In my upload script I have an if statement that only allows the following...

"image/jpeg"
"image/jpg"
"image/pjpeg"
"image/gif"
"image/png"

but for some reason users are able to upload "image/bmp"...

Am I doing something wrong? I specifically do not want .bmp's on my server, and for some reason they are getting by. I also checked the actual file, and it is a .bmp file not a .bmp.gif or any tricky extension that might confuse the browser.

Any suggestions?

    Without seeing the actual code it is impossible to know if you are doing something wrong.

      Here is the image upload script.

      <?php
      session_start();

      $user = $_SESSION['user'];

      // Only logged-in users may upload
      if ($_SESSION['logged_In'] !== true) {
          header('location:loginfailed.php');
      } else {
          if (isset($_POST['uploadForm'])) {
              $_SESSION['errors'] = 0;
              $image_Title = $_POST['title'];

              if ($_SESSION['errors'] == 0) {
                  $_SESSION['title'] = $image_Title;

                  // Reject images wider or taller than 3000 pixels
                  list($width, $length) = getimagesize($_FILES['upload']['tmp_name']);
                  if ($width > 3000 || $length > 3000) {
                      header('location:myalbum.php?error2=1');
                  } else {
                      // getimagesize() returns false if the file is not a recognised image
                      $getimagesize = getimagesize($_FILES['upload']['tmp_name']);
                      if ($getimagesize != true) {
                          header('location:myalbum.php?error2=1');
                      } else {
                          // Destination: photos/<username>_<original name>, spaces replaced by underscores
                          $target = 'photos/';
                          $target = $target . "/" . basename($_SESSION['username'] . '_' . $_FILES['upload']['name']);
                          $target = str_replace(" ", "_", $target);

                          // Type check against the MIME type reported in $_FILES
                          if (($_FILES['upload']['type'] == "image/jpeg")
                              || ($_FILES['upload']['type'] == "image/jpg")
                              || ($_FILES['upload']['type'] == "image/gif")
                              || ($_FILES['upload']['type'] == "image/png")
                              || ($_FILES['upload']['type'] == "image/pjpeg")
                          ) {
                              // Size limit in bytes
                              if ($_FILES['upload']['size'] < 5000000) {
                                  if (is_uploaded_file($_FILES['upload']['tmp_name'])) {
                                      if (move_uploaded_file($_FILES['upload']['tmp_name'], $target)) {
                                          // Remember the details of the stored file for the next page
                                          $name = $_SESSION['username'] . '_' . $_FILES['upload']['name'];
                                          $name = str_replace(" ", "_", $name);
                                          $_SESSION['name'] = $name;
                                          $imageSize = $_FILES['upload']['size'];
                                          $_SESSION['size'] = $imageSize;
                                          $type = $_FILES['upload']['type'];
                                          $_SESSION['type'] = $type;
                                          $_SESSION['view'] = 1;
                                          $_SESSION['tmp'] = $_FILES['upload']['tmp_name'];

                                          $_SESSION['albumUpload'] = $_POST['albumTitle'];
                                          header('location:successful.php');
                                      } else {
                                          header('location:myalbum.php?error2=1');
                                      }
                                  } else {
                                      header('location:myalbum.php?error2=1');
                                  }
                              } else {
                                  header('location:myalbum.php?error2=1');
                              }
                          } else {
                              header('location:myalbum.php?error2=1');
                          }
                      }
                  }
              }
          }
      }
      ?>
      

        In the manual it says:

        $_FILES['userfile']['type']

        The mime type of the file, if the browser provided this information. An example would be "image/gif".

        In other words it is not a good way to check what file type it is, the file type doesn't have to be sent from the browser. getimagesize might be a better choice for you.

          So,

          Since I already have the code checking with the getimagesize function,
          the best option you are saying is to do something like taking the mime index and then using that.

          $getimagesize = getimagesize($_FILES['upload']['tmp_name']);
          $imageType = $getimagesize['mime'];

          //Then use the if conditional to check $imageType against .gif .png and .jpeg.
          //$imageType returns a string, so I would just check it against "image/gif" and so forth

            No, I'm not saying that it is the best option. In fact, I have never handled files or images in PHP, so I don't know the best option. But I have seen posts about image types in this forum before, and they recommended to use getimagesize. I have no idea how you should use it or what is best for the rest of the code.
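One way to decide the type from the file's content instead of the browser-supplied `$_FILES['upload']['type']`, as discussed in this thread. This is an added example, not code from any poster; the function name `allowed_image_extension` and the two sample files are constructed for illustration.

```php
<?php
// Allowlist keyed by the IMAGETYPE_* constant that getimagesize() returns in index 2.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Returns the extension to store the file under, or null when the content
 * is not an allowed image. Nothing supplied by the client is consulted.
 */
function allowed_image_extension(string $path): ?string
{
    $info = @getimagesize($path);   // false when the content is not a recognised image
    if ($info === false) {
        return null;
    }
    [$width, $height, $type] = $info;
    if ($width < 1 || $height < 1 || $width > 3000 || $height > 3000) {
        return null;                // same 3000-pixel limit as the script in the thread
    }
    return ALLOWED_IMAGE_TYPES[$type] ?? null;  // BMP and every other type fall through
}

// Constructed sample files: a 1x1 GIF header and a 1x1 24-bit BMP.
$samples = [
    'photo.gif' => "GIF89a" . pack('v2', 1, 1) . "\x00\x00\x00",
    'photo.bmp' => "BM" . pack('VvvV', 58, 0, 0, 54)
                 . pack('VVVvv', 40, 1, 1, 1, 24) . str_repeat("\x00", 28),
];

foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $claimed = 'image/gif';         // stands in for a client-sent $_FILES[...]['type']
    $ext = allowed_image_extension($tmp);
    printf("%-10s claimed=%s -> %s\n", $name, $claimed, $ext ?? 'rejected');
    unlink($tmp);
}
```

In the upload script the function would be called with `$_FILES['upload']['tmp_name']`, and the returned extension, rather than the one in the client's file name, would be used when building `$target`.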
