Hi there!
The below code is working fine, but I hoped you could supply me with some enhancements to secure it a little further. Currently, the only check for a gif or jpg file is the file extension, but I wondered if there was a better way of checking this, i.e. the header it sends?
Any other things you notice that could be done better would be appreciated!
if ($_FILES["attached"]["name"]!="") // user is uploading the picture
{
if ($_FILES['attached']['size'] < 50000) // if the size of the image is less than 50kb
{
$updir="/home/roster/staffpics/";
// checking the format
$picformat = strtolower( substr($_FILES['attached']['name'], -3));
if($picformat=='gif' || $picformat=='jpg')
{
$new_name="p_". date("His") ."_". date("dmy").".".$picformat; // renaming the picture into unique name
move_uploaded_file($_FILES["attached"]["tmp_name"],$updir.$new_name) // upload the picture
or die($_FILES["attachment"]["name"].": Oops! There was an error transferring the picture ");
$size = getimagesize($updir.$new_name);
if ($size[0]>300 || $size[1]>300)
{
echo "<p><img src=\"/img/li.gif\" alt=\"\" /> The dimensions of the image are too large (maximum is 300x300)</p>\n";
@unlink($updir.$new_name); // delete the image from the server
}
else
{
$sql="Update user "
." set uploadpicture='".$new_name."' where id_user=".$_POST['idn'];
$result=mysql_query($sql);
}
}
else
{ echo "<p><img src=\"/img/li.gif\" alt=\"\" /> Only .gif and .jpg images are allowed</p>\n"; }
}
else
echo "<p><img src=\"/img/li.gif\" alt=\"\" /> The picture cannot exceed 50kb in size</p>\n";
}
