
I'm working on this script, taken from the network, to upload files to a server folder. The script works fine, but it only allows JPEG images with a weight of less than 2 MB. I modified the code by adding other formats to load; it works, but unfortunately it no longer takes the weight limit (2 MB) into account. Where am I going wrong? Thank you (I attach the original and the edited script).

Original script

<?php
require('connect.php');
$name = $_FILES['file']['name'];
$size = $_FILES['file']['size'];
$type = $_FILES['file']['type'];

$tmp_name = $_FILES['file']['tmp_name'];

$extension = substr($name, strpos($name, '.') + 1);

$max_size = 2000000;
if(isset($name) && !empty($name)){
    if(($extension == "jpg" || $extension == "jpeg") && $type == "image/jpeg" && $extension == $size<=$max_size){
        $location = "uploads/";

        if(move_uploaded_file($tmp_name, $location.$name)){
            $query = "INSERT INTO `upload` (name, size, type, location) VALUES ('$name', '$size', '$type', '$location$name')";
            $result = mysqli_query($connection, $query);

            $smsg = "Caricamento riuscito.";
        }else{
            $fmsg = "Caricamento fallito";
        }
    }else{
        $fmsg = "Il file deve avere una dimesione inferiore a 2 mb e in formato jpeg";
    }
}else{
    $fmsg = "Seleziona un file";
}

?>
<html>
<head>
 <title>File Upload Script Using PHP MySQL</title>
 
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" >

<!-- Optional theme -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" >

<link rel="stylesheet" href="styles.css" >

<!-- Latest compiled and minified JavaScript -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>

<div class="container">
<?php //echo $name; ?>
<?php //echo $size; ?>
<?php //echo $type; ?>
<?php //echo $tmp_name; ?>
      <form class="form-signin" method="POST" enctype="multipart/form-data">
      <?php if(isset($smsg)){ ?><div class="alert alert-success" role="alert"> <?php echo $smsg; ?> </div><?php } ?>
      <?php if(isset($fmsg)){ ?><div class="alert alert-danger" role="alert"> <?php echo $fmsg; ?> </div><?php } ?>      
        <h2 class="form-signin-heading">Upload File</h2>
   <div class="form-group">
     <label for="exampleInputFile">File input</label>
     <input type="file" name="file" id="exampleInputFile">
     <p class="help-block">Carica file in formato JPEG inferiori a 2 MB</p>
   </div>
        <button class="btn btn-lg btn-primary btn-block" type="submit">carica</button>
      </form>
</div>

</body>

</html>

Modified code

if(isset($name) && !empty($name)){
    if(($extension == "jpg" || $extension == "jpeg") && $type == "image/jpeg" || $type == "image/png " || $type == "image/gif" && $extension == $size<=$max_size){
        $location = "uploads/";

I guess I'm missing something in the syntax; can anyone help me?

  • `$extension == $size<=$max_size` doesn't seem to make any sense. Did you just mean `$size<=$max_size`? Also to avoid any doubt about the boolean logic it would be better to write `&& ($type == "image/jpeg" || $type == "image/png " || $type == "image/gif") &&` (note the additional brackets) – ADyson Sep 13 '17 at 14:48
  • [Little Bobby](http://bobby-tables.com/) says **[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Sep 13 '17 at 14:51
  • *weight*? I think you mean file size. – Script47 Sep 13 '17 at 14:53
  • Yes, file size. When I add the other formats the form loads them but ignores the size of the files – Giorgio Papa Sep 13 '17 at 14:57
  • @GiorgioPapa see my suggestions above. Does that fix it? – ADyson Sep 13 '17 at 20:19
  • @ADyson not solved: `if(($extension == "jpg" || $extension == "jpeg") && ($type == "image/jpeg" || $type == "image/png" || $type == "image/gif" || $type == "application/x-zip-compressed") && $size<=$max_size){ $location = "uploads/";` – Giorgio Papa Sep 15 '17 at 07:54
  • @ADyson, I solved it with this method, thanks for your help: `if(($type == "image/jpeg" || $type == "image/png" || $type == "image/gif" || $type == "application/x-zip-compressed") && ($size<=$max_size)){ $location = "uploads/";` – Giorgio Papa Sep 15 '17 at 08:02

2 Answers


<?php
require('connect.php');
$name = $_FILES['file']['name'];
$size = $_FILES['file']['size'];
$type = $_FILES['file']['type'];

$tmp_name = $_FILES['file']['tmp_name'];

$extension = substr($name, strpos($name, '.') + 1);

$max_size = 2000000;
if(isset($name) && !empty($name)){
    if(($type == "image/jpeg" || $type == "image/png" || $type == "image/gif" || $type == "application/x-zip-compressed") && ($size<=$max_size)){
        $location = "uploads/";

        if(move_uploaded_file($tmp_name, $location.$name)){
            $query = "INSERT INTO `upload` (name, size, type, location) VALUES ('$name', '$size', '$type', '$location$name')";
            $result = mysqli_query($connection, $query);

            $smsg = "Caricamento riuscito.";
        }else{
            $fmsg = "Caricamento fallito";
        }
    }else{
        $fmsg = "Il file deve avere una dimesione inferiore a 2 mb e in formato: jpeg, png, gif, zip";
    }
}else{
    $fmsg = "Seleziona un file";
}

?>
<html>
<head>
 <title>Carica file</title>
 
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" >

<!-- Optional theme -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap-theme.min.css" >

<link rel="stylesheet" href="styles.css" >

<!-- Latest compiled and minified JavaScript -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>

<div class="container">
<?php //echo $name; ?>
<?php //echo $size; ?>
<?php //echo $type; ?>
<?php //echo $tmp_name; ?>
      <form class="form-signin" method="POST" enctype="multipart/form-data">
      <?php if(isset($smsg)){ ?><div class="alert alert-success" role="alert"> <?php echo $smsg; ?> </div><?php } ?>
      <?php if(isset($fmsg)){ ?><div class="alert alert-danger" role="alert"> <?php echo $fmsg; ?> </div><?php } ?>      
        <h2 class="form-signin-heading">Upload File</h2>
   <div class="form-group">
     <label for="exampleInputFile">Scegli file</label>
     <input type="file" name="file" id="exampleInputFile">
     <p class="help-block">Carica file in formato JPEG, PNG, GIF, ZIP inferiori a 2 MB</p>
   </div>
        <button class="btn btn-lg btn-primary btn-block" type="submit">carica</button>
      </form>
</div>

</body>

</html>

This is the final working solution. Thank you @ADyson for your precious help. If there are further steps to improve the script, they are welcome.

  • No problem. As someone else mentioned in the comments above, the next thing you should improve is to remove the vulnerability to SQL Injection attacks. The links given by the original commenter contain some examples of the risks and also examples of how to code your queries safely in PHP. – ADyson Sep 16 '17 at 05:37
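As an added example (not the code from the question or from the answer above), the same handler with the checks the comments ask for and the ones a reviewer would add: the MIME type is sniffed from the file content instead of trusting the client-supplied `$_FILES['file']['type']`, the upload error code is examined before the size, the file is stored under a server-generated name, and the INSERT uses a prepared statement. It assumes `connect.php` provides `$connection` as a mysqli handle and that the `upload` table exists, as in the original script.

```php
<?php
// Added example, not the question's or the answer's code. Assumes connect.php
// defines $connection (mysqli) and the `upload` table used by the original script.
require('connect.php');

$max_size = 2000000;                       // same 2 MB limit as in the question
$allowed  = [                              // sniffed MIME type => extension to store
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'application/zip' => 'zip',            // finfo reports zip as application/zip,
];                                         // not the browser's x-zip-compressed
$location = 'uploads/';

if (!isset($_FILES['file']) || $_FILES['file']['error'] === UPLOAD_ERR_NO_FILE) {
    $fmsg = 'Seleziona un file';
} elseif ($_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    // UPLOAD_ERR_INI_SIZE, UPLOAD_ERR_FORM_SIZE, ...: size is 0 and tmp_name empty,
    // so a bare "$size <= $max_size" test would wrongly pass here.
    $fmsg = 'Caricamento fallito (errore ' . $_FILES['file']['error'] . ')';
} else {
    $tmp_name = $_FILES['file']['tmp_name'];
    $size     = $_FILES['file']['size'];
    // $_FILES['file']['type'] is set by the client; sniff the content instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $type  = $finfo->file($tmp_name);

    if (!is_uploaded_file($tmp_name) || !isset($allowed[$type]) || $size > $max_size) {
        $fmsg = 'Il file deve avere una dimensione inferiore a 2 mb e in formato: jpeg, png, gif, zip';
    } else {
        // Keep the client's filename only as data; store under a generated name
        // with an extension chosen from the sniffed type.
        $name   = $_FILES['file']['name'];
        $stored = bin2hex(random_bytes(16)) . '.' . $allowed[$type];
        $path   = $location . $stored;
        if (move_uploaded_file($tmp_name, $path)) {
            // Prepared statement: values are bound, never interpolated into SQL.
            $stmt = $connection->prepare(
                'INSERT INTO `upload` (name, size, type, location) VALUES (?, ?, ?, ?)'
            );
            $stmt->bind_param('siss', $name, $size, $type, $path);
            $stmt->execute();
            $smsg = 'Caricamento riuscito.';
        } else {
            $fmsg = 'Caricamento fallito';
        }
    }
}
```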

Giorgio, by default php.ini is set to 2 MB: `upload_max_filesize = 2M`, maybe at line 824. You need to change it to the values you want.
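As an added example, not part of this answer, the following shows how the php.ini ceiling interacts with the script's own `$max_size` check: the effective limit is the smallest of the three settings, and a file rejected by `upload_max_filesize` arrives with size 0 and `UPLOAD_ERR_INI_SIZE`, so it has to be caught by the error code, not the size. The `ini_bytes` helper is hypothetical; `$max_size` is the value from the question.

```php
<?php
// Added example (not the answer's code): reconcile php.ini upload limits with the
// script's $max_size. ini_bytes() is a hypothetical helper written for this example.

// Convert a php.ini shorthand such as "2M", "512K" or "1G" to bytes.
function ini_bytes(string $value): int {
    $value = trim($value);
    $num   = (int) $value;                      // leading digits only
    switch (strtolower(substr($value, -1))) {
        case 'g': return $num * 1024 * 1024 * 1024;
        case 'm': return $num * 1024 * 1024;    // "2M" = 2097152, not 2000000
        case 'k': return $num * 1024;
        default:  return $num;
    }
}

$max_size = 2000000;                            // the script's own limit (question)

// post_max_size bounds the whole multipart body, so it caps uploads too.
// If it is exceeded, PHP leaves $_FILES empty and the script sees "no file".
$effective = min(
    $max_size,
    ini_bytes(ini_get('upload_max_filesize')),
    ini_bytes(ini_get('post_max_size'))
);

$error = $_FILES['file']['error'] ?? UPLOAD_ERR_NO_FILE;
if ($error === UPLOAD_ERR_INI_SIZE) {
    // PHP already discarded the file: size is 0 and tmp_name is empty, so
    // "$size <= $max_size" would pass and move_uploaded_file would then fail.
    $fmsg = 'Il file supera upload_max_filesize (' . ini_get('upload_max_filesize') . ')';
} elseif ($error === UPLOAD_ERR_OK && $_FILES['file']['size'] > $effective) {
    $fmsg = 'Il file deve avere una dimensione inferiore a ' . $effective . ' byte';
}
```

Raising `upload_max_filesize` alone is not enough: `post_max_size` must be at least as large, and the script's `$max_size` remains the tightest bound of the three.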