图片上的PHP验证

Question

I am having problems with the image upload part of my code, the image uploads fine, but the validation is not working properly.

My full code can be seen here: http://phpfiddle.org/main/code/a0iw-ce7p

I can also upload an image without entering the rest of the information, all information, including upload of the image should be filled before uploading.

The PHP fiddle would not allow this part of the code in at the end:

 else {
//upload the file

if (move_uploaded_file($_FILES["file_upload"]["tmp_name"], $target_file)) {
    echo "The file ". basename( $_FILES["file_upload"]["name"]). " has been uploaded.";     

//escapes special characters in a string for use in an SQL statement(escape variables for security)
$year = mysqli_real_escape_string($con, $_POST['year']);
$description = mysqli_real_escape_string($con, $_POST['description']);
$image = mysqli_real_escape_string($con, $_POST['file_upload']);
$decade = mysqli_real_escape_string($con, $_POST['dateID']);

//insert data into database and check whether the connection and query exist and are error free
$sql = mysqli_query($con, "INSERT into details (year, description, image, dateID) VALUES ('$year', '$description', '$target_file', '$decade')") or die(mysqli_error($sql));

//redirect user to a confirmation page
header("location: admin.php");
//close the connection when done    
mysqli_close($con);
  }
      else {
    $uploadErr = "*there was an error uploading your file";     
  }     
}
}

Here is the image validation:

// specifies the directory where the file is going to be placed
$target_dir = "img/";
$uploadOk = 0;
$year = $description = $dateID = "";
$yearErr = $descriptionErr = $decadeErr = $uploadErr = "";

//when user clicks upload

if ( !empty($_POST) ) {
    // specifies the path of the file to be uploaded
   if(!empty($_FILES["file_upload"])){
          $target_file = $target_dir . basename($_FILES["file_upload"]["name"]);

          // holds the file extension of the file
          $imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);
          // gets the image size
          $check = getimagesize($_FILES["file_upload"]["tmp_name"]);
     }


 //if the year is left empty then show error, if not then test_input
  if (empty($_POST["year"])) {
    $yearErr = "*enter a year";
  } else {
    $year = test_input($_POST["year"]);
  }

//if the year is left empty then show error, if not then test_input
  if (empty($_POST["year"])) {
    $yearErr = "*enter a year";
  } else {
    $year = test_input($_POST["year"]);
  }

//if the description is left empty then show error 
  if (empty($_POST["description"])) {
    $descriptionErr = "*enter a description";
  } else {
    $description = test_input($_POST["description"]);
  }

// If the date has not been selected in the drop down, and the select is left at "Please Select" value = 0
     if(isset($_POST['dateID']) && $_POST['dateID'] == '0'){
        $decadeErr = "*select a decade";    
    }

 else {
    $dateID = test_input($_POST["dateID"]);
  }



// checks the pathname and image size of the file

if($check !== false) {
        //file is an image
        $uploadOk = 1;
    }

 // if not, echo to the screen that it is not an image
    else {
        $uploadErr = "*file is not an image";
    }

// Checks if file already exists

if(file_exists($target_file)) {
    $uploadErr = "*file already exists";
}

// If file type is not jpg, png, jpeg or gif then display message
$pattern = '/(jpg|png|jpeg|gif)/';
if(!preg_match($pattern,$imageFileType)) {
 $uploadErr = "*upload an appropriate image";
}

// Check if $uploadOk is set to 0
if ($uploadOk == 0) {
    $uploadErr = "*your file was not uploaded";
}


    else {
        $uploadErr = "*there was an error uploading your file";     
    }       
}

Answer 1

Your logic is wrong.

Non-Image Files

You do your check for whether it's an image via getimagesize and assign that value to $check . Then you do this:

if($check !== false) {
    //file is an image
    $uploadOk = 1;
}
// if not, echo to the screen that it is not an image
else {
    $uploadErr = "*file is not an image";
}

So, if it is not an image, now you have $check === false and $uploadErr === "*file is not an image" . $uploadOk is still 0 .

But then you have this block:

// Checks if file already exists

if(file_exists($target_file)) {
    $uploadErr = "*file already exists";
}

// If file type is not jpg, png, jpeg or gif then display message
$pattern = '/(jpg|png|jpeg|gif)/';
if(!preg_match($pattern,$imageFileType)) {
    $uploadErr = "*upload an appropriate image";
}

// Check if $uploadOk is set to 0
if ($uploadOk == 0) {
    $uploadErr = "*your file was not uploaded";
}


else {
      $uploadErr = "*there was an error uploading your file";     
}

Because $uploadOk is still 0 , the last if statement results in $uploadErr === "*your file was not uploaded" .

Duplicate Files

You do a check for whether the files exists and you set $uploadErr appropriately. But from what you have posted, it looks like you go ahead and try to move the uploaded file even if $uploadErr is non-empty. (It's a little hard to tell what you're doing because you posted your code in two distinct pieces.)