PHP Upload Script

[CrAz3D]

Please bare with me, my php knowledge is quite limited.  I am trying to restrict the upload type to only gif, jpeg, & png images.  This is what I have for that.

Code Select Expand

The maximum size for a file is 20000 bytes.
<form enctype="multipart/form-data" action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="20000">
File: <input name="userfile" type="file" /><br />
<input type="submit" value="Upload" />
</form>

<a href="http://crazedmind.net/">CrAz3D MiND</a>
</center>
<?php

if (@is_uploaded_file($_FILES["userfile"]["type"] !="image/gif" AND $_FILES["userfile"]["type"] !="image/pjpeg")){
      echo "<p>Invalid file type</p>";
      unlink($_FILES["userfile"]["tmp_name"]);
      
      }
      else
      {
      
if (@is_uploaded_file($_FILES["userfile"]["tmp_name"])) {
        copy($_FILES["userfile"]["tmp_name"], "files/" . $_FILES["userfile"]["name"]);

        echo "<p>File uploaded successfully.</p>";
      echo "<br>File is located at: http://sigs.crazedmind.net/files/*FILENAME*";
   }   
?>


This is what I have before I try to restrict the files:

Code Select Expand

The maximum size for a file is 20000 bytes.
<form enctype="multipart/form-data" action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="post">
<input type="hidden" name="MAX_FILE_SIZE" value="20000">
File: <input name="userfile" type="file" /><br />
<input type="submit" value="Upload" />
</form>

<a href="http://crazedmind.net/">CrAz3D MiND</a>
</center>
<?php

      
if (@is_uploaded_file($_FILES["userfile"]["tmp_name"])) {
        copy($_FILES["userfile"]["tmp_name"], "files/" . $_FILES["userfile"]["name"]);

        echo "<p>File uploaded successfully.</p>";
      echo "<br>File is located at: http://sigs.crazedmind.net/files/*FILENAME*";
      
?>



The second code works fine but doesn't restrict file type, second one gives me an error on 'line 77' which is the "?>" which closes the php.

If anyone can steer me in the correct direction here I'd appreciate it.

[Skywing]

Note that unless you inspect the file contents yourself, there is nothing stopping somebody from claiming a file is a jpeg but really uploading anything.

[CrAz3D]

I know, I just don't want them to be able to upload php scripts or w/e.

[Kp]

It's usually a very bad idea to put limits like file size clientside (only).  If your script just queries the submitted MAX_FILE_SIZE field and compares that to the file size actually sent, I could easily allow uploading a multi-megabyte file just by saving your form to disk, editing the MAX_FILE_SIZE field, and using my modified form to post back.  Your script would see that I was under the limit I claimed (which was artificially high), and allow it.  I don't see anything in the posted code which actually checks file size at all presently, but this is just a reminder for when you add that check.

Also, if you're trying to keep them from uploading runnable content, you may want to restrict the file extension.  Again, it's fairly arbitrary (they could rename a .php to a .jpg), but if it doesn't have the php extension, it (probably) won't be treated as php by your server.

[Edit: I just found what's wrong with your code.  You should see it pretty readily once you fix your bracing style.  (Hint: line up open and close braces)]

[CrAz3D]

Ok, thnx.

[CrAzY]

Scripts okay, I didn't read over the whole thing so I didn't see any flawls.  I suggest you make it "Prettier" and add more varibles so you script isn't so bunched up.  Just an idea :-)

[CrAzY]

Code Select Expand


<?
$blah = explode($filenamewithfiletypeinit, '.');

if ($blah['1']=="jpg")
{
//Do Script for The Files that You want to accept
}else if($blah['1']=="gif"{
// ''
}else if($blah['1']=="png"{
// '' again
}else{
echo("Invalid File Type!");
}
?>


Just wrote that off the top of my head.  some one correct it if it does't work.  Thank you

[venox]

I would suggest using PHP's EXIF extension.  You can view some stuff about it at http://us2.php.net/exif  hope this helps