Reputation: 503
I want users to be able to upload a profile picture (which can be .jpg or .png) and I also want this to be displayed on their profile. I have written some code, based on sources I found here, on Stackoverflow and Google. However, it does not seem to work and I can't find my mistake.
This is the html
<form action="account_settings.php" method="POST">
<input type="file" name="profilePicture"><br><br>
<input type="submit" value="Change!">
</form>
This is how the uploaded file will be processed.
<?php
include ('inc/header.inc.php');
if(isset($_FILES["profilePicture"]["tmp_name"]) && isset($_FILES["profilePicture"]["name"])) {
    $ext = pathinfo($_FILES['profilePicture']['name'], PATHINFO_EXTENSION);
    $name = $_SESSION['user_login'];
    $tmp_name = $_FILES["profilePicture"]["tmp_name"];
    if($ext == 'png' || $ext == 'jpg') {
        if (isset($tmp_name)) {
            if(!empty($tmp_name)) {
                $location = '../profielfotos/';
                $full_name = $name.'.'.$ext;
                if(move_uploaded_file($tmp_name, $location.$full_name)) {
                    echo 'Photo uploaded!';
                }
Down here are just some else statements with error reports.
The code below is used to display the image. I have tested it by putting an image in the profile pictures folder and it did display the image. However, there is still a problem. People are allowed to upload .jpg or .png, how can I make the website display the picture (find the profile picture with the right extension)?
I have put this code inside the src attribute of the <img> tag.
<?php if ($handle = opendir('profielfotos/')) {
    $file = mysql_real_escape_string($_GET['u']);
    echo 'profielfotos/'.$file.'.png';
    // Close the handle only when opendir() succeeded.
    closedir($handle);
}
I hope someone can help, thanks in advance! ps. this is my first post ever on stack overflow :-D!
Upvotes: 3
Views: 23007
Reputation: 11096
This is totally insecure. Files uploaded by a user shall never ever be stored within the root of the web server.
Instead, put the files somewhere outside of the doc root.
Write a handler, which takes control of the files.
Upvotes: 2
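The approach this answer describes (store uploads outside the document root and serve them through a handler), as an added example that is not part of the original thread. The directory PROFILE_DIR, the function names, the 2 MiB size limit and the user-name pattern are assumptions.

```php
<?php
// Added example; PROFILE_DIR, function names, size limit and name pattern are assumptions.
const PROFILE_DIR = '/var/www/private/profielfotos'; // assumed: outside the document root
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

// The name becomes part of a path, so refuse anything that could hold "/" or "..".
function safe_user(string $user): ?string {
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $user) === 1 ? $user : null;
}

// Upload side: call with $_FILES['profilePicture'] and $_SESSION['user_login'].
function store_profile_picture(array $upload, string $user): bool {
    $user = safe_user($user);
    if ($user === null || ($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return false;
    }
    if ($upload['size'] > 2 * 1024 * 1024 || !is_uploaded_file($upload['tmp_name'])) {
        return false;
    }
    // Decide the type from the file content, not from the client-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED_TYPES[$mime])) {
        return false;
    }
    $ext = ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($upload['tmp_name'], PROFILE_DIR . "/$user.$ext")) {
        return false;
    }
    // Remove a picture left over under the other extension, so one file exists per user.
    foreach (ALLOWED_TYPES as $other) {
        if ($other !== $ext) { @unlink(PROFILE_DIR . "/$user.$other"); }
    }
    return true;
}

// Serving side: a script used as the <img> src calls this with $_GET['u'].
function serve_profile_picture(string $user): void {
    $user = safe_user($user);
    foreach (ALLOWED_TYPES as $mime => $ext) {
        $path = PROFILE_DIR . "/$user.$ext";
        if ($user !== null && is_file($path)) {
            header("Content-Type: $mime");
            header('X-Content-Type-Options: nosniff');
            header('Content-Length: ' . filesize($path));
            readfile($path);
            return;
        }
    }
    http_response_code(404);
}
```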
Reputation: 1265
You need to add the following to your form:
<form action="account_settings.php" method="POST" enctype="multipart/form-data">
Otherwise it won't allow a file upload as it expects only text.
Upvotes: 3
Reputation: 13796
Since you are not storing any info about the file uploaded, you just have to check which file exists, using the file_exists() method. See here:
http://php.net/manual/en/function.file-exists.php
So your code will become something like this (Not tested):
<?php if ($handle = opendir('profielfotos/')) {
    $file = mysql_real_escape_string($_GET['u']);
    // Echo the path of whichever extension exists for this user.
    if (file_exists('profielfotos/'.$file.'.png')) {
        echo 'profielfotos/'.$file.'.png';
    } else if (file_exists('profielfotos/'.$file.'.jpg')) {
        echo 'profielfotos/'.$file.'.jpg';
    }
    // Close the handle only when opendir() succeeded.
    closedir($handle);
}
Upvotes: 3