I'm trying to use uploadify and validate the files before they're uploaded. However, this works fine when I'm not using uploadify. But if I do, the file won't upload by itself (auto is set to true).

This is my uploadify.php file for validation

http://pastebin.com/rRHsyX09

If I remove,

if(in_array($type,$array)) and $type = $_FILES['Filedata']['type']

Everything works as it should, but what's wrong with my validation?

Dexty

1 Answer

First off, please read POST method uploads.

Please note that using the type value that comes from $_FILES is not safe since it is not checked. I suggest having a look at How do I resize and convert an uploaded image to a PNG using GD since it shows how to validate images.

maaudet
  • Ok, so if I have an array with allowed types, it's not secure? – Dexty Jun 21 '11 at 17:16
  • @Ronnie Minie Aarebrot not in the context of image checking. I suggest reading in the images' guts and finding out if they really are images or not. (Ex: I would upload a .php file but make my custom browser report the file as image/png and your script would accept it and I could upload a PHP shell and gain access to your account). EDIT: You'd use your array checking with the real image information, not the ones from $_FILES. – maaudet Jun 21 '11 at 17:20
  • On another note, I also suggest adding a check for whether the file already exists. If it does, just reroll the dice. It's mostly to make sure that the file names won't collide even if the chances are really low. – maaudet Jun 21 '11 at 17:20
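
The content-based check described in the answer and comments, as an added example that is not part of the original answer or comments. The `Filedata` field name comes from the question; the allow-list, the `uploads/` directory and the function names are assumptions made for illustration.

```php
<?php
// Added example. ALLOWED, validated_image_extension(), store_upload() and
// the uploads/ directory are hypothetical names chosen for this sketch.
const ALLOWED = [            // sniffed MIME type => extension the server assigns
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

function validated_image_extension(string $path): ?string
{
    // Derive the type from the file's bytes, never from $_FILES[...]['type'],
    // which is whatever the client chose to send.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        return null;
    }
    // The file must also parse as an image, and both checks must agree.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return ALLOWED[$mime];
}

function store_upload(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = validated_image_extension($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Server-generated name with a server-chosen extension: the client's
    // file name is never used, so a ".php" name cannot reach the disk.
    do {
        $name = bin2hex(random_bytes(16)) . '.' . $ext;
        $dest = rtrim($destDir, '/') . '/' . $name;
    } while (file_exists($dest));   // regenerate on a name collision
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

if (isset($_FILES['Filedata'])) {
    $saved = store_upload($_FILES['Filedata'], __DIR__ . '/uploads');
    if ($saved === null) { http_response_code(400); }
    echo $saved ?? 'rejected';
}
```

A file can be a valid image and still carry PHP text in its metadata, so the server-assigned extension, ideally combined with an upload directory where script execution is disabled, is what keeps such a file from running.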