Multiple image upload validation not working

In this code to upload multiple images to a different folder each time, it creates a new folder and moves files to it, but the validation part is not working! If I remove the validation part, the files are uploaded correctly!!

I have marked with comments the area where I think the problem is coming from!

If someone can then please help!

Here’s the code:

[php]

<?php
error_reporting(0);
$contact_name = $_POST['contact_name'];
$id = rand(1, 9999999); //this will give us a random value to create a unique directory
if (!is_dir("uploads/".$id)) { //this checks to make sure the directory does not already exist
    mkdir("uploads/".$id.$contact_name, 0777, true); //if the directory doesn't exist then make it
    chmod("uploads/".$id, 0777); //chmod to 777 lets us write to the directory
}
$uploaddir = 'uploads/' . $id.$contact_name.'/'; //lets put the directory into a variable notice added slash on end
foreach ($_FILES["uploads"]["name"] as $bla => $boo) { //we have to do a loop to get all the filenames
    $file = $uploaddir.$boo; //we will check the filename in the upload directory, see if it exists
    if (file_exists($file)) { //if it exists then ......
        die("Filename already exists, please rename this file"); //if filename exists in the directory then we die!!! :P
    }
}
foreach ($_FILES["uploads"]["error"] as $key => $error) {
    if ($error == UPLOAD_ERR_OK) {
        echo "$error_codes[$error]"; // let you know if there was an error on any uploads
        move_uploaded_file( //php function to move the file
            $_FILES["uploads"]["tmp_name"][$key], //from the temporary directory
            $uploaddir. $_FILES["uploads"]["name"][$key] //to the directory you chose
        ) or die("Problems with upload");
    }
}
foreach ($_FILES["uploads"]["name"] as $bla => $boo) {
    $file = $uploaddir.$boo;
    echo "Click here to see".$file."\n";
}
/* THE PROBLEM IS IN HERE SOMEWHERE BECAUSE WHEN I REMOVE THIS PART, THE SCRIPT RUNS SUCCESSFULLY */
$allowedExtensions = array("jpg","jpeg","gif","png");
foreach ($_FILES as $file) {
    if ($file['tmp_name'] > '') {
        if (!in_array(end(explode(".", strtolower($file['name']))), $allowedExtensions)) {
            die($file['name'].' is an invalid file type!<br/>'.
                '<a href="javascript:history.go(-1);">'. '&lt;&lt Go Back</a>');
        }
    }
}
?>

[/php]

Well, first, why do you check for valid extensions after you upload them? This should be done on the form page before it gets submitted… When you do the browse, only allow for browsing to the ones you allow. Or, when posted, you should check for them first.

So, anyway, the code you posted for checking extensions:
[php]

  if (!in_array(end(explode(".", strtolower($file['name']))), $allowedExtensions)) {
   die($file['name'].' is an invalid file type!<br/>'.
    '<a href="javascript:history.go(-1);">'. '&lt;&lt Go Back</a>');
  }

[/php]
Is a bit odd. First, PHP’s “in_array” doesn’t care about caps, so the strtolower is useless.
Also, you use three functions to get to the extension. End, Explode, strtolower… I would just
use something like: substr($file['name'], 0, -4); (This assumes last 3 chars are extension!)

But, anyway, the code is sound and should work. I just do not understand why you are running this after the files are uploaded…
Another way to test this is to display notes in your code to see where it is dying.
Use something like … die ("got here…"); in your code and find out where it no longer displays it…
Put it in one place, if it displays it, move it further down the code, etc… Eventually you will find where it dies.

Let us know what happens…

Holy hot damn, that’s a lot of code just to check the extension. You don’t even have to do that. $_FILES contains all the file info you’ll need to validate it. And checking it the way you’re doing it leaves a lot of security holes open because I can rename a file to any file type and it’ll pass your validation. If you check the mime type, a php file (for example) won’t pass it.

This is a script I used to use on a profile page to validate user profile images.
[php]
// define() was located at the top of the page
define('USER_DIR', $_SESSION['name']);

if(!is_dir('images/'.USER_DIR.'/')) {
mkdir('images/'.USER_DIR.'/');
define ('UPLOAD_DIR', 'images/'.USER_DIR);
} else {
define ('UPLOAD_DIR', 'images/'.USER_DIR);
}

if(isset($_FILES['pic'])) {
// replace spaces in the client-supplied file name with underscores
$filename = str_replace(' ', '_', $_FILES['pic']['name']);
$photo = $filename;

$size = $_FILES['pic']['size'];
$file = str_replace(' ', '_', $_FILES['pic']['name']);
$permitted = array('image/jpeg', 'image/pjpeg');
$sizeOK = false;
$typeOK = false;
	
$max = number_format(MAX_FILE_SIZE / 1024, 1).' KB';
	
if($_FILES['pic']['size'] > 0 && $_FILES['pic']['size'] <= MAX_FILE_SIZE) {
	$sizeOK = true;
}
	
foreach ($permitted as $img_type) {
	if ($img_type == $_FILES['pic']['type']) {
		$typeOK = true;
		break;
	}
}

if ($sizeOK && $typeOK) {
	switch($_FILES['pic']['error']) {
		case 0:
			if (!file_exists(UPLOAD_DIR.'/'.$file)) {
				move_uploaded_file($_FILES['pic']['tmp_name'], UPLOAD_DIR.'/'.$filename);
			}
		break;
		case 3:
			$result = "Error uploading $file. Please try again.";
			break;
		default:
			$result = "System error uploading $file. Contact the webmaster.";
	}
} elseif($_FILES['pic']['error'] == 4) {
	$z = mysql_query("SELECT photo FROM profile WHERE profile_id = $id");
	$fk = mysql_fetch_array($z);
	$photo = $fk['photo'];
} else {
	$result = "$file cannot be uploaded. Maximum size: $max. Acceptable file types: .jpg";
}

}[/php]
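The checks discussed in this thread, run per file and before anything is moved, as an added example that is not code from any of the posters. It detects the type from the file's content with `finfo` rather than from the client-supplied name or `$_FILES[...]['type']`, and it generates the stored file name on the server. `validate_uploads()`, the 2 MiB limit and the two sample files are assumptions made for the example, and the `fileinfo` extension is assumed to be enabled.

```php
<?php
// Added example (not code from this thread); validate_uploads() is a hypothetical helper.
// $field has the shape of $_FILES['uploads'] for <input type="file" name="uploads[]" multiple>:
// 'name', 'tmp_name', 'error' and 'size' are parallel arrays with one entry per file.
function validate_uploads(array $field, array $allowed, int $maxBytes): array
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $accepted = [];
    $errors = [];
    foreach ($field['error'] as $i => $err) {
        // Client-supplied name: used in messages only (escape it before HTML output).
        $label = basename((string) $field['name'][$i]);
        if ($err !== UPLOAD_ERR_OK) {
            $errors[] = "$label: upload error code $err";
            continue;
        }
        $tmp = $field['tmp_name'][$i];
        $size = filesize($tmp); // measured on the server, not taken from the request
        if ($size === false || $size === 0 || $size > $maxBytes) {
            $errors[] = "$label: empty or larger than $maxBytes bytes";
            continue;
        }
        $mime = $finfo->file($tmp); // detected from content, not $_FILES[...]['type']
        if ($mime === false || !isset($allowed[$mime])) {
            $errors[] = "$label: content type $mime is not allowed";
            continue;
        }
        // Server-generated name; the extension follows the detected type.
        $accepted[] = ['tmp' => $tmp, 'dest' => bin2hex(random_bytes(16)) . '.' . $allowed[$mime]];
    }
    return [$accepted, $errors];
}

$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Constructed sample input: a minimal PNG header and a PHP script renamed to .jpg.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . pack('NNC5N', 1, 1, 8, 2, 0, 0, 0, 0));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hi';");
$field = [
    'name'     => ['photo.png', 'renamed.jpg'],
    'tmp_name' => [$png, $php],
    'error'    => [UPLOAD_ERR_OK, UPLOAD_ERR_OK],
    'size'     => [filesize($png), filesize($php)],
];
[$accepted, $errors] = validate_uploads($field, $allowed, 2 * 1024 * 1024);
print_r(['accepted' => array_column($accepted, 'dest'), 'errors' => $errors]);
unlink($png);
unlink($php);
```

In the request handler, move files only when `$errors` is empty: create the target directory without user input in its path, then call `move_uploaded_file()` with each entry's `tmp` and `dest`. `move_uploaded_file()` itself refuses files that did not arrive through an HTTP POST upload.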
