
I have a website where users can upload images. And I have restricted file extensions to PNG, JPG, JPEG.

Problem:

I have a zip file stored in a folder on my local computer. Zip file name = "lara.zip"

Later I changed this zip file name to "Lara.jpg"

and then I uploaded this zip with the extension of jpg to my website through this uploading script. The script successfully submitted my and it uploaded this file to my website.

Solution : ???????????????????????

Question: How can I prevent users from uploading unwanted files with changed extensions? How can I find out whether the files they upload are actually images?

Thanks.

Now I have edited the question, but the code doesn't check for this error, whether it's a confirmed extension or not.

    if (isset($_FILES["image_upload"]["name"])) {

        $name = $_FILES["image_upload"]["name"];
        $size = $_FILES["image_upload"]["size"];

        $ext = end(explode(".", $name));
        $allowed_ext = array("png", "jpg", "jpeg", "PNG", "JPG", "JPEG");
        $checkexactlyimage = getimagesize($name);

        $allowedTypes = array(IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF);
        $detectedType = exif_imagetype($_FILES['image_upload']['tmp_name']);
        $detectedTypeerror = !in_array($detectedType, $allowedTypes);

        if ($detectedTypeerror !== false) {
            echo "Only JPG,PNG and JEPG files are allowed";
        } else if ($check !== false) {
            echo "Only JPG,PNG and JEPG files are allowed";
        } else if (in_array($ext, $allowed_ext)) {
            if ($size < (5000000)) {
                $new_image = '';
                $new_name = md5(rand()) . '.' . $ext;
                $path = '../folder/' . $new_name;
                list($width, $height) = getimagesize($_FILES["image_upload"]["tmp_name"]);
                if ($ext == 'png') {
                    $new_image = imagecreatefrompng($_FILES["image_upload"]["tmp_name"]);
                }

                if ($ext == 'jpg' || $ext == 'JPG' || $ext == 'JPEG' || $ext == 'jpeg') {
                    $new_image = imagecreatefromjpeg($_FILES["image_upload"]["tmp_name"]);
                }

                $new_width = 730;
                $new_height = ($height / $width) * 400;
                $tmp_image = imagecreatetruecolor($new_width, $new_height);
                imagecopyresampled($tmp_image, $new_image, 0, 0, 0, 0, $new_width, $new_height, $width, $height);

                imagejpeg($tmp_image, $path, 100);
                imagedestroy($new_image);
                imagedestroy($tmp_image);

                // third get your image
                $image3 = $path;
                $picture3 = base64_encode(file_get_contents($image3));
                $adimageno = 'data:image/gif;base64,' . $picture3 . '"';

                echo '<img src="' . $adimageno . '"  width="300" class="_setup-width-345"/>';

                $ifexistalready = "query";
                $ifexistalreadyqry = mysql_query($ifexistalready);
                $existornot = mysql_fetch_assoc($ifexistalreadyqry);
                $getidofstore = $existornot['ID'];
                $getcvrimage = $existornot['Simage'];

                $updatetable = "query";
                $updatetableqry = mysql_query($updatetable);
                if ($updatetableqry) {
                    unlink('../store-image/' . $getcvrimage);
                } else {
                    echo "Error on uploading image";
                }

            } else {
                echo 'Image File size must be less than 5 MB';
            }
        } else {
            echo 'Only JPG,PNG and JEPG files are allowed';
        }
    } else {
        echo 'Please select a image file';
    }
Filchev
alex
  • @Jecoms This is not a duplicate of the question above. Look at my code carefully and you'll see I have written code for an extension type check above. – alex Oct 18 '16 at 04:05
  • Check out the [accepted answer](http://stackoverflow.com/a/6755263/5793033). It suggests using [exif_imagetype](http://php.net/manual/en/function.exif-imagetype.php) to actually verify the file is an image. – Jecoms Oct 18 '16 at 04:08
  • @alex your question is not a duplicate but it does answer your question though. – Kervon Ryan Oct 18 '16 at 04:09
  • Can someone help me with adding that code to my existing script above? Much appreciated, everyone – alex Oct 18 '16 at 04:14
  • It's not a duplicate of your title, but it's a duplicate of the question you ask in the end. – Jecoms Oct 18 '16 at 04:14
  • Can someone help me with adding that code to my existing script above? – alex Oct 18 '16 at 04:18
  • I have edited the code below in my post with the answer you provided above, but it still doesn't work. Can someone help me please? – alex Oct 18 '16 at 04:22
  • Explain `But codes dowsnt working`, doesn't validate, doesn't process, throws an error (if so what error), etc. – chris85 Oct 18 '16 at 04:31
  • Yes, I just edited the question again. It doesn't validate the type of the file. – alex Oct 18 '16 at 04:37
  • @chris85 Can you please check the question again. – alex Oct 18 '16 at 04:38
  • Why do you have two similar blocks of code in your question? If the second supersedes the first then please remove the first. – nnnnnn Oct 18 '16 at 04:39
  • I edited the question @nnnnnn. – alex Oct 18 '16 at 04:41
  • `$valid = getimagesize($_FILES['image_upload']['tmp_name'])?true:false;` – Vinay Oct 18 '16 at 05:22
  • @Novice how can I use this? Can you please write the answer to this? – alex Oct 18 '16 at 05:24
  • Please someone help me – alex Oct 18 '16 at 05:33
  • @alex Please man, coding standards.. http://www.php-fig.org/psr/psr-2/ you'll thank me in future, also novice gave you the correct answer – Filchev Oct 18 '16 at 06:51
  • @alex *"how can i use this ??? can you please write the answer to this ??"* -- You just got your answer above, you just have to read it. It's literally copy-paste ready, I'm not sure what else can be answered here. – John Weisz Oct 18 '16 at 06:55
  • Thanks, I found the answer below – alex Oct 18 '16 at 08:43

1 Answer


Refactored the messed up block for you

    // Inspect the uploaded temp file itself, not the client-supplied file name.
    $checkexactlyimage = getimagesize($_FILES['image_upload']['tmp_name']);
    $allowedTypes = array(IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF);
    $detectedType = exif_imagetype($_FILES['image_upload']['tmp_name']);
    // true when the detected type is not in the allowed list
    $detectedTypeerror = !in_array($detectedType, $allowedTypes);

    if ($detectedTypeerror !== false) {
        echo "Only JPG,PNG and JEPG files are allowed";
    } else if ($checkexactlyimage === false) {
        echo "Only JPG,PNG and JEPG files are allowed";
    }
Vinay
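Added example, not part of the original answer or the asker's script: one way to fold the checks above into a single function that judges the temp file's bytes and never looks at the client-supplied name. `detect_image_ext()`, the 5,000,000-byte default (taken from the question's size check) and the two sample files are constructed for illustration; it assumes PHP 7.1+ with the GD extension.

```php
<?php
// Added example. detect_image_ext() is a hypothetical helper, not from the page.
// It judges the file's bytes and ignores the client-supplied name entirely.
function detect_image_ext(string $path, int $maxBytes = 5000000): ?string
{
    $allowed = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg'];

    $size = @filesize($path);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return null;
    }
    // getimagesize() parses the header; index 2 holds the IMAGETYPE_* constant.
    $info = @getimagesize($path);
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    // A matching signature only covers the first bytes, so also require a
    // full GD decode; truncated or corrupt data behind a valid header fails here.
    if (@imagecreatefromstring(file_get_contents($path)) === false) {
        return null;
    }
    return $allowed[$info[2]];
}

// Constructed sample inputs: an empty ZIP archive named like the renamed file
// in the question, and a 1x1 PNG produced by GD under a non-image name.
$zip = sys_get_temp_dir() . '/Lara.jpg';
$png = sys_get_temp_dir() . '/pixel.upload';
file_put_contents($zip, "PK\x05\x06" . str_repeat("\0", 18));
imagepng(imagecreatetruecolor(1, 1), $png);

foreach ([$zip, $png] as $tmp) {
    // In the real handler $tmp is $_FILES['image_upload']['tmp_name'], used only
    // after 'error' === UPLOAD_ERR_OK and is_uploaded_file($tmp) both hold.
    $ext = detect_image_ext($tmp);
    if ($ext === null) {
        echo basename($tmp) . ": rejected\n";
    } else {
        // Stored name comes from the detected type plus random bytes.
        echo basename($tmp) . ": accepted as " . bin2hex(random_bytes(16)) . ".$ext\n";
    }
    unlink($tmp);
}
```

Re-encoding through GD, as the question's script already does with `imagejpeg()`, writes a fresh file from the decoded pixels rather than storing the uploaded bytes.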