Best way to tell if uploaded files are images

**Mygly** · Jul 24, 2007 11:29

I am about to write a few scripts to create a gallery of photos uploaded by visitors. I would like to be able to check whether the files are certain types of not (jpeg, png, bmp, probably gif but I heard there's a vulnerability, any others I should allow?). I should probably check for a maximum size and some other things. There will also be an admin section to approve and disapprove the photos. I would like to know the best way to go about checking if the files are certain types. I plan on putting them in one folder upon upload and then when approved moving them to another where they will be used. Mostly I'm doing this because the gallery scripts I have found are not satisfactory for me. Any help on how to determine the files types best as well as just any input regarding the way i'm going about this and if there's a better way. Thanks.

**logic_earth** · Jul 24, 2007 11:42

http://www.php.net/manual/en/functio...-imagetype.php

**Ernie1** · Jul 24, 2007 11:46

getimagesize — Get the size of an image
function will read the header of the file to find out if it's an image or not
getimagesize

**Ernie1** · Jul 24, 2007 11:48

Originally Posted by logic_earth

http://www.php.net/manual/en/functio...-imagetype.php

When a correct signature is found, the appropriate constant value will be returned otherwise the return value is FALSE. The return value is the same value that getimagesize() returns in index 2 but exif_imagetype() is much faster.

I didn't know that

Thanks

**logic_earth** · Jul 24, 2007 12:05

The only disadvantaged to exif_imagetype() is you need a fairly new install of PHP version 4.3.0 or higher. (Recommends latest PHP5!)

**Salchester** · Jul 24, 2007 13:25

Originally Posted by Ernie1

getimagesize — Get the size of an image
function will read the header of the file to find out if it's an image or not
getimagesize

Ernie1,

How do I use getimagesize() on the following code, then echo the width and the height of the image on the screen.

Display Images:

Code:

<link rel="stylesheet" type="text/css" href="Index.css" />
 
<?php
$con = mysql_connect("localhost","peter","abc123");
if (!$con)
{
  die('Could not connect: ' . mysql_error());
}
 
mysql_select_db("TS", $con);
 
$result = mysql_query("SELECT * FROM Images");
 
while($row = mysql_fetch_array($result))
{
  echo '<img class="Thumbnails" src="' . $row['Path'] . '" />';
  echo $row['Caption'];
}
 
mysql_close($con);
?>

Upload Images:

Code:

<?php
$con = mysql_connect("localhost","peter","abc123");
if (!$con)
{
  die('Could not connect: ' . mysql_error());
}

mysql_select_db("TS", $con);

      $sql="INSERT INTO Images (caption)
      VALUES
      ('$_POST[caption]')";  

if (($_FILES["file"]["type"] == "image/bmp")
|| ($_FILES["file"]["type"] == "image/jpeg")
&& ($_FILES["file"]["size"] < 90000))
{
  if ($_FILES["file"]["error"] > 0)
  {
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
  }
  else
  {
    echo "Upload: " . $_FILES["file"]["name"] . "<br />";
    echo "Type: " . $_FILES["file"]["type"] . "<br />";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
    echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

    if (file_exists("upload/" . $_FILES["file"]["name"]))
    {
      echo $_FILES["file"]["name"] . " already exists. ";
    }
    else
    {
      $file = ("upload/" . $_FILES["file"]["name"]);
      move_uploaded_file($_FILES["file"]["tmp_name"],
      "upload/" . $_FILES["file"]["name"]);
      echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
      
      mysql_query("INSERT INTO Images (caption, path)
      VALUES('$_POST[caption]','$file')");


    }
  }
}
else
{
  echo "Invalid file";
}
?>

**Ernie1** · Jul 24, 2007 13:52

Here you go

PHP Code:


$con = mysql_connect("localhost","peter","abc123");

if (!$con)

{

  die('Could not connect: ' . mysql_error());

}



mysql_select_db("TS", $con);



$imgCheck = $_FILES["file"]["tmp_name"];

if(!getimagesize($imgCheck)){

die("not image");

}

$size = getimagesize($imgCheck); 

$width = $size[0];

$height = $size[1];

echo "image width is: " . $width . "<br/>\n";

echo "image height is: " . $height . "<br/>\n";



if (($_FILES["file"]["type"] == "image/bmp")

|| ($_FILES["file"]["type"] == "image/jpeg")

&& ($_FILES["file"]["size"] < 90000))

{

  if ($_FILES["file"]["error"] > 0)

  {

    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";

  }

  else

  {

    echo "Upload: " . $_FILES["file"]["name"] . "<br />";

    echo "Type: " . $_FILES["file"]["type"] . "<br />";

    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";

    echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";



    if (file_exists("upload/" . $_FILES["file"]["name"]))

    {

      echo $_FILES["file"]["name"] . " already exists. ";

    }

    else

    {

      $file = ("upload/" . $_FILES["file"]["name"]);

      move_uploaded_file($_FILES["file"]["tmp_name"],

      "upload/" . $_FILES["file"]["name"]);

      echo "Stored in: " . "upload/" . $_FILES["file"]["name"];

      

      mysql_query("INSERT INTO Images (caption, path)

      VALUES('$_POST[caption]','$file')");





    }

  }

}

else

{

  echo "Invalid file";

}

**Salchester** · Jul 24, 2007 14:05

Ernie1,

Using getimagesize() how do I change the size of the image(s) to a set size, whilst keeping the aspect ratio in tact?

What do you use the array for?

Code:

<?php
$con = mysql_connect("localhost","peter","abc123"); 
if (!$con) 
{ 
  die('Could not connect: ' . mysql_error()); 
} 

mysql_select_db("TS", $con); 

$imgCheck = $_FILES["file"]["tmp_name"]; 
if(!getimagesize($imgCheck)){ 
die("not image"); 
} 
$size = getimagesize($imgCheck); 
$width = $size[0]; 
$height = $size[1]; 
echo "image width is: " . $width . "<br/>\n"; 
echo "image height is: " . $height . "<br/>\n"; 

if (($_FILES["file"]["type"] == "image/bmp") 
|| ($_FILES["file"]["type"] == "image/jpeg") 
&& ($_FILES["file"]["size"] < 90000)) 
{ 
  if ($_FILES["file"]["error"] > 0) 
  { 
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />"; 
  } 
  else 
  { 
    echo "Upload: " . $_FILES["file"]["name"] . "<br />"; 
    echo "Type: " . $_FILES["file"]["type"] . "<br />"; 
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />"; 
    echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />"; 

    if (file_exists("upload/" . $_FILES["file"]["name"])) 
    { 
      echo $_FILES["file"]["name"] . " already exists. "; 
    } 
    else 
    { 
      $file = ("upload/" . $_FILES["file"]["name"]); 
      move_uploaded_file($_FILES["file"]["tmp_name"], 
      "upload/" . $_FILES["file"]["name"]); 
      echo "Stored in: " . "upload/" . $_FILES["file"]["name"]; 
       
      mysql_query("INSERT INTO Images (caption, path) 
      VALUES('$_POST[caption]','$file')"); 


    } 
  } 
} 
else 
{ 
  echo "Invalid file"; 
} 
?>

**spikeZ** · Jul 24, 2007 14:16

Salchester, on the http://www.php.net/getimagesize page there are some user contributed notes - some of which deal with image resizing whilst maintaining the aspect ratio.

http://www.php.net/manual/en/functio...size.php#52099

**Salchester** · Jul 24, 2007 14:51

How do I add my database details to the code found at?: http://www.php.net/manual/en/functio...size.php#52099

Code:

<link rel="stylesheet" type="text/css" href="Index.css" />
<script src="Thumbnails.js"></script>
 
<?php
$con = mysql_connect("localhost","peter","abc123");
if (!$con)
{
  die('Could not connect: ' . mysql_error());
}
 
mysql_select_db("TS", $con);
 
$result = mysql_query("SELECT * FROM Images");
 
while($row = mysql_fetch_array($result))
{
  echo '<img class="Thumbnails" src="' . $row['Path'] . '" />';
  echo $row['Caption'];
}
 
mysql_close($con);
?>

**wheeler** · Jul 24, 2007 19:18

do you have a concept of how to construct a php document?

your database details generally are included as a separate include file,

PHP Code:


require 'path/to/connection/file.php';

so thats the connection out of the way.

Your loop that is designed to show the thumbnails - I don't see the relevance of this to formatting an image? You want to break your code into logical files and functions.

For simplicity, one page should handle your image uploading, another page is better suited to browsing through the current data.

**Mygly** · Jul 26, 2007 08:04

If using exif_imagetype() or getimagesize(), wouldn't that mean the file would have to be uploaded in order for the function to check the headers for the file type? Wouldn't it be safer just to check for a corresponding file extension(s) using regular expressions? Just a thought, I'm unsure, can anyone clarify this? Thanks.

**Ernie1** · Jul 26, 2007 08:34

no, the file extension can be changed.

**logic_earth** · Jul 26, 2007 08:54

File extension is user supplied it cannot be trusted. Anything user supplied cannot be trusted.

**Mygly** · Jul 26, 2007 09:05

touché, a very good point I seem to have overlooked. Should the file field be checked by regular expressions in any way?

**spikeZ** · Jul 26, 2007 15:09

No, using getimagesize is a good way of checking if it is an image or not. A regex will only verify that it has an image type extention.

User Tag List

Thread: Best way to tell if uploaded files are images

Thread Tools

Display