  1. #1
    SitePoint Zealot
    Join Date
    Dec 2005
    Location
    New York, NY, U.S.
    Posts
    128
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Best way to tell if uploaded files are images

    I am about to write a few scripts to create a gallery of photos uploaded by visitors. I would like to be able to check whether the files are certain types or not (jpeg, png, bmp, probably gif but I heard there's a vulnerability, any others I should allow?). I should probably check for a maximum size and some other things. There will also be an admin section to approve and disapprove the photos. I would like to know the best way to go about checking if the files are certain types. I plan on putting them in one folder upon upload and then when approved moving them to another where they will be used. Mostly I'm doing this because the gallery scripts I have found are not satisfactory for me. Any help on how to determine the file types best as well as just any input regarding the way I'm going about this and if there's a better way. Thanks.

  2. #2
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    getimagesize — Get the size of an image
    function will read the header of the file to find out if it's an image or not
    getimagesize
    my mobile portal
    ghiris.ro

  4. #4
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    When a correct signature is found, the appropriate constant value will be returned otherwise the return value is FALSE. The return value is the same value that getimagesize() returns in index 2 but exif_imagetype() is much faster.

    I didn't know that

    Thanks
    my mobile portal
    ghiris.ro

  5. #5
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    The only disadvantage to exif_imagetype() is you need a fairly new install of PHP version 4.3.0 or higher. (Recommends latest PHP5!)
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  6. #6
    Non-Member
    Join Date
    Jun 2007
    Posts
    254
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Image Size

    Quote Originally Posted by Ernie1 View Post
    getimagesize — Get the size of an image
    function will read the header of the file to find out if it's an image or not
    getimagesize
    Ernie1,

    How do I use getimagesize() on the following code, then echo the width and the height of the image on the screen.

    Display Images:

    Code:
    <link rel="stylesheet" type="text/css" href="Index.css" />
     
    <?php
    $con = mysql_connect("localhost","peter","abc123");
    if (!$con)
    {
      die('Could not connect: ' . mysql_error());
    }
     
    mysql_select_db("TS", $con);
     
    $result = mysql_query("SELECT * FROM Images");
     
    while($row = mysql_fetch_array($result))
    {
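      // Escape stored values before writing them into the page
      echo '<img class="Thumbnails" src="' . htmlspecialchars($row['Path'], ENT_QUOTES) . '" />';
      echo htmlspecialchars($row['Caption'], ENT_QUOTES);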
    }
     
    mysql_close($con);
    ?>
    Upload Images:

    Code:
    <?php
    $con = mysql_connect("localhost","peter","abc123");
    if (!$con)
    {
      die('Could not connect: ' . mysql_error());
    }
    
    mysql_select_db("TS", $con);
    
          $sql="INSERT INTO Images (caption)
          VALUES
          ('$_POST[caption]')";  
    
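    // Parentheses added so the size limit applies to both types; without them
    // && binds tighter than || and BMP files skip the size check.
    if ((($_FILES["file"]["type"] == "image/bmp")
    || ($_FILES["file"]["type"] == "image/jpeg"))
    && ($_FILES["file"]["size"] < 90000))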
    {
      if ($_FILES["file"]["error"] > 0)
      {
        echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
      }
      else
      {
        echo "Upload: " . $_FILES["file"]["name"] . "<br />";
        echo "Type: " . $_FILES["file"]["type"] . "<br />";
        echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
    
        if (file_exists("upload/" . $_FILES["file"]["name"]))
        {
          echo $_FILES["file"]["name"] . " already exists. ";
        }
        else
        {
          $file = ("upload/" . $_FILES["file"]["name"]);
          move_uploaded_file($_FILES["file"]["tmp_name"],
          "upload/" . $_FILES["file"]["name"]);
          echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
          
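          // Escape user-supplied values before they go into the query
          $caption = mysql_real_escape_string($_POST['caption']);
          $path = mysql_real_escape_string($file);
          mysql_query("INSERT INTO Images (caption, path)
          VALUES('$caption','$path')");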
    
    
        }
      }
    }
    else
    {
      echo "Invalid file";
    }
    ?>

  7. #7
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Here you go
    PHP Code:
    <?php
    $con = mysql_connect("localhost","peter","abc123");
    if (!$con)
    {
      die('Could not connect: ' . mysql_error());
    }

    mysql_select_db("TS", $con);

    // getimagesize() reads the file itself and returns false if it is not an image
    $imgCheck = $_FILES["file"]["tmp_name"];
    if(!getimagesize($imgCheck)){
      die("not image");
    }
    $size = getimagesize($imgCheck);
    $width = $size[0];
    $height = $size[1];
    echo "image width is: " . $width . "<br/>\n";
    echo "image height is: " . $height . "<br/>\n";

    // Parentheses added so the size limit applies to both types; without them
    // && binds tighter than || and BMP files skip the size check.
    if ((($_FILES["file"]["type"] == "image/bmp")
    || ($_FILES["file"]["type"] == "image/jpeg"))
    && ($_FILES["file"]["size"] < 90000))
    {
      if ($_FILES["file"]["error"] > 0)
      {
        echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
      }
      else
      {
        echo "Upload: " . $_FILES["file"]["name"] . "<br />";
        echo "Type: " . $_FILES["file"]["type"] . "<br />";
        echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

        if (file_exists("upload/" . $_FILES["file"]["name"]))
        {
          echo $_FILES["file"]["name"] . " already exists. ";
        }
        else
        {
          $file = ("upload/" . $_FILES["file"]["name"]);
          move_uploaded_file($_FILES["file"]["tmp_name"],
          "upload/" . $_FILES["file"]["name"]);
          echo "Stored in: " . "upload/" . $_FILES["file"]["name"];

          // Escape user-supplied values before they go into the query
          $caption = mysql_real_escape_string($_POST['caption']);
          $path = mysql_real_escape_string($file);
          mysql_query("INSERT INTO Images (caption, path)
          VALUES('$caption','$path')");
        }
      }
    }
    else
    {
      echo "Invalid file";
    }
    ?>

    my mobile portal
    ghiris.ro

  8. #8
    Non-Member
    Join Date
    Jun 2007
    Posts
    254
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Best way to tell if uploaded files are images

    Ernie1,

    Using getimagesize() how do I change the size of the image(s) to a set size, whilst keeping the aspect ratio intact?

    What do you use the array for?

    Code:
    <?php
    $con = mysql_connect("localhost","peter","abc123"); 
    if (!$con) 
    { 
      die('Could not connect: ' . mysql_error()); 
    } 
    
    mysql_select_db("TS", $con); 
    
    $imgCheck = $_FILES["file"]["tmp_name"]; 
    if(!getimagesize($imgCheck)){ 
    die("not image"); 
    } 
    $size = getimagesize($imgCheck); 
    $width = $size[0]; 
    $height = $size[1]; 
    echo "image width is: " . $width . "<br/>\n"; 
    echo "image height is: " . $height . "<br/>\n"; 
    
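    // Parentheses added so the size limit applies to both types; without them
    // && binds tighter than || and BMP files skip the size check.
    if ((($_FILES["file"]["type"] == "image/bmp")
    || ($_FILES["file"]["type"] == "image/jpeg"))
    && ($_FILES["file"]["size"] < 90000))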
    { 
      if ($_FILES["file"]["error"] > 0) 
      { 
        echo "Return Code: " . $_FILES["file"]["error"] . "<br />"; 
      } 
      else 
      { 
        echo "Upload: " . $_FILES["file"]["name"] . "<br />"; 
        echo "Type: " . $_FILES["file"]["type"] . "<br />"; 
        echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />"; 
        echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />"; 
    
        if (file_exists("upload/" . $_FILES["file"]["name"])) 
        { 
          echo $_FILES["file"]["name"] . " already exists. "; 
        } 
        else 
        { 
          $file = ("upload/" . $_FILES["file"]["name"]); 
          move_uploaded_file($_FILES["file"]["tmp_name"], 
          "upload/" . $_FILES["file"]["name"]); 
          echo "Stored in: " . "upload/" . $_FILES["file"]["name"]; 
           
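          // Escape user-supplied values before they go into the query
          $caption = mysql_real_escape_string($_POST['caption']);
          $path = mysql_real_escape_string($file);
          mysql_query("INSERT INTO Images (caption, path)
          VALUES('$caption','$path')");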
    
    
        } 
      } 
    } 
    else 
    { 
      echo "Invalid file"; 
    } 
    ?>

  9. #9
    dooby dooby doo silver trophybronze trophy
    spikeZ's Avatar
    Join Date
    Aug 2004
    Location
    Manchester UK
    Posts
    13,805
    Mentioned
    157 Post(s)
    Tagged
    3 Thread(s)
    Salchester, on the http://www.php.net/getimagesize page there are some user contributed notes - some of which deal with image resizing whilst maintaining the aspect ratio.

    http://www.php.net/manual/en/functio...size.php#52099
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  10. #10
    Non-Member
    Join Date
    Jun 2007
    Posts
    254
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Best way to tell if uploaded files are images

    How do I add my database details to the code found at?: http://www.php.net/manual/en/functio...size.php#52099

    Code:
    <link rel="stylesheet" type="text/css" href="Index.css" />
    <script src="Thumbnails.js"></script>
     
    <?php
    $con = mysql_connect("localhost","peter","abc123");
    if (!$con)
    {
      die('Could not connect: ' . mysql_error());
    }
     
    mysql_select_db("TS", $con);
     
    $result = mysql_query("SELECT * FROM Images");
     
    while($row = mysql_fetch_array($result))
    {
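      // Escape stored values before writing them into the page
      echo '<img class="Thumbnails" src="' . htmlspecialchars($row['Path'], ENT_QUOTES) . '" />';
      echo htmlspecialchars($row['Caption'], ENT_QUOTES);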
    }
     
    mysql_close($con);
    ?>

  11. #11
    SitePoint Wizard wheeler's Avatar
    Join Date
    Mar 2006
    Location
    Gold Coast, Australia
    Posts
    1,369
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    do you have a concept of how to construct a php document?

    your database details generally are included as a separate include file,
    PHP Code:
    require 'path/to/connection/file.php';
    so that's the connection out of the way.

    Your loop that is designed to show the thumbnails - I don't see the relevance of this to formatting an image? You want to break your code into logical files and functions.

    For simplicity, one page should handle your image uploading, another page is better suited to browsing through the current data.
    Studiotime - Time Management for Web Developers
    to-do's, messages, invoicing, reporting - 30 day free trial!
    Thomas Multimedia Web Development

  12. #12
    SitePoint Zealot
    Join Date
    Dec 2005
    Location
    New York, NY, U.S.
    Posts
    128
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If using exif_imagetype() or getimagesize(), wouldn't that mean the file would have to be uploaded in order for the function to check the headers for the file type? Wouldn't it be safer just to check for a corresponding file extension(s) using regular expressions? Just a thought, I'm unsure, can anyone clarify this? Thanks.

  13. #13
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    no, the file extension can be changed.
    my mobile portal
    ghiris.ro

  14. #14
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    File extension is user supplied; it cannot be trusted. Anything user supplied cannot be trusted.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  15. #15
    SitePoint Zealot
    Join Date
    Dec 2005
    Location
    New York, NY, U.S.
    Posts
    128
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Touché, a very good point I seem to have overlooked. Should the file field be checked by regular expressions in any way?

  16. #16
    dooby dooby doo silver trophybronze trophy
    spikeZ's Avatar
    Join Date
    Aug 2004
    Location
    Manchester UK
    Posts
    13,805
    Mentioned
    157 Post(s)
    Tagged
    3 Thread(s)
    No, using getimagesize is a good way of checking if it is an image or not. A regex will only verify that it has an image type extension.
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....
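
As an added example (not code from any poster in this thread), here is the check the replies converge on: decide from the file's contents with getimagesize(), ignore the client-supplied name and type, and store the file under a server-generated name. The helper name `check_image_upload`, the two constants and the sample files are assumptions made for the illustration.

```php
<?php
// Allowed types, keyed by what getimagesize() detects; value = extension we assign.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_BMP  => 'bmp',
];
const MAX_BYTES = 90000; // same limit as the code posted in the thread

// Hypothetical helper: validates the server-side temp file of one upload.
// Returns ['ok' => true, 'name', 'width', 'height'] or ['ok' => false, 'reason'].
function check_image_upload(string $tmpPath, int $errorCode): array
{
    if ($errorCode !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => "upload error $errorCode"];
    }
    $bytes = filesize($tmpPath);
    if ($bytes === false || $bytes === 0 || $bytes > MAX_BYTES) {
        return ['ok' => false, 'reason' => 'empty or too large'];
    }
    $info = @getimagesize($tmpPath); // parses the header; false if not an image
    if ($info === false || !array_key_exists($info[2], ALLOWED_TYPES)) {
        return ['ok' => false, 'reason' => 'not an allowed image type'];
    }
    // Server-generated name: the client's filename and extension are never used.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info[2]];
    return ['ok' => true, 'name' => $name, 'width' => $info[0], 'height' => $info[1]];
}

// Constructed sample inputs (not real uploads): a 2x3 PNG header, and a script
// of the kind a client could submit as "photo.jpg" with type "image/jpeg".
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR'
    . pack('NNC5', 2, 3, 8, 2, 0, 0, 0) . pack('N', 0));
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, '<?php echo "not a photo";');

foreach (['png header' => $png, 'script' => $script] as $label => $path) {
    $result = check_image_upload($path, UPLOAD_ERR_OK);
    echo $label, ': ', $result['ok'] ? 'accepted as ' . $result['name'] : 'rejected (' . $result['reason'] . ')', "\n";
    unlink($path);
}
```

In a real handler, pass `$_FILES["file"]["tmp_name"]` and `$_FILES["file"]["error"]`, then call move_uploaded_file() to put the file in the pending folder under the returned name. getimagesize() only inspects the header, so keep that folder somewhere the web server will not execute its contents.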

