The following statement tests the correct image type and size has been submitted. It checks for the correct file type but it is letting images of more than 1024kb through, and I was wondering if anyone has any idea why?
function validateFileUploads($imageUpload, $documentUpload, $saveFile)
$fErrors = array();
if((!empty($imageUpload)) && ($imageUpload['error'] == 0))
//Check if the file is JPEG image and it's size is less than 350Kb
$filename = basename($imageUpload['name']);
$ext = substr($filename, strrpos($filename, '.') + 1);
if((($ext == "jpg") && ($imageUpload["type"] == "image/jpeg"))
||(($ext == "gif") && ($imageUpload["type"] == "image/gif"))
&& ($imageUpload["size"] < 1024))
//proceed with image file save
array_push($fErrors, "Only .jpg or .gif images 1 megabyte or less are accepted for upload");
I’m going to disagree with logic_earth here that purely checking a file using getimagesize and exif_imagetype is sufficient for security. They can both be bypassed by a malicious file that has a malformed header that will pass verification but has active content that will be parsed and executed by php .
That is why you never execute or use the supplied file name by the client. However, using the type value from $_FILE is a no go. Or are you saying one should use that value for determining if the file is an image? If not then you agree with me.
By the way, I never said anything about this being “sufficient security”, please don’t put words in my mouth that I never spoken.
Yes using type from $_FILE is a no go. However, when your code is read by many less skilled php users on this forum, particularly when they see it posted by an experienced person such as yourself, many will take it as a finished and secure item, so it’s worth expanding on.