PHP: Check (validate) if the Uploaded File is an Image
Posted on September 24, 2008, Filled under PHP, 
Bookmark it
In this tutorial I will show you how to create an image validator script. You can choose between 2 methods of validation: one that will verify if the file is actually an image, by checking the file’s mime-type, and the other one which checks the extension of the uploaded file.
Let’s start creating the configuration file:
config.php
<?php
/*
1 = Check if the file uploaded is actually an image no matter what extension it has
2 = The uploaded files must have a specific image extension
*/
$validation_type = 1;
if($validation_type == 1)
{
$mime = array('image/gif' => 'gif',
'image/jpeg' => 'jpeg',
'image/png' => 'png',
'application/x-shockwave-flash' => 'swf',
'image/psd' => 'psd',
'image/bmp' => 'bmp',
'image/tiff' => 'tiff',
'image/tiff' => 'tiff',
'image/jp2' => 'jp2',
'image/iff' => 'iff',
'image/vnd.wap.wbmp' => 'bmp',
'image/xbm' => 'xbm',
'image/vnd.microsoft.icon' => 'ico');
}
else if($validation_type == 2) // Second choice? Set the extensions
{
$image_extensions_allowed = array('jpg', 'jpeg', 'png', 'gif','bmp');
}
$upload_image_to_folder = 'images/';
?>Now let’s create the form that will help us to upload the file:
<form enctype="multipart/form-data" action="validate_image_upload.php" method="POST"> <!-- MAX_FILE_SIZE must be set before the input element --> <input type="hidden" name="MAX_FILE_SIZE" value="2048000" /> <!-- The name from the $_FILES array is determined by the input name --> Select an Image: <input name="image_file" type="file" /> <input type="submit" value="Upload" /> </form>
Our form will send the data to validate_image_upload.php. Here, the script will check the type of validation. If the file is validated the user will see a successful submission message and the file will be moved in the specified image folder. The uploaded file failed to pass the validation process? In this case, it will be deleted and the script will output an error message.
<?php
// Do not show notice errors
error_reporting (E_ALL ^ E_NOTICE);
if(!empty($_FILES)) // [START FILE UPLOADED]
{
include 'config.php';
$file = $_FILES['image_file'];
$file_name = $file['name'];
$error = ''; // Empty
// Get File Extension (if any)
$ext = strtolower(substr(strrchr($file_name, "."), 1));
Validation #1 – Check if the uploaded file is an image. This is done using the getimagesize() function:
array getimagesize ( string $filename [, array &$imageinfo] )
This function returns an array with specific information regarding the file. To return specific information such as width, height, mime type, channels, the file that is verified should be a valid image. If $file_info is empty, then the uploaded file is not an image.
We will detect the image’s mime type and we will use this information to add the correct extension to the file.
// Check for a correct extension. The image file hasn't an extension? Add one
if($validation_type == 1)
{
$file_info = getimagesize($_FILES['image_file']['tmp_name']);
if(empty($file_info)) // No Image?
{
$error .= "The uploaded file doesn't seem to be an image.";
}
else // An Image?
{
$file_mime = $file_info['mime'];
if($ext == 'jpc' || $ext == 'jpx' || $ext == 'jb2')
{
$extension = $ext;
}
else
{
$extension = ($mime[$file_mime] == 'jpeg') ? 'jpg' : $mime[$file_mime];
}
if(!$extension)
{
$extension = '';
$file_name = str_replace('.', '', $file_name);
}
}
}
Validation #2 – Check the extension of the uploaded file
We’ll use in_array() to determine if the filename’s extension can be found in our list with extensions from config.php. If the extension is not on the list, an error message would be generated notifying the user that the uploaded file’s extension is not an accepted one.
else if($validation_type == 2)
{
if(!in_array($ext, $image_extensions_allowed))
{
$exts = implode(', ',$image_extensions_allowed);
$error .= "You must upload a file with one of the following extensions: ".$exts;
}
$extension = $ext;
}
If no errors were found, copy the file to the specified folder ($upload_image_to_folder) and show a successful submission message to the user.
if($error == "") // No errors were found?
{
$new_file_name = strtolower($file_name);
$new_file_name = str_replace(' ', '-', $new_file_name);
$new_file_name = substr($new_file_name, 0, -strlen($ext));
$new_file_name .= $extension;
// File Name
$move_file = move_uploaded_file($file['tmp_name'], $upload_image_to_folder.$new_file_name);
if($move_file)
{
$done = 'The image has been uploaded.';
}
}
else
{
@unlink($file['tmp_name']);
}
$file_uploaded = true;
} // [END FILE UPLOADED]
?>Check the complete validate_image_upload.php file which has the HTML Form and the Validator:
validate_image_upload.php
<?php
// Do not show notice errors
error_reporting (E_ALL ^ E_NOTICE);
if(!empty($_FILES)) // [START FILE UPLOADED]
{
include 'config.php';
$file = $_FILES['image_file'];
$file_name = $file['name'];
$error = ''; // Empty
// Get File Extension (if any)
$ext = strtolower(substr(strrchr($file_name, "."), 1));
// Check for a correct extension. The image file hasn't an extension? Add one
if($validation_type == 1)
{
$file_info = getimagesize($_FILES['image_file']['tmp_name']);
if(empty($file_info)) // No Image?
{
$error .= "The uploaded file doesn't seem to be an image.";
}
else // An Image?
{
$file_mime = $file_info['mime'];
if($ext == 'jpc' || $ext == 'jpx' || $ext == 'jb2')
{
$extension = $ext;
}
else
{
$extension = ($mime[$file_mime] == 'jpeg') ? 'jpg' : $mime[$file_mime];
}
if(!$extension)
{
$extension = '';
$file_name = str_replace('.', '', $file_name);
}
}
}
else if($validation_type == 2)
{
if(!in_array($ext, $image_extensions_allowed))
{
$exts = implode(', ',$image_extensions_allowed);
$error .= "You must upload a file with one of the following extensions: ".$exts;
}
$extension = $ext;
}
if($error == "") // No errors were found?
{
$new_file_name = strtolower($file_name);
$new_file_name = str_replace(' ', '-', $new_file_name);
$new_file_name = substr($new_file_name, 0, -strlen($ext));
$new_file_name .= $extension;
// File Name
$move_file = move_uploaded_file($file['tmp_name'], $upload_image_to_folder.$new_file_name);
if($move_file)
{
$done = 'The image has been uploaded.';
}
}
else
{
@unlink($file['tmp_name']);
}
$file_uploaded = true;
} // [END FILE UPLOADED]
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Validate Image on Upload @ BitRepository.com</title>
<meta name="Author" content="BitRepository.com">
<meta name="Keywords" content="validate, image, upload, post, files">
<meta name="Description" content="How to check if an uploaded file is an image">
</head>
<body>
<center>
<?php
if($file_uploaded)
{
if($done)
{
echo '<font color="green">'.$done.'</font>';
}
else if($error)
{
echo '<font color="red">'.$error.'</font>';
}
echo '<br /><br />';
}
?>
<form enctype="multipart/form-data" action="validate_image_upload.php" method="POST">
<!-- MAX_FILE_SIZE must be set before the input element -->
<input type="hidden" name="MAX_FILE_SIZE" value="2048000" />
<!-- The name from the $_FILES array is determined by the input name -->
Select an Image: <input name="image_file" type="file" /> <input type="submit" value="Upload" />
</form>
</center>
</body>
</html>NOTE Please make sure the config.php file is located in the same folder with validate_image_upload.php, and the folder where the image file will be moved is writable.
Do you wish to receive the latest updates as soon as they are posted? Get our RSS Feed or Subscribe to the Newsletter!
- September 24, 2008
- article by Gabriel C.
- 12 comments
Related Posts
Validating an image uploadat September 8, 2008 with 3 comments
Validate (input) usernameat August 29, 2008 with 2 comments
- PHP: How to validate e-mail addresses using regular expressions
at May 21, 2008 with 2 comments
- Validate (input) password
at August 30, 2008 with 2 comments
- Validate numeric string
at May 21, 2008
Catch404: Modal Plugin for Handling Broken Links: jQuery | CSSby Gabriel C. on July 31, 2010
Discover How to Make a Website: 50 Mistakes You Should Avoidby Gabriel C. on July 13, 2010
Simple Lightboxing | The Programmer's Lightbox Tool | Lightbox_meby Gabriel C. on June 4, 2010
Grab a copy of Six Figure Affiliate Blogging: Free eBookby Gabriel C. on May 18, 2010
- High resolution zoom with image tiles: http://www.ajax-zoom.com
on August 26th, 2010 by SF
- Hi,I have implement this. When successfully logged in then not redirect to private.php... It just
on August 25th, 2010 by rashidul
- Hi, here in italian we have problem with "è, ì, à, ò" when my customer
on August 25th, 2010 by arcibald
- Hey, I wanted to know how to make this into SMTP method, cuz my server filters
on August 25th, 2010 by Anks
Categories
- AJAX (18)
- Design (9)
- Flash (19)
- Freebies (5)
- General (3)
- Graphics (13)
- HTML & CSS (28)
- Frameworks (7)
- JavaScript (122)
- Frameworks (4)
- jQuery (58)
- MooTools (13)
- Photoshop (2)
- PHP (102)
- Reviews (4)
- Statistics (2)
- Web Tools (6)
- Wordpress (14)
Poll
Loading ...Tag Cloud
- ajax login
- alphabetical
- array
- auto grow
- base
- calculate
- captcha
- chart
- charts
- countdown
- css framework
- delimiters
- documents
- dropdown
- extension
- extract
- filename
- fonts
- form
- gd library
- icon set
- iphone
- lightbox
- mod_rewrite
- percent
- Photo Gallery
- picker
- random
- remove
- script.aculo.us
- search
- shopping cart
- skin form elements
- slider
- syntax highlighter
- tableless
- to-do
- validate
- web analytics
- web fetch
- WYSIWYG
- zoom
12 Replies to "PHP: Check (validate) if the Uploaded File is an Image"
October 3, 2008 at 11:36 AM
what u can help for this ,i`m upload crocus.gif today at 19:32 i that file have comand inside
en demo page no have problemas why?
October 3, 2008 at 11:39 AM
I don’t understand you 100%. Are you having problems uploading an image or that image isn’t recognized?
October 15, 2008 at 6:04 AM
how to validate the file name will occur in this code:
function validate()
{
if(isset(“./upload/”.$HTTP_POST_FILES['file']['name'] == $HTTP_POST_FILES['file']['tmp_name']))
{
alert(“the file has been already placed”);
}
else
{
alert(“the file has been upload successfully”);
}
}
October 15, 2008 at 6:21 AM
This isn’t the right way to do it! Also, you should use $_FILES instead of $HTTP_POST_FILES (that is for earlier PHP Versions lower than 4.1.0).
December 16, 2008 at 11:25 AM
Why just check the file extension, when someone could upload something else, with the extension changed.
Divide the image width or height, as you cannot divide by zero.
December 26, 2008 at 5:05 AM
Then just use the first validation type. I've added the extension checker just in case someone is interested in it, because I've seen many scripts that use it. Anyway, why someone would bother to upload something else with the extension changed? The file has an image extension and if, for instance, is a PHP file, it cannot be executed and the webmaster will notice that this is not an image because it won't load. However, to avoid such things, I recommend using the first validator that checks if the file is an image, without taking into consideration the extension.
January 1, 2009 at 8:54 PM
Thanks, this helped alot!
February 5, 2009 at 4:34 AM
thank u much….
is very helpful to me..
February 8, 2009 at 3:42 PM
Thanks! It is helpful.
February 17, 2009 at 11:02 PM
The reason why most utilities do an extension check rather than a mime type check is because mime-types are set by the browser uploading the file, not the server itself. Thus, a would-be hacker can upload a php file, declaring it to be the mime type of image/jpeg.
Although, looking at your code, you do deal with this problem fairly successfully, stripping off the old file extension and replacing it with the declared file extension. That is an interesting way to untaint.
But otherwise, you cannot trust that the mime-type and the file extension agree.
August 20, 2009 at 11:02 PM
In php image upload validation you cannot always depend on the mime type being correct. Good idea about dividing width and height attributes though.
February 4, 2010 at 7:58 AM
okay this look really good. But I do not know what to do with it other than to put it in my folder. How can I make this work with a php page that I have. For instance I would like the uploader to be on a page that people can upload picture and for the picture to go to my database name “recipe” from the table “recipes” under the “picture” column.
Do I need to change any of your code to do this?