
I am trying to make an avatar image upload for WordPress users on the front end. I am using this code:

$files = $_FILES['post_files'];

// For a multi-file input ("post_files[]"), $_FILES['post_files'] holds one
// array per attribute ('name', 'type', 'tmp_name', ...), indexed by file number
foreach($files['type'] as $index => $uploaded_file_type){

  // $uploaded_file_type is the MIME type as reported by the browser
  $allowed_file_types = array('image/jpg', 'image/jpeg', 'image/png', 'image/gif');
  if(!in_array($uploaded_file_type, $allowed_file_types, true)) {
    $errors['image_empty'] = __( 'this image is not valid', 'themename' );
  }

}

It doesn't allow uploading a PHP file, but if they change the PHP file extension to png or jpeg they can upload the PHP file to my server. I tried to use getimagesize() but I couldn't; I am a newbie at PHP. Or is there any other solution?

Thanks for answers.

4
  • Why do you need to check this? If they upload a PHP file as an image, the worst that will happen is the image won't show - your server won't run the PHP in it (unless it is really badly configured :)). Commented May 22, 2016 at 21:11
  • I am using DreamHost, and if I can upload the shell.php I can reach all the files and can edit them. Commented May 22, 2016 at 21:22
  • Not if it doesn't have a .php extension... Commented May 22, 2016 at 21:24
  • @Ayd In, just move the $allowed_file_types = array('image/jpg', 'image/jpeg', 'image/png', 'image/gif'); out of the foreach. It is not needed to redeclare it every time. Commented Apr 9, 2024 at 16:33

2 Answers

1

If you use the WordPress image uploader (media uploader, etc.), use this:

To disable a file format:

add_filter('upload_mimes','remove_mime_types');
function remove_mime_types($mimes){
  // remove the extension => MIME type entry from the allowed list
  unset( $mimes['mp4'] );
  // the filter callback must return the (modified) array, otherwise every upload type is dropped
  return $mimes;
}

To enable a file format:

add_filter('upload_mimes','add_custom_mime_types');
function add_custom_mime_types($mimes){
   // add extension => MIME type pairs to the list WordPress accepts
   return array_merge($mimes,array (
     'ac3' => 'audio/ac3',
     'mpa' => 'audio/MPA',
     'flv' => 'video/x-flv',
     'svg' => 'image/svg+xml'
   ));
}

For more information, visit Paulund's article: https://paulund.co.uk/change-wordpress-upload-mime-types

0

Try this:

$files = $_FILES['post_files'];

foreach ($files['tmp_name'] as $key => $tmp_name) {
    // MIME type as reported by the browser for this file
    $uploaded_file_type = $files['type'][$key];
    $allowed_file_types = array('image/jpg', 'image/jpeg', 'image/png', 'image/gif');

    // Check if file type is allowed
    if (!in_array($uploaded_file_type, $allowed_file_types, true)) {
        $errors['image_empty'] = __('This image is not valid', 'themename');
        continue;
    }

    // Check if the file is really an image using getimagesize()
    $image_info = getimagesize($tmp_name);
    if ($image_info === false) {
        $errors['image_empty'] = __('This file is not an image', 'themename');
        continue;
    }

}

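As an added example (not code from the question or from either answer), here is a check that decides by the bytes actually uploaded rather than by the browser-supplied $_FILES['type'] or the extension the user chose; it assumes PHP's fileinfo extension is enabled and constructs its own sample files:

```php
<?php
// Added example: validate an upload by its content, not by $_FILES['type']
// (which the browser sets) or by the extension in the client filename.
// Assumes the fileinfo extension is enabled.

function validate_image_upload(string $tmp_name, string $client_name): ?string {
    // Detected MIME type => extensions accepted for that type.
    $allowed = [
        'image/jpeg' => ['jpg', 'jpeg'],
        'image/png'  => ['png'],
        'image/gif'  => ['gif'],
    ];

    // 1. Let libmagic classify the actual content; PHP source renamed to
    //    .png is reported as text/x-php (or text/plain), never as an image.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_name);
    if ($detected === false || !isset($allowed[$detected])) {
        return 'content is ' . ($detected ?: 'unknown') . ', not an allowed image';
    }

    // 2. Independent check: the image header must parse and agree with finfo.
    $info = @getimagesize($tmp_name);
    if ($info === false || image_type_to_mime_type($info[2]) !== $detected) {
        return 'file does not parse as the image type it claims to be';
    }

    // 3. The extension must match the content, so avatar.php holding PNG
    //    bytes is rejected too. (Store under a server-generated name anyway.)
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed[$detected], true)) {
        return "extension .$ext does not match detected type $detected";
    }
    return null; // accepted
}

// Constructed samples: a real 1x1 PNG, and a PHP script renamed to .png.
$real_png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($real_png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='));
$fake_png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake_png, "<?php echo 'not an image'; ?>\n");

var_dump(validate_image_upload($real_png, 'avatar.png')); // real PNG, matching extension
var_dump(validate_image_upload($fake_png, 'avatar.png')); // PHP source renamed to .png
var_dump(validate_image_upload($real_png, 'avatar.php')); // PNG bytes, but .php extension
unlink($real_png);
unlink($fake_png);
```

Inside a WordPress theme, wp_check_filetype_and_ext() performs a comparable content-based check for image uploads and is the idiomatic choice there.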