PHP File Validation using If statements uploads.

Question

Hi I am quite new to php but i have been following some tutorials but they don't seem to work so I have tried to adapt them. I have tested this code and it works to a point but theres something else I can't get my head around, the php file is not uploading (fine) but the details are still being writen to the datbase although the $ok is spose to be set to 0 (not fine). It might be easier if explain what is ment to happen here:

-The User can upload gif or jpeg files. Details added to the db. -The User can upload no file as a default will be used. Details added to the db. -The User should not be able to upload any other file. No record should be on the db, user should have to try again.

My Code so far:

<?php

//This is the directory where images will be saved
$target = "images/";
$target = $target . basename( $_FILES['photo']['name']);
$ok=0; 


//This gets all the other information from the form
$name= mysql_real_escape_string ($_POST['nameMember']);
$bandMember= mysql_real_escape_string ($_POST['bandMember']);
$pic= mysql_real_escape_string ($_FILES['photo']['name']);
$about= mysql_real_escape_string ($_POST['aboutMember']);
$bands= mysql_real_escape_string ($_POST['otherBands']);

$uploaded_size=$_FILES['photo']['file_size']; 
if ($uploaded_size > 350000)
{
echo "Your file is too large, 35Kb is the largest file you can upload.<br>";
$ok=0;
} 
if ($uploaded_type =="text/php")
{
echo "No PHP files<br>";
$ok=0;
} 

if (!($uploaded_type =="image/jpeg"))
{
echo "JPEG<br>";$ok=1;
} 

if ($uploaded_type =="image/gif")
{
echo "GIf<br>";$ok=1;
} 

if (empty($pic)){
echo "You haven't uploaded a photo, a default will be used instead.<br/>";$ok=1;}


if ($ok==0)
{
Echo "Sorry your file was not uploaded, please try again with the correct format.";
}

//If everything is ok we try to upload it
else
{ 

// Connects to your Database
mysql_connect("localhost", "*******", "******") or die(mysql_error()) ;
mysql_select_db("project") or die(mysql_error()) ;

//Writes the information to the database
mysql_query("INSERT INTO dbProfile (nameMember,bandMember,photo,aboutMember,otherBands)
VALUES ('$name', '$bandMember', '$pic', '$about', '$bands')") ;

//Writes the photo to the server
if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
{

//Tells you if its all ok
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded, and your information has been added to the directory<br/>";
print "<a class=\"blue\" href=\"createMember.php\">Add Another Record</a> | <a class=\"blue\" href=\"listMember.php\">Band Member Profiles and Affiliates Menu</a>";
}
else {

//Gives and error if its not
echo "<p>If you have uploaded a picture there may have been a problem uploading your file.</p>";
print "<a class=\"blue\" href=\"createMember.php\">Add Another Record</a> | <a class=\"blue\" href=\"listMember.php\">Band Member Profiles and Affiliates Menu</a>";
}
}
?>

Cheers in advance. CHL

Answer 1

The error probably is this if statement:

  if (!($uploaded_type =="image/jpeg"))
  {
    echo "JPEG<br>";$ok=1;
  }

Because every time you upload an image that does not have a content type that equals "image/jpeg", $ok evaluates to 1, so everything gets written to the database.

But also notice, that just checking the MIME type like this can get you into trouble, since the user is able to fake the MIME type of a file.

You could use Imagick to get the correct image MIME type, for example. See more details here: http://de2.php.net/manual/en/function.imagick-identifyimage.php

Edit: Just noticed, that $uploaded_type does not get initialized anywhere in your script. As I said, you can do a rough estimation of the MIME type by using $_FILES['photo']['type'].