user2360853

Reputation: 51

PHP script for uploading an image not working

I have an edit page that allows users to upload a profile image using forms, but the problem is that I keep getting "the format is not acceptable" even if the image type is one of the accepted formats.

This is the code:

    if(isset($_POST['parse_var']) == "pic")
    {
        if(!$_FILES['fileField']['tmp_name'])
        {
            $errorMSG = '<font color= "#FF0000">Please browse for an Image  Before you press the button.</font>';
        }
        else
        {
            $maxfilesize = 51200;//in bytes =  50kb
            if($_FILES['fileField']['size']>$maxfilesize)
            {
                $errorMSG = '<font color="#FF0000">Your image was too large, please try again.</font>';
                unlink($_FILES['fileField']['tmp_name']);
            }
            elseif(!preg_match("^.(gif|jpg|png)$/i^",$_FILES['fileField']['name']))
            {
                $errorMSG = '<font color="#FF0000">Your Image was not one of the accepted format, please try again</font>';
                unlink($_FILES['fileField']['tmp_name']);
            }
            else
            {
                $newname = "image01.jpg";
                $place_file = move_uploaded_file($_FILES['fileField']['tmp_name'],"members/$id/".$newname);
                $message='<font color="#00FF00">Your Image has been upload successfully</font>';
            }
        }//end else

    }//end if

Upvotes: 2

Views: 155

Answers (1)

Marc B

Reputation: 360672

Major problems:

a)

        elseif(!preg_match("^.(gif|jpg|png)$/i^",$_FILES['fileField']['name']))
                            ^---

You should not be using a regex metachar as the pattern delimiter. Try

preg_match('/\.(gif|jpg|png)$/i', ...) instead.

But in a bigger picture view, you shouldn't be matching on filenames at all. Filenames can be forged. You should be doing server-side MIME-type determination (e.g. via file_info()) instead.

b)

You are NOT properly checking for upload success. The presence of a ['tmp_name'] in the $_FILES array means NOTHING. Failed uploads can STILL produce a tmp_name, yet you end up with garbage. Always use something like this:

    if ($_FILES['fileField']['error'] !== UPLOAD_ERR_OK) {
        die("Upload failed with error code " . $_FILES['fileField']['error']);
    }

The error codes are defined here: http://php.net/manual/en/features.file-upload.errors.php

c) (minor)

You do not need to unlink the temp files. PHP does that automatically when the script exits.

d) (stylistically HUGE error)

font tags? in 2013? The 1990s called and want their HTML 1.0 back...

Upvotes: 4
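
The checks from the answer above (upload error code first, then server-side type detection instead of filename matching), combined as an added example that is not part of the original answer or the asker's code. It uses PHP's Fileinfo extension through the `finfo` class; `check_upload`, `detect_image_ext`, `MAX_BYTES` and `ALLOWED` are hypothetical names, `$id` is assumed to be set elsewhere as in the question, and the sample files in the CLI branch are constructed.

```php
<?php
// Added example; function and constant names are assumptions, not the asker's code.
const MAX_BYTES = 51200; // 50 KB, the limit used in the question
const ALLOWED = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

// Map a file's sniffed content type to a storage extension, or null if it is
// not an accepted image. The client-supplied filename is never consulted.
function detect_image_ext(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
}

// Validate one $_FILES entry; returns [true, extension] or [false, reason].
function check_upload(array $file): array
{
    $err = $file['error'] ?? null;
    if ($err !== UPLOAD_ERR_OK) {
        return [false, 'upload failed, error code ' . (is_int($err) ? $err : 'invalid')];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an HTTP upload'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'image too large'];
    }
    $ext = detect_image_ext($file['tmp_name']);
    return $ext === null ? [false, 'not an accepted image format'] : [true, $ext];
}

if (isset($_FILES['fileField'])) {
    // Web request: $id is assumed to be set from the logged-in session.
    [$ok, $info] = check_upload($_FILES['fileField']);
    if ($ok && !move_uploaded_file($_FILES['fileField']['tmp_name'], "members/$id/image01.$info")) {
        [$ok, $info] = [false, 'could not store file'];
    }
    echo $ok ? 'Image uploaded.' : 'Rejected: ' . htmlspecialchars($info);
} else {
    // CLI demo on constructed files: content decides, whatever the name says.
    $samples = ['photo.jpg' => "GIF89a\x01\x00\x01\x00\x00\x00\x00;", 'avatar.png' => '<?php echo 1; ?>'];
    foreach ($samples as $name => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        printf("%s -> %s\n", $name, detect_image_ext($tmp) ?? 'rejected');
        unlink($tmp);
    }
}
```

The stored extension is taken from the detected type, so a file is never saved as `image01.jpg` when its content is a GIF or PNG.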
