So I have a script for uploading an image to the server. It allows jpg and png, and renames the file to a random 6-digit number.
<?php
if (isset($_FILES['file'])) {
    $file = $_FILES['file'];

    // Fields PHP fills in for the uploaded file
    $file_name  = $file['name'];
    $file_tmp   = $file['tmp_name'];
    $file_size  = $file['size'];
    $file_error = $file['error'];

    // Extension taken from the client-supplied file name
    $file_ext = explode('.', $file_name);
    $file_ext = strtolower(end($file_ext));

    $allowed = array('jpg', 'png');

    if (in_array($file_ext, $allowed)) {
        if ($file_error === 0) {
            if ($file_size <= 10000000) {
                // Rename to a random 6-digit number, keeping the extension
                $file_name_new    = mt_rand(100000, 999999) . '.' . $file_ext;
                $file_destination = 'files/' . $file_name_new;

                if (move_uploaded_file($file_tmp, $file_destination)) {
                    echo "<a href='$file_destination'>$file_name_new</a>";
                }
            }
        }
    }
}
?>
Everything works great. It allows files with the specified extensions, .jpg and .png.
Where I run into problems is that I am able to rename a txt file such as script.txt to script.txt.jpg, and the server will allow it even though it's not an image. This offers a vulnerability to attack.
Is there something I can add to verify that the file being uploaded is an image? I heard about getimagesize but I'm not sure. I'm pretty new to PHP.
You need to use the MIME type of the file to know what kind of file it is. The extension is not relevant.
Indeed, you can use getimagesize.
Like this:
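<?php
// ...
// Inspect the uploaded temp file, not the client-supplied name
$size = getimagesize($file_tmp);

if ($size === false) {
    // getimagesize() returns false when the file is not a readable image
    echo "not an image";
} else {
    switch ($size['mime']) {
        case "image/gif":
            echo "image gif";
            break;
        case "image/jpeg":
            echo "image jpeg";
            break;
        case "image/png":
            echo "image png";
            break;
        case "image/bmp":
            echo "image bmp";
            break;
    }
}
?>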
Source: http://php.net/manual/en/function.image-type-to-mime-type.php
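The content check discussed in the question and the answer, applied to the question's upload script as an added example (not code from either post): the type is read from the file's bytes and the stored extension is derived from that type, never from the uploaded name. Assumptions: the fileinfo extension is enabled, the constant and function names are hypothetical, and the stored name comes from random_bytes instead of the question's six-digit mt_rand.

```php
<?php
// Added example; constant and function names are hypothetical.
const MAX_BYTES = 10000000; // same size limit as the question's script
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

// Return the extension to store under, or null if the content is not an allowed image.
function image_extension_for(string $path): ?string
{
    if (!is_file($path) || filesize($path) > MAX_BYTES) {
        return null;
    }
    // Sniff the type from the file's bytes; the client's name and type are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!is_string($mime) || !isset(ALLOWED[$mime])) {
        return null;
    }
    // The image header must also parse, and agree with the sniffed type.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return ALLOWED[$mime];
}

if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $tmp = $_FILES['file']['tmp_name'];
    $ext = is_uploaded_file($tmp) ? image_extension_for($tmp) : null;
    if ($ext === null) {
        http_response_code(415);
        exit('Not a JPG or PNG image.');
    }
    // Extension comes from the detected type, so the uploaded name cannot choose it.
    $name = bin2hex(random_bytes(8)) . '.' . $ext;
    $dest = 'files/' . $name;
    if (move_uploaded_file($tmp, $dest)) {
        echo "<a href='" . htmlspecialchars($dest, ENT_QUOTES) . "'>$name</a>";
    }
} elseif (PHP_SAPI === 'cli') {
    // Constructed sample: text content, as if script.txt were renamed script.txt.jpg.
    $fake = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($fake, "this is script.txt, not an image\n");
    var_dump(image_extension_for($fake));
    unlink($fake);
}
```

Run from the PHP CLI, the script checks the constructed sample instead of an upload. A file that passes both checks can still carry extra bytes after the image data, so the files/ directory should be served without script execution.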