0

I am creating my own website at http://harrisonprograms.com and I have a problem on the profile page.

The problem is that I have created a PHP script that will upload an image to the server (for example, the image directory might be Users/whatevertheusername/imagename.png) and then add a string reference to it in MySQL on the user's MySQL row. However, before the script performs this, it checks if the file uploaded is an image file using the substring function. I can't post an image because my reputation isn't high enough, so here's the code in text:

if(isset($_POST['SUBMITFILE2'])){

$imageName = $_FILES['UPLFILE2']['name'];
$imageData = file_get_contents($_FILES['UPLFILE2']['tmp_name']);
$imageType = $_FILES['UPLFILE2']['type'];

//VALIDATE WHETHER FILE IS AN IMAGE OR NOT
if(substr("$imageName", 0, 5) == 'image'){

The thing I can't understand is that it used to work and validate if the file was an image or not, but now it has stopped working and I don't know why.

3 Answers

3

So checking the file type by name or extension is not good, because you can easily change it with a plain rename function. You can check if the uploaded file is an image using e.g. the MIME type. In PHP you have the function mime_content_type(). Example of usage:

$imageMimeTypes = array(
    'image/png',
    'image/gif',
    'image/jpeg');

$fileMimeType = mime_content_type($_FILES['UPLFILE2']['tmp_name']);

if (in_array($fileMimeType, $imageMimeTypes)) {
    //passed validation 
}

Of course you can define more mime types of images.

marian0
  • Thank you marian, this was very helpful. It helped determine if the file was an image or not, and now I can add more image types if I like. I have also learnt something about uploading files, thank you. – Harrison Pickering Sep 30 '14 at 21:38
0

You can use exif_imagetype to determine the type of an image.

codinglazy
0

Pretty sure you can find your answer here: php check file extension in upload form

$allowed =  array('gif','png' ,'jpg'); //extension allowed
$filename = $_FILES['video_file']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if(!in_array($ext,$allowed) ) {
    echo 'error';
}else{
//your extra code...
}
Sebastien B.
  • Don't see your point. If he only wants image format types to be uploaded, this will work just fine. If you take a .txt or a .exe and change the extension to .png, sure, it will pass, but it will just be a broken PNG. Now if you can get onto the server, change the extension back to .exe and then run it, that's another story! – Sebastien B. Sep 30 '14 at 20:50
  • I will try this in a sec but it says my input file is undefined and I know why. – Harrison Pickering Sep 30 '14 at 20:53
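
The checks discussed in the answers above, combined into one upload handler, as an added example that is not part of the original thread. It goes beyond the single MIME check by also parsing the image header and by choosing the stored extension on the server. `detectImageExtension` and `storeUploadedImage` are hypothetical helper names, and the two sample files are constructed so the script runs from the command line.

```php
<?php
// Added example. Allow-list: MIME type sniffed from content => extension the server assigns.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
];

// Hypothetical helper: extension to store the file under, or null if not an allowed image.
function detectImageExtension(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path); // reads magic bytes, ignores the name
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // Second opinion: the header must also parse as an image of the same type.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime];
}

// Hypothetical helper: validate one $_FILES entry and move it into $destDir.
function storeUploadedImage(array $file, string $destDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = detectImageExtension($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Server-generated name: $file['name'] and $file['type'] are client-supplied and unused.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Constructed samples for a CLI run: a 1x1 GIF and a text file named like a PNG.
$gif = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($gif, hex2bin(
    '474946383961' . '01000100800000' . '000000ffffff' . '2c000000000100010000' . '02014c003b'
));
$fake = sys_get_temp_dir() . '/constructed-fake.png';
file_put_contents($fake, "just some text\n");
var_dump(detectImageExtension($gif), detectImageExtension($fake));
unlink($gif);
unlink($fake);
```

In the upload script from the question this would be called as `storeUploadedImage($_FILES['UPLFILE2'], $userDir)`, where `$userDir` is an assumed per-user directory. A passing content check only shows the file begins as a valid image, so the upload directory should still be configured so the web server never executes files from it.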