Please I need assistance, this script is displaying "unsupported file" when an image is uploaded.
I can't figure out the possible error.

I created a modal form on which the file upload is running. When a user clicks on "mark as paid", a modal form comes up where an image is attached.
On clicking submit, it brings out the unsupported file error...

HTML

echo '<center class="fa-boardx">
        <div class="x fa-boardx"><div class="container">';
echo '<div id="heading-breadcrumbs" style="width:94%;">
        <div class="panel panel-primary">
          <div class="panel-heading">
            <h3 class="panel-title"><strong>AWAITING PAYMENT</h3>
          </div>
          <br>
          <h1>AMOUNT: <span><b> ₦ '.$emoney.'</b><span></h1>';

if($set['autopurge'] > 0){
  echo '<code>YOUR ACCOUNT WILL BLOCKED IN
    <h2>(<font color="red"> '.ceil(($mergto['xtime'] - time())/60 * 24).'</font>)<br/>';
  include '../count.php';
  echo '</code><br/>PAY BEFORE THIS TIME TO ENJOY DONATIONS</h2>';
}
 echo '<b class="green"><h4>Pay To Name: <span>'.htmlspecialchars($umprof['firstname']).' '.$umprof['lastname'].' </span><br/> <br>
  Phone Number: <span>'.htmlspecialchars($umprof['phone']).'</span><br/><br>

  Bank Name: <span>'.htmlspecialchars($umprof['bankname']).'</span><br/><br>

  Account Name: <span>'.htmlspecialchars($umprof['accname']).'</span><br/><br>
  Account Number: <span>'.htmlspecialchars($umprof['accno']).'</span></h4></b><br>';

if($mergto['status'] < 1){
  echo '<form action="uploader.php" method="POST" enctype="multipart/form-data" >
    <input type="hidden" name="sendi" value="'.$mergto['sender'].'"/>
    <input type="hidden" name="rendi" value="'.$mergto['reciever'].'"/>
    </div>
    </div>
    <button class="button button-xlarge button-rounded" data-toggle="modal" data-target=".modal-payment">MARK AS PAID
    </button>
    <!-- MODAL   -->
    <div class="modal fade modal-payment" tabindex="-1" role="dialog" aria-labelledby="myLargeModalLabel" aria-hidden="true">
      <div class="modal-dialog modal-lg">
        <div class="modal-body">
          <div class="modal-content">
            <div class="modal-header">
              <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
              <h4 class="modal-title" id="myModalLabel">I SEND THE MONEY</h4>
            </div>
            <div class="modal-body">

              <form action="uploader.php" method="POST" enctype="multipart/form-data">
                <input type="hidden" name="sender" value="'.htmlspecialchars($muprof['username']).'"/>
                <input type="hidden" name="iid" value="12112">
                <input type="hidden" name="paid" value="12112">
                <div class="row">
                  <div class="col-md-12">
                    <label>Payment Type:</label>
                    <input name="ptyp" class="form-control input-lg" type="text" required="">
                  </div>
                </div>
                <br>
                <div class="row">
                  <div class="col-md-12">
                    <label>Name On Pay Slip:</label>
                    <input name="mName" class="form-control input-lg" type="text" required="">
                  </div>
                </div>
                <br>

                <div class="row">
                  <div class="col-md-12 bottommargin">
                    <label>PAYMENT IMAGE:</label><br>
                    <input  type="file" id="input-8" name="mFile" class="file-loading"  accept="image/gif, image/jpeg"/>

                  </div>
                </div>

                <div class="row">
                  <div class="col-md-12">
                    <button type="submit" class="btn btn-lg btn-block btn-success"  id="sendmail"> SUBMIT </button>
                  </div>
                </div>

              </form>

            </div>
          </div>
        </div>
      </div>
    </div>';

Uploader.php
The uploader.php is put separately

<?php
include ('../inc/config.php');
$UploadDirectory  = 'uploads/'; //Upload Directory, ends with slash & make sure folder exist
$SuccessRedirect  = 'main.php'; //Redirect to a URL after success

if (!@file_exists($UploadDirectory)) {
  //destination folder does not exist
  die("Make sure Upload directory exist!");
}

if($_POST)
{
    if(!isset($_POST['mName']) || strlen($_POST['mName'])<1)
  {
    //required variables are empty
    die("Title is empty!");
  }


  if($_FILES['mFile']['error'])
  {
    //File upload error encountered
    die(upload_errors($_FILES['mFile']['error']));
  }

  $FileName         = strtolower($_FILES['mFile']['name']); //uploaded file name
  $FileTitle        = mysql_real_escape_string($_POST['mName']); // file title
  $ImageExt         = substr($FileName, strrpos($FileName, '.')); //file extension
  $FileType         = $_FILES['mFile']['type']; //file type
  $FileSize         = $_FILES['mFile']["size"]; //file size
  $RandNumber       = rand(0, 9999999999); //Random number to make each filename unique.
  $uploaded_date    = date("Y-m-d H:i:s");
  $username         = mysql_real_escape_string($_POST['sender']);
  $status           = "Confirmed";

  print_r($FileName);
  switch(strtolower($FileType))
  {
    //allowed file types
    case 'image/png': //png file
    case 'image/gif': //gif file
    case 'image/jpeg': //jpeg file
    case 'application/pdf': //PDF file
    case 'application/msword': //ms word file
    case 'application/vnd.ms-excel': //ms excel file
    case 'application/x-zip-compressed': //zip file
    case 'text/plain': //text file
    case 'text/html': //html file
      break;
    default:
      die('Unsupported File!'); //output error
  }

  //File Title will be used as new File name
  $NewFileName = preg_replace(array('/\s/', '/\.[\.]+/', '/[^\w_\.\-]/'), array('_', '.', ''), strtolower($FileTitle));
  $NewFileName = $NewFileName.'_'.$RandNumber.$ImageExt;
   //Rename and save uploaded file to destination folder.
   if(move_uploaded_file($_FILES['mFile']["tmp_name"], $UploadDirectory . $NewFileName ))
   {
    //connect & insert file record in database
        $dbconn = mysql_connect($dbhost, $dbuser, $dbpass)or die("Unable to connect to MySQL");
    mysql_select_db($dbname,$dbconn);

    @mysql_query("INSERT INTO uploads (image, mName, filesize,username,status, uploaded_date) VALUES ('$NewFileName', '$FileTitle','$FileSize','$username','$status','$uploaded_date')");
    mysql_close($dbconn);

    header('Location: '.$SuccessRedirect); //redirect user after success

   }else{
       die('error uploading File!');
   }
}

//function outputs upload error messages, http://www.php.net/manual/en/features.file-upload.errors.php#90522
function upload_errors($err_code) {
  switch ($err_code) {
    case UPLOAD_ERR_INI_SIZE:
        return 'The uploaded file exceeds the upload_max_filesize directive in php.ini';
    case UPLOAD_ERR_FORM_SIZE:
        return 'The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form';
    case UPLOAD_ERR_PARTIAL:
        return 'The uploaded file was only partially uploaded';
    case UPLOAD_ERR_NO_FILE:
        return 'No file was uploaded';
    case UPLOAD_ERR_NO_TMP_DIR:
        return 'Missing a temporary folder';
    case UPLOAD_ERR_CANT_WRITE:
        return 'Failed to write file to disk';
    case UPLOAD_ERR_EXTENSION:
        return 'File upload stopped by extension';
    default:
        return 'Unknown upload error';
  }
}
?>
Louys Patrice Bessette
ojulari
  • Did you try using another image? Maybe the one you are testing is corrupted. Also verify if your server can detect mime types. And debug showing what's the content of the $FileType variable. – Simone Cabrino Mar 31 '17 at 20:17
  • What filetype is the image you're trying to upload? – SLWS Mar 31 '17 at 20:19
  • I tried several images, I use .jpg , gif, .png – ojulari Mar 31 '17 at 20:21
  • Have you tried adding the $FileType to the die() message, to see what it is for the files you're uploading? – rickdenhaan Mar 31 '17 at 20:28
  • Try to dump your $FileType; apparently $_FILES['mFile']['type'] can be messy, and it may contain something like "(length=...)". Check that too, and here: http://stackoverflow.com/questions/15605030/php-filesfiletype-is-useless – nullqube Mar 31 '17 at 20:36
  • `$FileType = $_FILES['mFile']['type'];` This variable does not contain the file type, rather the information the browser (or user) adds to the post request. In other words, you can't trust it. Also if I spoof the file name as `../script.php%00.png` it will completely bypass your security. – Xorifelse Mar 31 '17 at 22:11
  • Not working still...showing "unsupported file". I have tried all file extensions – ojulari Apr 01 '17 at 05:55
  • I have actually got it right, the modal form wasn't closed properly. Thanks – ojulari Apr 02 '17 at 13:48
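
As an added example (not part of the question or of any comment above): one way to decide the file type from the uploaded bytes instead of from `$_FILES['mFile']['type']` or the submitted file name, both of which the comments note are client-supplied. The function names, the image-only allowlist and the sample bytes are assumptions made for this example, and it assumes PHP's bundled fileinfo extension is enabled.

```php
<?php
// Added example: the type comes from the file content, the stored name from the server.
const ALLOWED = [            // detected MIME type => extension we assign ourselves
    'image/png'  => '.png',
    'image/gif'  => '.gif',
    'image/jpeg' => '.jpg',
];

// Returns the extension to store the file under, or null if the content is not allowed.
function detected_extension(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
}

// Validates one $_FILES entry and moves it into $dir under a server-chosen name.
function store_upload(array $file, string $dir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    $ext = detected_extension($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('Unsupported File!');
    }
    // Random name plus allowlisted extension: nothing from the request reaches the path.
    $name = bin2hex(random_bytes(16)) . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($dir, '/') . '/' . $name)) {
        throw new RuntimeException('error uploading File!');
    }
    return $name;
}

// Constructed samples for a command-line run: a minimal GIF, and PHP source text.
if (PHP_SAPI === 'cli') {
    $gif = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
    $php = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($php, "<?php echo 'x'; ?>");
    var_dump(detected_extension($gif)); // content starts with a GIF signature
    var_dump(detected_extension($php)); // content is script source, not an image
    unlink($gif);
    unlink($php);
}
```

In the upload handler this would be called as `store_upload($_FILES['mFile'], 'uploads/')`, with the returned name being the value stored in the database.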

0 Answers