How to only allow png file types in php

Question

I am trying to experiment with mysql and php and am wondering how to only allow png files to be submitted in a file input from a form. This is my code at the current moment

<html>
<head>
    <title>Profile Picture</title>
</head>
<body>

<?php
echo "<form action='newpfp.php' method='POST' enctype='multipart/form-data'>
    <input type='hidden' name='MAX_FILE_SIZE' value='32768'>
    <label for='screenshot'>Select New Profile Picture</label><br>
    <input type='file' name='screenshot' id='screenshot'><br>
    <input type='submit'>
    </form>
";
if(!empty($_FILES['screenshot']['tmpname'])){
    $newpfp= $_FILES['screenshot']['name'];
    if($newpfp_type=='image/png'){
    echo "<script type='text/JavaScript'>  
    console.log('$newpfp has been added to the thing'); 
    </script>";
    $dbc=mysqli_connect('localhost','root','','project')
    or die('Something bad happened on line 21');
    $query="INSERT INTO portal(profile_picture) VALUES('$newpfp');";
    $result=mysqli_query($dbc,$query)
    or die('Something happened on line 24');
    mysqli_close($dbc)
    or die('Something BAD happened on line 26');
}
}else{
    echo "<script type='text/JavaScript'>  
    prompt('That filetype is not allowed; Allowed file types: gifs, jpgs and png'); 
    </script>";
}
?>
</body>
</html>

But when I try to submit a defaultpic.png file into the form, the Javascript prompt that I am using a wrong filetype comes up. How do I fix this problem

As an aside, see about sql injection and the importance of prepared and bound queries — Strawberry, Sep 28 '20 at 05:48
It's difficult to tell exactly what you are trying to do, but you are aware your PHP is executed when the page is created, not when submitted? Furthermore, you should be checking the file contents, not just the type, as a common script kiddie-level hack is renaming malicious code as `.jpg`. — Ken Y-N, Sep 28 '20 at 05:52
**Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) — Dharman, Sep 28 '20 at 11:09

score 0 · Answer 1 · edited Sep 28 '20 at 06:06

if($newpfp_type=='image/png')

Where your $newpfp_type is declared? It always be NULL. Thats why.

But your code is not good. Put all your php scripts on top of your file. Replace your 'error in line 24' with $mysqli->error to see what really happens... And read about sql incection.

Also in your sql i dont see "Where id = '.$id or something else...its mean that you will be update all your entrys in DB.. be careful

score 0 · Answer 2 · answered Sep 28 '20 at 06:10

You can check by the file extension or file content.

// check from the client file extension which may be not reliable.
$png_mimetype = 'image/png';
if($png_mimetype == $_FILES['screenshot']["type"]){
    // pass
}

// check by the file content
$png_mimetype = 'image/png';
$finfo = finfo_open(FILEINFO_MIME_TYPE); // return mime type ala mimetype extension
$mimetype = finfo_file($finfo, $_FILES['screenshot']["tmp_name"]);
finfo_close($finfo);
if($png_mimetype == $mimetype){
    // pass
}

score -1 · Answer 3 · answered Sep 28 '20 at 06:03

PUtting allowed files types is the good and recommend solution. You can follow below code for fix your issue.

     if(!empty($_FILES['screenshot']['tmpname'])){
        $newpfp = $_FILES['screenshot']['name']; //get file name
        
        $fileExplode = explode('.',$newfp); //explode filename for getting array
        $extension = end($fileExplode); //separating extension
        $allowedFiles = [ //allowed files
            'png','jpg','jpeg','PNG','JPEG','gif,'GIF'
        ];
        if(!in_array($extension, $allowedFiles)){ //check if the file exist in that array
            echo "<script type='text/JavaScript'>   
            prompt('That filetype is not allowed; Allowed file types: gifs, jpgs and png'); 
            </script>";
        }else{ //take another decision
            
            echo "<script type='text/JavaScript'>  
            console.log('$newpfp has been added to the thing'); 
            </script>";
            $dbc=mysqli_connect('localhost','root','','project')
            or die('Something bad happened on line 21');
            $query="INSERT INTO portal(profile_picture) VALUES('$newpfp');";
            $result=mysqli_query($dbc,$query)or die('Something happened on line 24');
            mysqli_close($dbc) or die('Something BAD happened on line 26');
    }
}

You should now modify your code accoroding to your requirements

How to only allow png file types in php

3 Answers3