Hi, I have a file (image) upload script in PHP that I use to upload and resize images... It uses a simple MIME type and size validation so only jpg images are allowed and 1MB max file size.

I recently discovered a problem. When I try to upload a .avi file using the script, the script processes the file like it's the correct MIME type and size and then just does nothing, just takes me back to the upload form without any error message. (Instead of showing a "file too big" message).

I mean, if I try to upload a .gif or .txt or something else I get an error, as expected. If I try to upload any file bigger than 1MB I get an error, as expected. Only when I try to upload a .avi file with more than 1MB I don't get any kind of error..... Well, here is the first part of the code:

// define a constant for the maximum upload size
define('MAX_FILE_SIZE', 1024000);

if (array_key_exists('upload', $_POST)) {
    // define constant for upload folder
    define('UPLOAD_DIR', 'C:/Wamp/www/Version-1.4/posters_uploaded/');

    // replace any spaces in original filename with underscores. At the same time, assign to a simpler variable
    $file = str_replace(' ', '_', $_FILES['image']['name']);

    // convert the maximum size to KB
    $max = number_format(MAX_FILE_SIZE/1024, 1).'kb';
    // create an array of permitted MIME types
    $permitted = array('image/jpeg','image/pjpeg');
    // begin by assuming the file is unacceptable
    $sizeOK = false;
    $typeOK = false;

    // check that file is within the permitted size
    if ($_FILES['image']['size'] > 0 && $_FILES['image']['size'] <= MAX_FILE_SIZE) {
        $sizeOK = true;
    }
    // check that file is of a permitted MIME type
    foreach ($permitted as $type) {
        if ($type == $_FILES['image']['type']) {
            $typeOK = true;
            break;
        }
    }

    if ($sizeOK && $typeOK) {
        switch($_FILES['image']['error']) {
            case 0: // ...................

I'm just modifying a build PHP code so I'm no expert... Any suggestions?? Thanks.

+2  A: 

http://us3.php.net/manual/en/features.file-upload.common-pitfalls.php

It looks like your upload_max_filesize ini-setting is too low. This would cause no error to be displayed when you upload a very large file such as an AVI video.

The reason you're seeing the errors with text files and .jpg images is likely because the size of those files is greater than 1 MB, but below your upload_max_filesize setting in php.ini.

Try echoing the value of ini_get("upload_max_filesize") and see what the value is if you don't have access to the php.ini file directly.

John Rasch
Checked the php.ini... I have 2MB limit... "; Maximum allowed size for uploaded files. upload_max_filesize = 2M" So, that's not the problem....
Jonathan
The maximum size is 2 GB, is that what you meant?
John Rasch
I don't want to allow files bigger than 1 MB.. Why do I need to change my 2MB limit???
Jonathan
Since your setting is at 2MB, PHP will completely ignore any attempts to upload anything larger than 2MB, which is why you're not seeing the error message at all - because nothing happens when you submit a form with a file larger than the 2MB setting.
John Rasch
A: 

Above this line:

if ($_FILES['image']['size'] > 0 && $_FILES['image']['size'] <= MAX_FILE_SIZE) {
        $sizeOK = true;
}

Put this:

echo '<pre>' . htmlspecialchars(print_r($_FILES, true)) . '</pre>';

That will show you what is inside the FILES array, and should make this pretty simple to debug. Try uploading the AVI with the above line added to your script.

karim79
It should be print_r($_FILES), not printr($FILES).
Peter
My bad, will fix it now
karim79
A: 

I'd also suggest that you don't believe the mime type. Sometimes people have .png or .gif files that have been renamed to .jpg, or they could upload incorrect files intentionally. Use getimagesize to check if these are valid jpeg images.

Alex JL
MIME doesn't check just the file extension... I think...
Jonathan
The browsers I've tested seem to set the mime type, and it's based on the file extension. They don't do real tests as to image format, that's way too elaborate. Trust me, I've built upload systems for images from scratch in PHP.
Alex JL
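The getimagesize check suggested in this answer, as an added example that is not part of the original thread: the decision is made from the bytes PHP stored on the server, never from the browser-supplied `$_FILES['image']['type']`. The function names and the constructed sample file are assumptions made for illustration.

```php
<?php
// Added example: classify an upload by its content, not by the
// client-supplied MIME type or the file extension.

function is_jpeg_file(string $path): bool
{
    // getimagesize() parses the image header and returns false for
    // anything it does not recognise as an image (an AVI, a text file).
    $info = @getimagesize($path);
    // Index 2 holds one of the IMAGETYPE_* constants.
    return $info !== false && $info[2] === IMAGETYPE_JPEG;
}

function accept_jpeg_upload(array $file, int $maxBytes): bool
{
    return $file['error'] === UPLOAD_ERR_OK
        && is_uploaded_file($file['tmp_name'])       // really came from this POST
        && filesize($file['tmp_name']) <= $maxBytes  // size measured on the server
        && is_jpeg_file($file['tmp_name']);
}

// Constructed sample: a minimal GIF header saved under a .jpg name,
// the "renamed file" case described in the answer.
$fake = sys_get_temp_dir() . '/renamed_' . uniqid() . '.jpg';
file_put_contents($fake, "GIF89a" . pack('v2', 1, 1) . "\x00\x00\x00");
var_dump(is_jpeg_file($fake));
unlink($fake);

// In the upload handler (field name 'image' as in the question):
// if (!accept_jpeg_upload($_FILES['image'], 1024000)) { /* reject */ }
```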
A: 

As John Rasch mentioned above, any file above the php.ini upload_max_filesize will not process at all, so you'll have no chance to test the error for you. You have to assume it was not uploaded and validate it if it was.


Now that I understand your scenario better I think this is what you can do:

// at the top of your script
$upload_success = false;

// when an upload is successfully detected
if (isset($_FILES['image']) && $_FILES['image']['error'] === UPLOAD_ERR_OK) {
    $upload_success = true;
}

// if the successful-upload code is never run
if (!$upload_success) {
    $display_error = "File not uploaded, may be too large a file, "
        . "please upload less than 1MB";
    print $display_error;
}


Main point being:

You can't always detect upload files that are too big because they get cut off at a level deeper than where the scripts run.

Fire Crow
Checked the php.ini... I have 2MB limit... "; Maximum allowed size for uploaded files. upload_max_filesize = 2M" So, that's not the problem....
Jonathan
? I think you just demonstrated that that is the problem. Unless your avi is between 1 and 2mb, which I doubt, most avi files are well above 2mb. We have a flash video uploader and have set our max to 18
Fire Crow
Yes, my avi file is 600MB and I don't want to allow the upload.. I want a 1MB limit.. Why do I need to set a bigger maximum if I just want 1 MB limit??
Jonathan
If you go above the 2MB php.ini limit the PHP script may not even detect a file was uploaded because it gets cut off at the server level by the upload_max_filesize in php.ini
Fire Crow
A: 

Don't forget, when uploading files, that there are actually two directives you need to pay attention to in php.ini. One is upload_max_filesize, but the other is post_max_size. Generally, post_max_size should at least be equal to, and probably greater than, upload_max_filesize. You can't upload a file greater than post_max_size, regardless of what you set your upload_max_filesize.

An AVI file won't match the mime types you have listed in your permitted array. After doing your $sizeOK and $typeOK checks, check to see what values they hold, and how your script handles those values. That might hold the key to the behavior of your script.

Peter
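The two limits discussed in the last two answers, combined into one check, as an added example that is not code from the thread: a request body over post_max_size leaves both `$_POST` and `$_FILES` empty, while a file over upload_max_filesize arrives with an error code and a size of 0. The field name 'image' and the 1024000-byte limit come from the question; the function names and messages are assumptions.

```php
<?php
// Added example, not code from the thread. Field name 'image' and the
// 1024000-byte limit are taken from the question; the rest is assumed.
const APP_MAX_BYTES = 1024000;

// Convert php.ini shorthand such as "2M" or "8M" to bytes.
function ini_bytes(string $value): int
{
    $num = (int) $value;
    switch (strtoupper(substr(trim($value), -1))) {
        case 'G': $num *= 1024; // fall through
        case 'M': $num *= 1024; // fall through
        case 'K': $num *= 1024;
    }
    return $num;
}

// Returns an error message, or null when the file may go on to type checks.
function upload_problem(array $server, array $files, string $postMax): ?string
{
    $limit = ini_bytes($postMax);
    $length = (int) ($server['CONTENT_LENGTH'] ?? 0);
    // Body over post_max_size: PHP leaves $_POST and $_FILES empty.
    if ($limit > 0 && $length > $limit) {
        return 'Request too large; the file limit is 1 MB.';
    }
    if (!isset($files['image'])) {
        return 'No file received.';
    }
    switch ($files['image']['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:  // over upload_max_filesize
        case UPLOAD_ERR_FORM_SIZE: // over the form's MAX_FILE_SIZE field
            return 'File too big; the limit is 1 MB.';
        case UPLOAD_ERR_NO_FILE:
            return 'No file selected.';
        default:
            return 'Upload failed (error ' . $files['image']['error'] . ').';
    }
    return $files['image']['size'] > APP_MAX_BYTES
        ? 'File too big; the limit is 1 MB.' : null;
}

// Constructed input: a 600 MB POST arriving with post_max_size = 8M.
echo upload_problem(['CONTENT_LENGTH' => '629145600'], [], '8M'), PHP_EOL;
// In a handler: upload_problem($_SERVER, $_FILES, ini_get('post_max_size'));
```

Run this check on every POST request before testing for the 'upload' key in `$_POST`, because that key is missing too when the body exceeded post_max_size.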