Hello. I've done some searches on this, but haven't seen anything that leads me in the right direction. Basically, I have a form on my page where I want the users to be able to upload an image file (.jpg or .gif only). I have them upload it, then I verify that the file uploaded is what I think it is, and if it's a correct image (according to my specifications), I display the image. However, I have yet to be able to get an image to display properly, and have no idea what's wrong. Anyway, here's my form code:

<form enctype="multipart/form-data" name="addlistingform" method="post" action="addlistingprocess.php?action=do">
<input type="hidden" name="MAX_FILE_SIZE" value="102400" />
<input name="picture" type="file" size="30" />
<input value="Submit Listing" name="submit" type="submit" />
</form>

And here's the code for the PHP file that processes the form:

$picture = '';

//first we verify that something was uploaded
if (($_FILES['picture']['size'] != 0) && (file_exists($_FILES['picture']['tmp_name'])))
{
	//checks and sees if there were any errors during the upload process else
	//sets the $picture variable to equal the uploaded file
	if ($_FILES['picture']['error'] > 0)
	{
		switch ($_FILES['picture']['error'])
		{
			//file size is greater than that allowed by PHP as set in php.ini
			case 1: errorcheck(1, '<B>File size exceeded maximum allowable file size of 100k.</B><P>'); break;
			//file size is greater than that allowed by MAX_FILE_SIZE as set in form
			case 2: errorcheck(1, '<B>File size exceeded maximum allowable file size of 100k.</B><P>'); break;
			case 3: errorcheck(1, '<B>File only partially uploaded.</B><P>'); break;
			case 4: errorcheck(1, '<B>No file uploaded.</B><P>'); break;
			default: errorcheck(1, '<B>An unknown file upload error occurred.</B><P>'); break;
		}
		exit;
	}
	else
		$picture = $_FILES['picture']['tmp_name'];

	//need to check and make sure file MIME type is acceptable
	if (($_FILES['picture']['type'] != 'image/jpeg') && ($_FILES['picture']['type'] != 'image/jpg') && ($_FILES['picture']['type'] != 'image/gif') && ($_FILES['picture']['type'] != 'image/pjpeg'))
	{
		errorcheck(1, '<B>1File is not of correct type. <BR />Valid file types are ".JPG", ".JPEG", or ".GIF".</B><P>');
	}

	//this is a simple quick test. if accessing the filename picture is impossible,
	//or if it isn't a valid picture, getimagesize() will return FALSE.
	if (!getimagesize($picture))
	{
		errorcheck(1, '<B>2File is not of correct type. <BR />Valid file types are ".JPG", ".JPEG", or ".GIF".</B><P>');
	}

	//checks if $picture is an uploaded file
	if (is_uploaded_file($picture))
	{
		//checks if file size is less than 100k
		if (filesize($picture) <= 102400)
		{
			//double-checking filetype as the 'type' field check from above
			//isn't always reliable or secure
			$name = $_FILES['picture']['name'];
			$temparray = explode(".", $name);
			$ext = array_pop($temparray);
			if (($ext == "jpg") || ($ext == "jpeg") || ($ext == "JPG") || ($ext == "JPEG") || ($ext == "gif") || ($ext == "GIF"))
			{
				//file passes all checks and tests and is an image
				//file of appropriate type
				$picture = mysql_real_escape_string(file_get_contents($picture));
			}
			else
			{
				errorcheck(1, '<B>3File is not of correct type. <BR />Valid file types are ".JPG", ".JPEG", or ".GIF".</B><P>');
			}
		}
		//if it's not less than 100k
		else
		{
			errorcheck(1, "<B>File size has exceeded maximum allowable file size of 100k.</B><P>");
		}
	}
	//if file is not uploaded or there is problem with the tmp directory
	else
	{
		errorcheck(2, 'File not uploaded or there is a problem with the "upload_tmp_dir" directory');
	}

	//if file is uploaded successfully
	$uploadsuccess = 1;
}
//no file was selected for upload from our form
//else{ }

//this is just some error checking. if file was uploaded successfully,
//then display the image
if ($uploadsuccess === 1)
{
	//reformats the file contents for display
	$fp = fopen($picture, 'r');
	$contents = fread($fp, filesize($picture));
	fclose($fp);
	$contents = strip_tags($contents);
	$fp = fopen($picture, 'w');
	fwrite($fp, $contents);
	fclose($fp);
	echo '<B>Picture:</B><P>'.$contents;
}

Anyway, basically, this doesn't seem to be working right. Some parts work: if I try to upload a .txt, a .doc or a .bat, it correctly tells me that the file is an incorrect type (I think it catches this in the part where I check the MIME type). However, most other file types or sizes (regardless of my error checking) seem to get through with no errors, but either $uploadsuccess stays equal to 0, or, if it does get properly set to 1, I end up with fatal PHP errors when performing the fopen().

I was thinking that the problem might be with upload_tmp_dir. When I check phpinfo(), it comes back that upload_tmp_dir has "no value", but my web hosting company's tech support said the following:
"On the server level, it has been set to below:
Temporary directory for HTTP uploaded files (will use system default if not specified).
upload_tmp_dir =

So it means it will use system default.
And I believe the default temp directory is at /var/tmp or /tmp. It is fully accessible from script."

Anyway, I'm at a complete loss as to why the image isn't getting screened and displayed properly. Any thoughts? Thanks in advance!
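An added example (not the poster's code) of the validate-then-display flow the post is attempting. It decides on PHP's own upload error code, is_uploaded_file(), a server-side size check and the image type that getimagesize() detects from the bytes, stores the file under a name the script generates, and shows it with an img tag; echoing the raw bytes after strip_tags() cannot render an image, and in the post $picture holds the file contents rather than a path by the time fopen() runs. It assumes a form field named picture and a web-reachable uploads/ directory beside the script.

```php
<?php
// Added example, not the original poster's code. Assumes a field named "picture"
// and an "uploads/" directory next to this script that the web server can serve.
const MAX_BYTES = 102400;
const ALLOWED_TYPES = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];

function storeUploadedImage(array $file, string $uploadDir): string
{
    // Only trust the upload if PHP reports no error for it.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? UPLOAD_ERR_NO_FILE));
    }
    // is_uploaded_file() rejects a tmp_name that does not come from this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Enforce the size limit server-side; MAX_FILE_SIZE in the form is advisory only.
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File larger than 100k');
    }
    // Inspect the file contents, not the client-supplied 'type' field or the extension.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('Only JPEG and GIF images are accepted');
    }
    // Name the stored file ourselves; the extension follows the detected type,
    // so the user's original filename never reaches the filesystem.
    $name = bin2hex(random_bytes(8)) . '.' . ALLOWED_TYPES[$info[2]];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return $name;
}

try {
    $stored = storeUploadedImage($_FILES['picture'] ?? [], __DIR__ . '/uploads');
    // Reference the stored file from an <img> tag instead of echoing its bytes.
    echo '<b>Picture:</b><p><img src="uploads/' . htmlspecialchars($stored, ENT_QUOTES) . '" alt="" /></p>';
} catch (RuntimeException $e) {
    echo '<b>' . htmlspecialchars($e->getMessage(), ENT_QUOTES) . '</b>';
}
```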

    Maybe this will help . . .

    //instead of checking mime type just check for the correct extension.
    //this needs to go at the top of the script
    $extlimit = "1"; //set to 0 to allow any file type
    $limitedext = array(".jpg", ".gif");//change array to whatever ext you need
    
    //check file extension, this needs to go right after you set $_FILES
    $file_name = $_FILES['picture']['name']; //original name of the file from the form
    $ext = strrchr($file_name,'.');
    if (($extlimit == "1") && (!in_array(strtolower($ext),$limitedext))) {
        echo("Error: Wrong file extension. ");
        exit();
    }

      Thanks. Yeah, I'm working on security right now too, so I thought that I would throw in the MIME-type check for redundancy purposes. I was reading through some security articles, and they suggested redundancy over being sorry later. Think it might be overkill? See anything else that's causing uploads not to work properly?

      I tried some more testing and have a question. If a file exceeds the maximum file size (as set by MAX_FILE_SIZE), will this line ever pass with TRUE:

      if (($_FILES['picture']['size'] != 0) && (file_exists($_FILES['picture']['tmp_name'])))

      If so, then how can I tell the difference between a file being rejected at this level or no file being selected to be uploaded? Like I'm guessing if a user doesn't enter anything, there should be a way to read the field to see if there's a pathname/filename entered, and if so, then it means that the file failed the tests. But if the field is blank, it would be safe to assume that nothing is being uploaded, right?

      Thanks.

        OK. I think I figured out the problem. In the PHP manual at:

        http://us2.php.net/manual/en/features.file-upload.php

        It says the following:
        "If no file is selected for upload in your form, PHP will return $_FILES['userfile']['size'] as 0, and $_FILES['userfile']['tmp_name'] as none."

        However, it doesn't say anywhere that if MAX_FILE_SIZE is exceeded, that this isn't true either, right? Because my if() statement looks like:

        if (($_FILES['picture']['size'] != 0) && ($_FILES['picture']['tmp_name'] != ''))

        And the only time this doesn't pass is if the file size exceeds MAX_FILE_SIZE. So to check in the else() statement the difference between a file not passing and no file being uploaded, I used the following code:

        else
        {
        	if (isset($_FILES['picture']['name']))
        	{
        		if ($_FILES['picture']['name'] != '')
        		{
        			errorcheck(1, '<B>File not uploaded.  Please choose a file that matches our criteria:<br />.JPG, .JPEG, or .GIF only, 100k or smaller in size</B><P>');
        		}
        	}
        }
        

        Does this seem right to anyone?
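An added example (not the poster's code) that answers the same question from the error code PHP already records in $_FILES['picture']['error']: UPLOAD_ERR_NO_FILE means the field was left blank, while UPLOAD_ERR_FORM_SIZE means a file was chosen but rejected for exceeding MAX_FILE_SIZE, so there is no need to infer the difference from 'size', 'tmp_name' or 'name'. It assumes the form field is named picture.

```php
<?php
// Added example, not the original poster's code. Assumes a field named "picture".
// Classifies the upload by PHP's own error code so that "nothing selected"
// is told apart from "selected but rejected".
function classifyUpload(array $file): array
{
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    switch ($code) {
        case UPLOAD_ERR_OK:
            return ['ok' => true, 'selected' => true, 'message' => ''];
        case UPLOAD_ERR_NO_FILE:
            // Field left blank: not an error if the picture is optional.
            return ['ok' => false, 'selected' => false, 'message' => ''];
        case UPLOAD_ERR_FORM_SIZE:   // larger than MAX_FILE_SIZE from the form
        case UPLOAD_ERR_INI_SIZE:    // larger than upload_max_filesize in php.ini
            return ['ok' => false, 'selected' => true,
                    'message' => 'File exceeds the 100k limit'];
        case UPLOAD_ERR_PARTIAL:
            return ['ok' => false, 'selected' => true,
                    'message' => 'File only partially uploaded'];
        case UPLOAD_ERR_NO_TMP_DIR:
        case UPLOAD_ERR_CANT_WRITE:
            // Server configuration problems (e.g. upload_tmp_dir), not the user's fault;
            // worth logging server-side rather than only showing to the user.
            return ['ok' => false, 'selected' => true,
                    'message' => 'Server could not store the upload'];
        default:
            return ['ok' => false, 'selected' => true,
                    'message' => 'Unknown upload error ' . $code];
    }
}

$result = classifyUpload($_FILES['picture'] ?? []);
if ($result['ok']) {
    // continue with content checks (is_uploaded_file, size, getimagesize) here
} elseif ($result['selected']) {
    echo '<b>' . htmlspecialchars($result['message'], ENT_QUOTES) . '</b>';
}
// if neither branch ran, the user simply did not pick a file
```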
