Only allow .jpg and .png files only [duplicate]

Answer 1

You can try using pathinfo & exif_imagetype

if(pathinfo($Name,PATHINFO_EXTENSION) != "jpg" || exif_imagetype($Name) != IMAGETYPE_JPEG)
{
    // throw error 
}

See More Info to detect Fake Images

Answer 2

Of course, you can limit by file extension, but it's not safe. You can try rename a gif-file and upload it. A little bit safer is using mime-type to detect file type (but still no guarantee). Look at: How do I find the mime-type of a file with php?

I think more safer is trying to get size of image or if convert to another image type is successful.

Answer 3

$imageType = getimagesize($tmp_name); switch ($imageType['mime'] != "image/jpg" OR $imageType['mim'] != "image/png") { //error code here. }

It is a bit safer than checking the extension, as the extension can be changed easily. The mime type can be changed as well but requires more knowledge xD

Answer 4

$whitelist = array(".jpg",".png");
foreach ($whitelist as $item) {
  if(preg_match("/$item\$/i", $_FILES['uploadfile']['name'])) {
    $uploaddir='uploads/uploads_image/';
    // or code
  }
}

Answer 5

You can use exif_imagetype($tmp_name) to check the actual type of the file based on its header. This checks the type based on the contents of the file, so it is the most reliable (e.g. it will give you the right information even if somebody gives you a JPG with a ".png" extension).

There is also the type property ($_FILES['myfile']['type']), which will give you the MIME type that the browser claims the file is. However, this cannot be trusted if someone maliciously forges the request.

Answer 6

if($_FILES){
    $allowedExtensions = array("jpg","png");

    foreach($_FILES as $key=>$val){
        if(!empty($val['tmp_name'])){
            $ext = end(explode(".",strtolower(basename($val['name']))));
            if(in_array($ext,$allowedExtensions)){
                $file = 'PATH_TO_UPLOAD'.basename($val['name']);

                if(move_uploaded_file($val['tmp_name'],$file)){
                    //SUCCESS_MESSAGE
                }
            }else{
                //FAIL_MESSAGE
            }
        }
    }
}