0

I am trying to make a script to save an image link in a database, like example.com/image.jpg. Everything is working fine; I just want that if someone enters a wrong URL, like one without the extension .jpg, .png or .gif, it gives an error to the user so they enter a correct URL.

Here is my PHP code

if (isset($_POST['img'], $_POST['titl'])) {   // no stray ";" after the if, and a proper block
    $img = $_POST['img'];
    $ti  = $_POST['titl'];

    // Prepared statement: the user-supplied URL never becomes part of the SQL string
    $stmt = mysqli_prepare($con, "SELECT 1 FROM image WHERE url = ?")
        or die(mysqli_error($con));
    mysqli_stmt_bind_param($stmt, "s", $img);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);

    if (mysqli_stmt_num_rows($stmt) > 0) { // check if there is already an entry for that URL
        echo "Image already exists! ";
    } else {
        // column list had a trailing comma ("url,)"), which is a syntax error in MySQL
        $ins = mysqli_prepare($con, "INSERT INTO image (Title, url) VALUES (?, ?)")
            or die(mysqli_error($con));
        mysqli_stmt_bind_param($ins, "ss", $ti, $img);
        mysqli_stmt_execute($ins);
        echo "Image Successfully Added";
    }
}

And here is the HTML

<form  action="" method="POST" >
  <span>Title:</span>
  <input  type="text" name="titl" maxlength="100" /><br>
  <span>Image URL:</span> 
  <input  type="text" name="img" maxlength="300" />
  <input type="submit" value="Add Image!" id="subm" class="button" />
</form>
Jatin

2 Answers

0
$accept = ['.jpg', '.gif', '.png']; // the file extensions you will accept

if (in_array(substr($img, -4), $accept)) // check last 4 chars in $accept
{
    echo "This works";
    // update mysql table
} // if
else
{
    echo "This fails";
} // else

This is just a way to check the file name, not the content of the file. As mentioned by @Fred-ii: the image must still be sanitized for malicious code. One preliminary measure would be to rename the file to something random and store the random ID in the database. You might also use GD or ImageMagick to copy the file across, 1:1, which would compress the file and remove any malicious code. You can also serve the image from another domain if you have one, to protect your main site and its data.

graemeboy
    This is not the best solution. Any hacker can pass off a `.jpg` etc. and then inject a renaming function to run as PHP. – Funk Forty Niner Apr 02 '14 at 21:18
  • @graemeboy yeah it's working fine, but Notepad++ shows a red line on the `&accept =` line – user3478845 Apr 02 '14 at 21:24
  • @Fred-ii- Good call; would need to sanitize input. This could still be a preliminary step for making a workable UI; usually done on the front-end to help the user. – graemeboy Apr 02 '14 at 21:26
0

Do you know the PHP explode function? http://www.php.net/manual/pt_BR/function.explode.php

You can explode your file name using the dot '.' as the delimiter and check what comes after it. If you're using JavaScript, it may be a bit more efficient to do it on the client side.

gcolucci
  • No I'm not using JavaScript – user3478845 Apr 02 '14 at 21:23
  • So you can do it in the PHP side, as we suggested. Just be sure if you use @graemeboy's code that you consider the extension `.jpeg`, that would require a substring bigger than 4 letters, and also pay attention to the security breaches. Also, fix the line with the `if (isset($_POST['img']));` that is only working because you didn't have any image that is not set. – gcolucci Apr 03 '14 at 21:50
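The following is an added example, not code from the question or from either answer. It puts together the extension check from graemeboy's answer and the points raised in the comments on both answers: it handles `.jpeg` and upper-case extensions (so a fixed `substr($img, -4)` is not enough), it looks only at the path part of the URL so a query string or fragment cannot satisfy the check, and it stores the link with a prepared statement instead of interpolating `$_POST` values into the SQL. Like the answers, it only checks the shape of the URL, not what the remote server serves for it. The function names, the `ACCEPTED_EXTENSIONS` constant and the sample inputs are this example's own; `$con` is assumed to be an open `mysqli` connection to the `image(Title, url)` table from the question.

```php
<?php
// Added example; not part of the original question or answers.

// Extensions accepted, compared in lower case so "IMG.JPG" and ".jpeg" both pass.
const ACCEPTED_EXTENSIONS = ['jpg', 'jpeg', 'gif', 'png'];

/**
 * Returns null when $url looks like an acceptable image URL, otherwise a
 * message suitable for showing to the user.
 *
 * This checks only the shape of the URL (scheme, host, path extension); it says
 * nothing about what the remote server actually returns for it.
 */
function validateImageUrl(string $url): ?string
{
    $url = trim($url);
    if ($url === '' || strlen($url) > 300) {
        return 'Please enter an image URL (at most 300 characters).';
    }

    // FILTER_VALIDATE_URL rejects URLs without a scheme. The question's own example
    // ("example.com/image.jpg") has none, so retry with "http://" prepended.
    $candidate = filter_var($url, FILTER_VALIDATE_URL) ? $url : 'http://' . $url;
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return 'That does not look like a valid URL.';
    }

    $parts = parse_url($candidate);
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return 'Only http:// and https:// image URLs are accepted.';
    }

    // Use the path only: "?x=.jpg" or "#.png" must not satisfy the extension check.
    $path = $parts['path'] ?? '';
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, ACCEPTED_EXTENSIONS, true)) {
        return 'The URL must end in one of: .' . implode(', .', ACCEPTED_EXTENSIONS);
    }

    return null;
}

/**
 * Validates the input, then stores the link with prepared statements so no
 * user input is ever concatenated into SQL. Returns a message for the user.
 * $con is an open mysqli connection (assumed); the table and columns are the
 * question's "image (Title, url)".
 */
function addImageLink(mysqli $con, string $title, string $url): string
{
    if (($error = validateImageUrl($url)) !== null) {
        return $error;
    }
    $title = trim($title);
    if ($title === '' || strlen($title) > 100) {
        return 'Please enter a title (at most 100 characters).';
    }

    $stmt = $con->prepare('SELECT 1 FROM image WHERE url = ?');
    $stmt->bind_param('s', $url);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows > 0) {
        return 'Image already exists!';
    }

    $stmt = $con->prepare('INSERT INTO image (Title, url) VALUES (?, ?)');
    $stmt->bind_param('ss', $title, $url);
    $stmt->execute();
    return 'Image Successfully Added';
}

// Usage with the question's form (POST fields "titl" and "img"); $con is assumed:
// echo htmlspecialchars(addImageLink($con, $_POST['titl'] ?? '', $_POST['img'] ?? ''));

// Quick check of the validator alone, with constructed inputs and no database:
$samples = [
    'example.com/image.jpg',            // ok: scheme added, extension jpg
    'https://example.com/a/B.JPEG',     // ok: .jpeg, case-insensitive
    'example.com/photo',                // rejected: no extension
    'example.com/page.html?fake=.jpg',  // rejected: ".jpg" is in the query, not the path
    'ftp://example.com/x.png',          // rejected: scheme is not http/https
];
foreach ($samples as $u) {
    printf("%-36s -> %s\n", $u, validateImageUrl($u) ?? 'ok');
}
```

Whether the link is stored as entered or normalized (for example, with the `http://` prefix added) is a design choice; the example deliberately stores the string the user typed so the duplicate check behaves the same way as in the question.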