Is there anything I can add to my upload script to check that an image being uploaded is actually an image? I can change any file, php, txt, html, etc to image.gif and upload it to my site. I don’t want users doing this.
My script:
[code=php]
<form name="form1" method="post" action="index2.php" enctype="multipart/form-data">
<input name="go" type="hidden" value="<?=$go?>">
<table border="0" width="99%" cellspacing="3" cellpadding="3">
<tbody><tr>
<td width="100%">
<table height="318" cellspacing="1" width="600" border="0">
<tbody><tr>
<td width="584" colspan="2" height="22">
<?php
if (isset($UploadImages)) {
    for ($i = 1; $i <= 10; $i++) {
        // Only the client-supplied file name is checked here, not the file's content.
        if (!((strpos($_FILES["FILE$i"]['name'], '.gif') > 0) || (strpos($_FILES["FILE$i"]['name'], '.jpg') > 0))) continue;
        // Random prefix so that stored names do not collide.
        $prefix = gensess(15).'-';
        if (!move_uploaded_file(
            $_FILES["FILE$i"]['tmp_name'], "../tmpimages/$prefix". $_FILES["FILE$i"]['name']))
        {
            // echo "<br>WARNING! No file has been uploaded! Here is some debugging info:\n";
            // print_r($_FILES['Imagenew']['error']); echo '<br><br>';
        }
        else
        {
            // Record the stored file in the images table.
            $Imagename = addslashes($_FILES["FILE$i"]['name']);
            $Imagesize = addslashes($_FILES["FILE$i"]['size']);
            dbSQL("INSERT INTO `images` (`Creation_Date`, `User`, `Folder`, `Image_Name`, `Image_Temp_Name`, `Image_Size`) VALUES ".
                "(".mtime().", '$reguserid', '$FolderID', '$Imagename', '$prefix$Imagename', '$Imagesize')");
        } // else
    } // for
} // if (isset($UploadImages))
?>
<tr>
<td width="83" height="23">Image 1:</td>
<td width="501" height="23"><input type="file" size="50" name="FILE1"></td>
</tr>
<tr>
<td width="83" height="23"></td>
<td width="501" height="23"><input name="UploadImages" id="Upload_form_mod1_Submit1" type="submit" value="Upload"></td>
</tr>
</tbody></table>
[/code]
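
An added example, not part of the original post: one way to do the check the question asks for is to decide from the file's content instead of its name, and to store the file under a name and extension the server chooses. `store_uploaded_image()` and `ALLOWED_TYPES` are hypothetical names, and PHP 7.1+ with the fileinfo extension is assumed.

```php
<?php
// Added example (not from the original post): accept an upload only if its
// content parses as GIF or JPEG. store_uploaded_image() and ALLOWED_TYPES are
// hypothetical names; needs PHP 7.1+ with the fileinfo extension.
const ALLOWED_TYPES = [
    IMAGETYPE_GIF  => ['mime' => 'image/gif',  'ext' => 'gif'],
    IMAGETYPE_JPEG => ['mime' => 'image/jpeg', 'ext' => 'jpg'],
];

// Returns the stored file name, or null when the upload is rejected.
function store_uploaded_image(array $file, string $destDir, int $maxBytes = 2097152): ?string
{
    // 1. PHP must report one cleanly received file of a sane size.
    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return null;
    }
    // 2. The header must parse as an image of an allowed type. The client-sent
    //    name and $file['type'] are never consulted.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !array_key_exists($info[2], ALLOWED_TYPES)) {
        return null;
    }
    $type = ALLOWED_TYPES[$info[2]];
    // 3. Cross-check with libmagic's content sniffing.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $type['mime']) {
        return null;
    }
    // 4. Store under a server-chosen name and extension, never the uploaded name.
    $name = bin2hex(random_bytes(16)) . '.' . $type['ext'];
    $dest = rtrim($destDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// Usage with the form's FILE1..FILE10 inputs and its ../tmpimages directory.
for ($i = 1; $i <= 10; $i++) {
    if (empty($_FILES["FILE$i"])) {
        continue;
    }
    $stored = store_uploaded_image($_FILES["FILE$i"], __DIR__ . '/../tmpimages');
    echo $stored === null ? "FILE$i rejected<br>" : "FILE$i stored<br>";
}
```

A file that passes the header checks can still carry arbitrary bytes after the image data, so the server-chosen extension is what keeps the stored file from being handled as anything but an image. Re-encoding the image with GD before storing it is a stricter option.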