is a jpg/gif/png and that it's less than 2 megs in size.

If it's larger than 2 megs, or not the right file type, I need to return/echo F2 (error code for API).

When I use the code above to process a 70k jpg file, it returns F2.

SUBNOTE: the picture I'm uploading has an extension of .JPG. Could case be a factor? If so, how do I accommodate for that?

mrpatg asked Aug 08 '09 21:08


2 Answers

Note that you might not want to rely on file extensions to determine file type. It would be rather easy for someone to upload an executable file with a .png extension for example. A mime-type can also easily be forged by a malicious client to pass as an image. Relying on that information is a security risk.

PHP Documentation:
The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.

Try loading the images with gd (getimagesize()) to make sure they are actually valid images (and not just random files pretended with the header of an image file... finfo_file relies on those headers).

if ($_FILES["imagefile"]["size"] >= 2120000) {
    echo "F2";
    die();
} else {
    $imageData = @getimagesize($_FILES["imagefile"]["tmp_name"]);

    if ($imageData === FALSE || !($imageData[2] == IMAGETYPE_GIF || $imageData[2] == IMAGETYPE_JPEG || $imageData[2] == IMAGETYPE_PNG)) {
        echo "F2";
        die();
    }
}

If you really must use the extension to verify if the file is an image, use strtolower() to put the extension into lowercase.

$filecheck = basename($_FILES['imagefile']['name']);
$ext = strtolower(substr($filecheck, strrpos($filecheck, '.') + 1));

if (!(($ext == "jpg" || $ext == "gif" || $ext == "png") && ($_FILES["imagefile"]["type"] == "image/jpeg" || $_FILES["imagefile"]["type"] == "image/gif" || $_FILES["imagefile"]["type"] == "image/png") && 
    ($_FILES["imagefile"]["size"] < 2120000))){
    echo "F2";
    die();
}
Andrew Moore answered Oct 15 '22 20:10
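
An added example, not part of the answer above: one way to apply its advice is to ignore the client-supplied name and MIME type entirely and let the server choose the stored extension from what the file content parses as. The helper names `image_extension_for()` and `handle_upload()` are hypothetical; the code assumes PHP 7.1+ with the fileinfo extension, and the size limit is the one from the question.

```php
<?php
// Added example; helper names are hypothetical, limit taken from the question.
const MAX_BYTES = 2120000;
const ALLOWED = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];

// Returns a server-chosen extension for an acceptable image, or null.
// Nothing from $_FILES[...]['name'] or ['type'] is consulted.
function image_extension_for(string $path): ?string
{
    $size = @filesize($path);                 // measured on disk
    if ($size === false || $size === 0 || $size >= MAX_BYTES) {
        return null;
    }
    $info = @getimagesize($path);             // parses the image header
    if ($info === false || !array_key_exists($info[2], ALLOWED)) {
        return null;
    }
    // Cross-check with libmagic: both detectors must agree on the type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime !== image_type_to_mime_type($info[2])) {
        return null;
    }
    return ALLOWED[$info[2]];
}

// Upload entry point: returns a random stored file name, or null (caller echoes "F2").
function handle_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = image_extension_for($file['tmp_name']);
    return $ext === null ? null : bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample input: a 1x1 GIF and a PHP script posing as a picture.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "<?php echo 'not an image';");

var_dump(image_extension_for($gif));   // accepted: extension chosen by the server
var_dump(image_extension_for($fake));  // rejected regardless of its upload name
unlink($gif);
unlink($fake);
```

Both detectors read only the start of the file, so a pass means the content begins as a real GIF, JPEG or PNG, not that nothing else is embedded in it. That is why the stored name and extension are generated server-side instead of being taken from the upload.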


SUBNOTE: the picture I'm uploading has an extension of .JPG. Could case be a factor? If so, how do I accommodate for that?

Yes, that is the problem. You should add strtolower() to this line:

$ext = substr($filecheck, strrpos($filecheck, '.') + 1);

like:

$ext = strtolower(substr($filecheck, strrpos($filecheck, '.') + 1));

That will fix your current issue. But technically, you shouldn't worry about file extensions; you should really only need to check the MIME type.

Mark answered Oct 15 '22 18:10