Can someone please take a look at this and help me do one thing?

I am uploading images to a directory and updating the users record with the photo they upload. Problem is, I could have someone upload a photo with the same name as a photo that is already on the server. If this happens, then the photo for the exsisting profile will be over written.

I am trying to add the userid to the image name and the database record.

Here is my code:

<?php
if($_GET == 'upload')
{
//upload all the fields until done
For($i=0; $i <= $_i-1; $i++)
{
//create a random number
$_random = rand(1, 1000000);
//file with the upload folder
$target_path = $upload_dir . basename($_FILES);
$target_path = str_replace (" ", "", $target_path);
//actual file name with the random number
$_file_name = basename($_FILES);
$_file_name = str_replace (" ", "", $_file_name);
//do not upload the 'left blank' fields
if(basename($_FILES) != '')
{


if(move_uploaded_file($_FILES, $target_path))
{
//uploaded successfuly
$_uploaded=1;
}
else
{
//error uploading
$_error=1;
}
}
else
{
$_check=$_check+1;
}


}


//file(s) did upload
if($_uploaded == '1')
{
$_uploaded=0;
echo "<div style=\"COLOR: #339900; font-size: 8pt; font-weight: bold; padding-top: 10px;\">The file have been uploaded.</div>";


mysql_query("update tbl_accounts set photo = '".$_file_name."' WHERE userID = '$passcode'");



}
//file uploaded?
if($_error == '1')
{
$_error=0;
echo "<div style=\"COLOR: #ff0000; font-size: 8pt; font-weight: bold; padding-top: 10px;\">There was an error uploading some of the file(s), please try again! Maybe the file size is too large. Maximum file size is 3MB</div>";
}
//user selected a file?
if($_check == $_i)
{
$_check=0;
echo "<div style=\"COLOR: #ff0000; font-size: 8pt; font-weight: bold; padding-top: 10px;\">Select a file first than click 'Upload File'</div>";
}
}
echo "</td></tr>";


?>
</table>

Edited 3 Years Ago by happygeek: fixed formatting

it should be like:

do {
$_random = rand(1, 1000000);
$target_file = $upload_dir . $_random . basename($_FILES);

}while(file_exists($target_file);


//now at this point $target_file is unique and u can upload it safely


If you need to give the realfile name, one the user has uploaded (making SEO coool)
then it can be done by putting the realfilename in the database to this $target_file and just rewrite throught .htaccess while accessing the file, adding onemore parameter imageid is required to make the url for each image unique.

Worked great, thanks.

Can you tell me real quick using the same code block how I can block the upload if its not a .GIF or .JPG???

Before going to the above block check like this

if(exif_imagetype($_FILES) != IMAGETYPE_GIF || exif_imagetype($_FILES) != IMAGETYPE_JPEG)
{

//do something
//or as you have for look skip this image and upload next
continue;

}


for more info on exif_imagetype function and its Imagetype Constants:
http://www.php.net/manual/en/function.exif-imagetype.php

I have spent hours and cannot get the above solution to work. It says "Image must be a .GIF or .JPG when its not, but it still uploads image and updates the DB with the file.

Full script below, please help me block all uploads if they are not .GIF or .JPG.

<?php
//edit this
$_max_file_size = '1048576'; //file size in bytes.
$upload_dir = "profile_photos/"; //upload folder..chmod to 777
$_i = "1";                //number of files to upload at one time
//end edit 

echo "<table width=100% border=0 cellpadding=0 cellspacing=0>";
echo "<form enctype='multipart/form-data' action='?do=upload' method='post' style=\"margin: 0px;\">";
echo "<tr><td><input type='hidden' name='MAX_FILE_SIZE' value='" . $_max_file_size , "'></td></tr>";
echo "<tr><td class=bodytext style=\"color: #ff0000;\"><b>Photos MUST be in .JPG or .GIF format and CANNOT be over 1MB in size.</b></td></tr>";
echo "<tr><td>&nbsp;</td></tr>";
echo "<tr><td class=bodytext>Choose your image:<br>";
//show number of files to select
For($i=0; $i <= $_i-1;$i++) 
{
echo "<input name='file" . $i . "' type='file'></td></tr>";
}
echo "<tr><td class=bodytext><input type=submit name=Submit value=\"Upload New Photo\" style=\"font-family: Verdana; font-size: 8pt; font-weight: bold; BACKGROUND-COLOR: #5E6456; COLOR: #ffffff;\"></td></tr>";
echo "<tr><td>&nbsp;</td></tr>";

if($_GET['do'] == 'upload')
{
//upload all the fields until done
For($i=0; $i <= $_i-1; $i++) 
{
//file with the upload folder
$target_path = $upload_dir . $passcode . basename($_FILES['file' . $i]['name']);
$target_path = str_replace (" ", "", $target_path);
//actual file name with the random number
$_file_name = basename($_FILES['file' . $i]['name']);
$_file_name = str_replace (" ", "", $_file_name);
$_file_name = $passcode.$_file_name;
//do not upload the 'left blank' fields
if(basename($_FILES['file' . $i]['name']) != '')
{
if(move_uploaded_file($_FILES['file' . $i]['tmp_name'], $target_path)) 
{
     //uploaded successfuly
    $_uploaded=1;
} 
else
{
    //error uploading
    $_error=1;
}
}
else
{
$_check=$_check+1;
}

}

//file(s) did upload
if($_uploaded == '1')
{
$_uploaded=0;

echo "<tr><td class=redtext>Your photo has been updated.</td></tr>";
echo "<tr><td class=bodytext><a href=editphoto.php>Click Here To Refresh Screen To See New Photo</a></td></tr>";
echo "<tr><td class=bodytext><a href=profile.php>Return to My Account</a></td></tr>";
echo "<tr><td>&nbsp;</td></tr>";

mysql_query("update tbl_accounts set photo = '".$_file_name."' WHERE userID = '$passcode'");

}
//file uploaded?
if($_error == '1')
{
$_error=0;
echo "<div class=redtext>There was an error uploading some of the file(s), please try again! Maybe the file size is too large. Maximum file size is 1MB</div>";
}
//user selected a file?
if($_check == $_i)
{
$_check=0;
echo "<div class=redtext>Select a file first than click 'Upload File'</div>";
}
}
echo "</td></tr>";

?>
</table>

Edited 3 Years Ago by mike_2000_17: Fixed formatting

Try this ..... report full error description if occur

<?php
//edit this
$_max_file_size = '1048576'; //file size in bytes.
$upload_dir = "profile_photos/"; //upload folder..chmod to 777
$_i = "1";                //number of files to upload at one time
//end edit
echo "<table width=100% border=0 cellpadding=0 cellspacing=0>";
echo "<form enctype='multipart/form-data' action='?do=upload' method='post' style=\"margin: 0px;\">";
echo "<tr><td><input type='hidden' name='MAX_FILE_SIZE' value='" . $_max_file_size , "'></td></tr>";
echo "<tr><td class=bodytext style=\"color: #ff0000;\"><b>Photos MUST be in .JPG or .GIF format and CANNOT be over 1MB in size.</b></td></tr>";
echo "<tr><td>&nbsp;</td></tr>";
echo "<tr><td class=bodytext>Choose your image:<br>";
//show number of files to select
For($i=0; $i <= $_i-1;$i++)
{
echo "<input name='file" . $i . "' type='file'></td></tr>";
}
echo "<tr><td class=bodytext><input type=submit name=Submit value=\"Upload New Photo\" style=\"font-family: Verdana; font-size: 8pt; font-weight: bold; BACKGROUND-COLOR: #5E6456; COLOR: #ffffff;\"></td></tr>";
echo "<tr><td>&nbsp;</td></tr>";
if($_GET == 'upload')
{
//upload all the fields until done
For($i=0; $i <= $_i-1; $i++)
{
if(exif_imagetype($_FILES) != IMAGETYPE_GIF || exif_imagetype($_FILES) != IMAGETYPE_JPEG)
{
continue;
}
//file with the upload folder
$target_path = $upload_dir . $passcode . basename($_FILES);
$target_path = str_replace (" ", "", $target_path);
//actual file name with the random number
$_file_name = basename($_FILES);
$_file_name = str_replace (" ", "", $_file_name);
$_file_name = $passcode.$_file_name;
//do not upload the 'left blank' fields
if(basename($_FILES) != '')
{
if(move_uploaded_file($_FILES, $target_path))
{
//uploaded successfuly
$_uploaded=1;
}
else
{
//error uploading
$_error=1;
}
}
else
{
$_check=$_check+1;
}
}
//file(s) did upload
if($_uploaded == '1')
{
$_uploaded=0;
echo "<tr><td class=redtext>Your photo has been updated.</td></tr>";
echo "<tr><td class=bodytext><a href=editphoto.php>Click Here To Refresh Screen To See New Photo</a></td></tr>";
echo "<tr><td class=bodytext><a href=profile.php>Return to My Account</a></td></tr>";
echo "<tr><td>&nbsp;</td></tr>";
mysql_query("update tbl_accounts set photo = '".$_file_name."' WHERE userID = '$passcode'");
}
//file uploaded?
if($_error == '1')
{
$_error=0;
echo "<div class=redtext>There was an error uploading some of the file(s), please try again! Maybe the file size is too large. Maximum file size is 1MB</div>";
}
//user selected a file?
if($_check == $_i)
{
$_check=0;
echo "<div class=redtext>Select a file first than click 'Upload File'</div>";
}
}
echo "</td></tr>";
?>
</table>

Edited 3 Years Ago by happygeek: fixed formatting

HI guys, I had a similar problem with exif data and needed a real quick fix. You can consider this, though there are many ways of killing shroedingers cat!
use the 'pathinfo()' function and extract the file extension, a simple routine selects if the file is within your limits (I'll come to validation in a minute). You could even use an array of values then, and keep this in an external file - if you need to add to or remove from your extensions list it simplifies things. If you need to check spoof images (text files loaded as images) check image width or height - only images exhibit these properties. Hope this helps.

This article has been dead for over six months. Start a new discussion instead.