
I'm making a social networking website and I'm trying to make it so that you can change your avatar. Here is my code for the avatar changing process:

mysql_connect("website", "dbuser", "dbpass");
mysql_select_db("dbtable");
$upload_path = "./account/{$_SESSION["id"]}/";

// Re-check the posted email and password before allowing the avatar change.
$pw = $_POST['password'];
$email = $_POST['email'];
$q = mysql_query("SELECT * FROM `users` WHERE `email`='$email' AND `password`='$pw' LIMIT 1");
if(!$q) die(mysql_error());
if(mysql_num_rows($q) == 0) die("Authorization failed.");

// Only PNG avatars are accepted; this is the check that always fails.
$allowed = array('png');
$filename = $_FILES['newimage']['name'];
if(!($_FILES['newimage']['type'] == 'image/png')) {
    die('The file is incorrect, only PNG files are allowed.');
}

// 10 MB size limit.
$max_filesize = 10485760;
if(filesize($_FILES['newimage']['tmp_name']) > $max_filesize)
    die('The file you attempted to upload is too large.');
if(!is_writable($upload_path))
    die('You cannot upload to the specified directory, please CHMOD it to 777.');

// Move the temporary upload into the user's account directory as profile.png.
if(move_uploaded_file($_FILES['newimage']['tmp_name'], "./account/".$_SESSION['id']."/profile.png"))
    echo 'Successfully changed avatar.';
else
    echo 'There was an error during the file upload.  Please try again.';

The problem here is that it always says "The file is incorrect, only PNG files are allowed." I don't see anything wrong with this code; how would I fix this?

  • Tried to print_r your $_FILES or at least $_FILES['newimage']['type']? Commented Jan 9, 2015 at 10:11
  • Please note that the mysql_ functions have been deprecated for years now and are insecure. Also note that your code is open to SQL injection. Try to put a correct email in your login form and a wrong password, e.g. [email protected]' -- (notice the ' --?). Suddenly you don't even have to know the password thanks to SQL injection and you can log in as anyone. If you don't know the email, don't worry: ' OR username = 'admin' -- Commented Jan 9, 2015 at 10:13
  • die('You cannot upload to the specified directory, please CHMOD it to 777.'); ... ouch! Please try to get some basics down about the LAMP stack and security before attempting anything as convoluted as a social networking site. Commented Jan 9, 2015 at 10:14

2 Answers


Because of this:

if(!($_FILES['newimage']['type'] == 'image/png')) {
    die('The file is incorrect, only PNG files are allowed.');
}

You're saying: if the file type is not image/png, exit the current script and say that only PNG is allowed. You could remove this, but that would allow any file type to be uploaded.

But since you only want pictures, change the if statement to allow png, jpg, gif and whatever image types you want to allow. (See @robin's answer for this.)



At the line:

if(!($_FILES['newimage']['type'] == 'image/png')) {
    die('The file is incorrect, only PNG files are allowed.');
}

You should change that if statement to:

$allowedImages = array('image/png');
if(!in_array($_FILES['newimage']['type'], $allowedImages)) {
    die('The file is incorrect, only PNG files are allowed.');
}

Now you can add image types by adding them to the array like so:

// Browsers report JPEG uploads as 'image/jpeg', not 'image/jpg'.
$allowedImages = array('image/png', 'image/jpeg', 'image/gif');

The three lines you had were only checking whether the file type is exactly image/png.

1 Comment

Thank you for waiting until I came back from my weekend vacation. /sarcasm What file are you trying to upload? Try to echo $_FILES['newimage']['type'] and see what it returns; that type then needs to be added to the array.
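Both answers keep the comparison on $_FILES['newimage']['type'], but that value is set by the browser from the client's request, so it can be wrong (which explains the rejected uploads) or deliberately faked. The following added example, written for this question and not taken from either answer, validates the avatar from the file's actual contents instead; the function name validate_png_upload and the $upload parameter are assumptions for this example.

```php
<?php
// Added example: validate an avatar upload without trusting the client-supplied
// $_FILES['newimage']['type']. Names here (validate_png_upload, $upload) are
// assumptions for this example, not part of the original question or answers.

function validate_png_upload(array $upload, int $max_bytes = 10485760): ?string
{
    // Reject anything PHP itself flagged while receiving the upload.
    if (!isset($upload['error']) || $upload['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed with error code ' . ($upload['error'] ?? 'unknown') . '.';
    }
    // Only accept a file that really arrived through an HTTP POST upload.
    if (!is_uploaded_file($upload['tmp_name'])) {
        return 'Not an uploaded file.';
    }
    if (filesize($upload['tmp_name']) > $max_bytes) {
        return 'The file you attempted to upload is too large.';
    }
    // Server-side MIME detection reads the file bytes, not the client header.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($upload['tmp_name']);
    $allowed  = ['image/png'];          // extend with 'image/jpeg', 'image/gif' if wanted
    if (!in_array($detected, $allowed, true)) {
        return "The file is incorrect ($detected detected), only PNG files are allowed.";
    }
    // getimagesize() confirms the image header parses and reports the real type.
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_PNG) {
        return 'The image could not be parsed as a PNG.';
    }
    return null; // null means every check passed
}

// Usage in the avatar handler, after the user has been authenticated:
$error = validate_png_upload($_FILES['newimage']);
if ($error !== null) {
    die(htmlspecialchars($error, ENT_QUOTES, 'UTF-8'));
}
// Store under a fixed, server-chosen name; never reuse the client's filename.
$dest = './account/' . (int) $_SESSION['id'] . '/profile.png';
if (move_uploaded_file($_FILES['newimage']['tmp_name'], $dest)) {
    echo 'Successfully changed avatar.';
} else {
    echo 'There was an error during the file upload. Please try again.';
}
```

These checks confirm the file is a PNG but do not strip extra data appended to a valid image; re-encoding the accepted file with GD (imagecreatefrompng followed by imagepng) before storing it drops anything that is not image data.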
