File upload issues in PHP

Question

Hi i'm trying to upload an image using a php script. And whats really weird is i get the following error only in Internet Explorer everywhere else script works fine:

Warning: move_uploaded_file(pictures/) [function.move-uploaded-file]: failed to open stream: Is a directory in /home/tntauto1/public_html/admin_add1.php on line 59

Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/phpcJnHZE' to 'pictures/' in /home/tntauto1/public_html/admin_add1.php on line 59

Warning: copy() [function.copy]: The first argument to copy() function cannot be a directory in /home/tntauto1/public_html/admin_add1.php on line 60

Here is the Script:

if(is_uploaded_file($_FILES['image']['tmp_name'])){
    if($_FILES['image']['type'] == 'image/jpeg'){
     $original = 'original_'.$v_id.'.jpg';
     $large = 'large_'.$v_id.'.jpg';
     $small = 'small_'.$v_id.'.jpg';

    }elseif($_FILES['image']['type'] == 'image/gif'){
     $original = 'original_'.$v_id.'.gif';
     $large = 'large_'.$v_id.'.gif';
     $small = 'small_'.$v_id.'.gif';
    }else{
     $error = 'Error: The image could not be uploaded. It must be in .jpg, .jpeg or .gif format.';
    }
    if(move_uploaded_file($_FILES['image']['tmp_name'],'pictures/'.$large)){}
     copy('pictures/'.$large,'pictures/'.$small);

    $imgsize = getimagesize('pictures/'.$large); //>>>>>>>>>>>>>>>>>>>>>>>>>>>>---- Resize to 480 X 360
    $width = $imgsize[0];
    $height = $imgsize[1];
    if(($width > 480) || ($height > 360)){//resize the image
     $ratio = $width / $height;
     if(100 / $ratio >= 80){//calculates if height of uploaded image is too large
      $new_width = floor(360 * $ratio);
      $new_height = 360;
     }elseif(150 * $ratio > 100){// calculate if width of uploaded image is too large
      $new_width = 480;
      $new_height = floor(480 / $ratio);
     }
     if($_FILES['image']['type'] == 'image/jpeg'){
      $img = imagecreatefromjpeg('pictures/'.$large);
      $img_copy = imagecreatetruecolor($new_width,$new_height);
      imagecopyresampled($img_copy,$img,0,0,0,0,$new_width,$new_height,$width,$height);
      imagejpeg($img_copy,'pictures/'.$large,100); 
     }
     if($_FILES['image']['type'] == 'image/gif'){
      $img = imagecreatefromjpeg('pictures/'.$large);
      $img_copy = imagecreatetruecolor($new_width,$new_height);
      imagecopyresampled($img_copy,$img,0,0,0,0,$new_width,$new_height,$width,$height);
      imagejpeg($img_copy,'pictures/'.$large,100); 
     }
    }

Answer 1

Have you checked the mimetype provided by internet explorer. Internet Explorer often sends slightly non-standard mimetypes.

It's helpful to use getimagesize and check the return value for the image type, to avoid browser issues.

Answer 2

You can't move a directory, because $large has no value, or is reset.

Answer 3

if($FILES['image']['type'] == 'image/jpeg'){

Variable that holds file upload data should be $_FILES. Since $FILES is an empty (just used) variable, your $large variable is also empty so you're moving a file to the pictures/ which is a directory, just like PHP told you. Your $error should also contain the error message since none of the ifs before it is true.

One way of avoiding errors like this is to develop with error_reporting set to E_ALL that would have displayed a notice that your $FILES variable (a typo) is undefined.

Answer 4

if($_FILES['image']['type'] == 'image/jpeg'){

Never rely on the MIME type submitted by the browser.

In this case your problem is as david alluded to: IE usually (wrongly) supplies image/pjpeg for JPEGs, so you're detecting an unknown filetype and setting $error to Error: The image could not be uploaded. It must be in .jpg, .jpeg or .gif format.... but then despite that you still try to move the file anyway, despite not having set $small or $large.

But more than that, the browser-submitted type is likely to be completely wrong. You can't trust the uploaded filename or media type to be appropriate, so don't even bother check them. Instead, look at $imgsize[2] after your call to getimagesize to find out what type PHP thinks the image is.

And... if you are accepting image uploads from general users, you've got a security problem. It's perfectly possible to create a valid GIF (or other filetype) that contains HTML tags. Then when bloody-stupid-IE comes along to access the GIF as a page on its own it'll detect the HTML tags, decide the Content-Type you told it must be wrong, and interpret it as an HTML page instead, including any JavaScript in there, which then executes in your site's security context.

If you have to allow file uploads from an untrusted source and you're not processing the images yourself (which would usually have the side-effect of removing unwanted HTML), you generally have to serve your images from a different hostname to avoid them scripting into your site.