[RESOLVED] $_FILES and uploading

rremm2000

Hello and thanks for reading my question.

I have an upload script and it uploads images/resizes and doesn't upload a php script with .php extention. However, if I rename my php script to .jpg and upload it the file is uploaded but thank goodness does not run when I view it in a browser.

My question is why does it even upload ?

I'm using strpos instead of strstr

Here is my call

$FileType = findFileType($_FILES["{$Input}"]['type'], $_FILES["{$Input}"]['name']);

Here is my check


FUNCTION findFileType( $type, $name )
{
    GLOBAL $video_ext;
    // strlen( strpos($mystring, $findme) ); #Alt use strstr( $type, "wav" ) but more memory

    IF ( ( strlen( strpos( $type, "wav" ) ) ) ) {
         RETURN "audio";
    }

    ELSEIF( strlen( strpos( $type, "jpeg" ) ) || strlen( strpos( $type, "jpg" ) ) || strlen( strpos( $type, "gif" ) ) || strlen( strpos( $type, "png" ) ) ){
         RETURN "photo";
    }

    ELSEIF( strlen( strpos( $type, "video" ) ) && strlen( strpos( strtolower( $name ), $video_ext ) ) ){
         RETURN "video";
    }ELSE{
         RETURN "unknown";
    }
}

When I run this it returns as $FileType = photo with a php file that is modified to have a jpg extention.

I want to prevent scripts from being uploaded.

NogDog

From the "Handling file uploads" page:

$_FILES['userfile']['type']

The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore [i]don't take its value for granted[/i].[/quote] (My emphasis)

NogDog

PS: You might want to look at using [man]getimagesize[/man] to get the image type.

rremm2000

If the user uploads the file via the browser and the browser I guess is only checking the file extention then how do we validate the actual mime type or to make sure it really is an image file before we move it from the php temp directory to a public html directory?

rremm2000

can I use getimagesize on the default temp php directory

rremm2000

got it....thanks.....I moved the call to the function findFileType( $type, $name )
further down in the script then used your get getimagesize to fetch the file mime type and applied it to the findFileType and now it comes back with unknown ;-)

Thanks a bunch

NogDog

rremm2000 wrote:
can I use getimagesize on the default temp php directory

I know of no reason why not. Have you tried it?