If that code came from w3 schools then their standards are really slipping.
These lines:
&& ($_FILES["file"]["size"] < 20000))
&& in_array($extension, $allowedExts))
Should be:
&& ($_FILES["file"]["size"] < 20000)
&& in_array($extension, $allowedExts))
Note the position of the brackets.
You also need to use an editor such as Notepad++ which will show you line numbers but also allow you to see how brackets are paired up. See the coding styles link in my signature for more information on that.
//Please don't use this for your form processing:
if (isset($_POST['submit']))
//Internet Explorer has a bug and does not always send the submit value.
Your code is better than theirs but still has built in error modes. What if the file is .JPG or .JPEG, it would fail.
PHP Code:
$ftype = $_FILES['file']['type']; // check $ftype in your inarray statement.
$extension = basename($ftype);
If you have an application that reads the file header it may be able to get the actual file type as opposed to the mere alleged one, so you can detect scripts that are snuck in as .jpg, for instance. I use imagemagick identify for that.
while when you set a limit to explode() it will give you a part of the string
Regardless, this doesn't work. If I take $extension out of in_array(), then what's the point of using it? Whether I use it or not, it just says Invalid File, though I'm uploading a .png
That's what that code will do, but it will just be lower case. Since I don't know exactly what becomes of the downloaded file I can't really tell you much more. You still have to change more code for it to work, but I've used what I suggest and it's bulletproof code. You can also save the original filename and give the file a working filename if it will be modified. Then when it's downloaded it can take the original filename.
Last edited by DrDOS; 07-18-2012 at 01:48 AM..
Reason: add stuff
Let's just try to get this code to work, since I'm trying to learn why I am making a mistake, not cover one up by using a different method
From my understanding, end() makes sure a file uploaded can't be spam.jpgspam.exe and explode() is to split the string where before a "." appears? Not that great of a method for security I suppose, since if there were multiple "."'s it would blow up?
And so the script is checking whether it is an image/(supported), as well as checking if it ends with .(supported), which seems redundant.
But either way, I'm much more curious as to why I get this error:
Strict Standards: Only variables should be passed by reference in C:\xampp\htdocs\php\upload.php on line 6
Wait? end(explode()) would be to find the last place .(supported) was used...
so it's to prevent spam.jpgspam.exe
It would find .exe and say that $extension is not in_array of $allowed
It doesn't work, because $allowed has image/(supported), while it's checking for (supported)
Am I correct?
I just checked out how 'end' works in php, and I know why you get an error with it. Simple. It modifies an array by removing all but the last element. So in your original post you need to use $extension[0] in the in_array test.
It doesn't actually remove it from an array.
End works by changing the pointer of the array to the last position, then issues a current to grab and return it. Because of the shift on the pointer, the array provided MUST be a variable, and not an argument that returns an array (such as a function).
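
The points raised in this thread, put together as an added example that is not code from any poster: the explode() result is stored in a variable before end() is called, the extension is compared case-insensitively, and the file's leading bytes are checked instead of the browser-supplied type. The names checkUpload, ALLOWED and MAX_BYTES are hypothetical, the sample files are constructed, and the signature comparison is a simple stand-in for the ImageMagick identify check mentioned earlier.

```php
<?php
// Added example: hypothetical helper names; sample files are constructed below.
const ALLOWED = [            // extension => leading bytes of a real file of that type
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'gif'  => ['GIF87a', 'GIF89a'],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
];
const MAX_BYTES = 20000;     // same limit as the code in the thread

function checkUpload(string $clientName, string $tmpPath): string
{
    // explode() returns a temporary value; end() takes its argument by
    // reference, so the array has to be stored in a variable first.
    $parts = explode('.', $clientName);
    $extension = strtolower(end($parts));   // .JPG and .jpg compare equal

    // A name with no dot has no extension at all.
    if (count($parts) < 2 || !isset(ALLOWED[$extension])) {
        return 'rejected: extension';
    }
    if (filesize($tmpPath) >= MAX_BYTES) {
        return 'rejected: size';
    }
    // Compare the file's first bytes with the signature for that extension,
    // instead of trusting the browser-supplied $_FILES[...]['type'].
    $head = (string) file_get_contents($tmpPath, false, null, 0, 8);
    foreach (ALLOWED[$extension] as $signature) {
        if (strncmp($head, $signature, strlen($signature)) === 0) {
            return 'accepted';
        }
    }
    return 'rejected: content';
}

// Constructed sample inputs (not real uploads).
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32));
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, '<?php echo "hi";');

echo checkUpload('photo.PNG', $png), "\n";
echo checkUpload('spam.jpgspam.exe', $png), "\n";
echo checkUpload('holiday.jpg', $script), "\n";
unlink($png);
unlink($script);
```

A matching signature only shows that the file starts like an image; storing uploads under a server-generated name outside any directory that executes scripts remains a separate control.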