PHP Validating the File Upload [duplicate]

Answer 1

Your new code only checks the extension of the file and the size of the file. It doesn't checks the type of the file.

I will strongly recommend to use your old code because there it checks the file type also.

Answer 2

You should pass the tmp_name of the file* to getimagesize, it will give you the size and type of the image (if it is an image). If the passed argument is a file but not an image it returns false, that will allow you to validate.

Edit: The only reliable method of image validation is to make a copy of it using GD or Imagick - getimagesize can be easily hacked.

*: I mean, the temporal file created after upload.

For example:

if ($_SERVER['REQUEST_METHOD'] === 'POST')
{
    $file = $_FILES['file']['tmp_name'];
    if (file_exists($file))
    {
        $imagesizedata = getimagesize($file);
        if ($imagesizedata === FALSE)
        {
            //not image
        }
        else
        {
            //image
            //use $imagesizedata to get extra info
        }
    }
    else
    {
        //not file
    }
}

This code uses file_exists just to be general. In case no file were uploaded you would get $_FILES['file']['size'] = 0, $_FILES['file']['tmp_name'] = '' and $_FILES['file']['error'] = 4. See also is_readable. For the error values see file upload errors explained at php.net.

Answer 3

$allowedExts = array("gif", "jpeg", "jpg", "png");
$extension = end(explode(".", $_FILES["file"]["name"]));
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 20000)
&& in_array($extension, $allowedExts))

This is checked twice because, the extension of the file and 'file type' can be differ, so someone can not upload executable file with .png extension.

In your modified code, it is possible to upload a different type of file with modified extension. like they can upload word document with '.png' extension.

Your new code is just checking extension and don't have double check.