A file upload feature requires basic validation to sanitize the user input, because an unvalidated upload option is a common target for abuse with malicious intent.
An improperly implemented file upload input is a serious security weakness. We need to validate uploaded files on the server before saving them to reduce that risk.
I have created an HTML form with an option to upload files. When the form is submitted, the file data is sent to PHP and validated on the server side.
I check that the uploaded file is an image, and I validate it against an allowed set of image extensions, a maximum size and a maximum dimension. Only after all of these validations pass is the image file saved in the specified target location.
The following screenshots show the success and failure cases when running this PHP image upload with validation example. Refer to this earlier article for PHP AJAX image upload.
The server-side image file validation covers the following aspects.
This form contains a file input that lets the user choose the file to be uploaded. On submitting the form, the file data is sent to PHP, which uploads it to the target location after validation.
<h2>PHP Image Upload with Size Type Dimension Validation</h2>
<form id="frm-image-upload" action="index.php" name="img" method="post"
    enctype="multipart/form-data">
    <div class="form-row">
        <div>Choose Image file:</div>
        <div>
            <input type="file" class="file-input" name="file-input">
        </div>
    </div>
    <div class="button-row">
        <input type="submit" id="btn-submit" name="upload"
            value="Upload">
    </div>
</form>
<?php if(!empty($response)) { ?>
<div class="response <?php echo $response["type"]; ?>">
    <?php echo $response["message"]; ?>
</div>
<?php } ?>
In PHP, we validate the file type, size and dimension before uploading. The uploaded file data (name, size, temporary location) is available in the $_FILES["file-input"] array, matching the name attribute of the file input. The PHP move_uploaded_file() function then saves the file using the temporary path stored in the $_FILES superglobal.
I use the PHP function getimagesize() to read the image dimensions for validation. The allowed image file extensions are listed in an array, and the extension of the uploaded file is checked against that array.
You can change this array to whichever image file extensions you prefer. After successful validation, the PHP move_uploaded_file() function saves the file in the specified target.
<?php
if (isset($_POST["upload"])) {
    $allowed_image_extension = array(
        "png",
        "jpg",
        "jpeg"
    );
    // Get image dimension. getimagesize() returns false when the file is
    // missing or is not an image, so default the dimensions to 0 in that case.
    $fileinfo = @getimagesize($_FILES["file-input"]["tmp_name"]);
    $width = ($fileinfo !== false) ? (int) $fileinfo[0] : 0;
    $height = ($fileinfo !== false) ? (int) $fileinfo[1] : 0;
    // Get image file extension, lower-cased so "JPG" matches "jpg"
    $file_extension = strtolower(pathinfo($_FILES["file-input"]["name"], PATHINFO_EXTENSION));
    // Validate file input to check that a file was actually uploaded in this request
    if ($_FILES["file-input"]["error"] !== UPLOAD_ERR_OK || ! is_uploaded_file($_FILES["file-input"]["tmp_name"])) {
        $response = array(
            "type" => "error",
            "message" => "Choose image file to upload."
        );
    } // Validate file input to check that it has a valid extension
    else if (! in_array($file_extension, $allowed_image_extension)) {
        $response = array(
            "type" => "error",
            "message" => "Upload valid images. Only PNG and JPEG are allowed."
        );
    } // Validate that the content really is an image, not just a renamed file
    else if ($fileinfo === false) {
        $response = array(
            "type" => "error",
            "message" => "Upload valid images. Only PNG and JPEG are allowed."
        );
    } // Validate image file size
    else if ($_FILES["file-input"]["size"] > 2000000) {
        $response = array(
            "type" => "error",
            "message" => "Image size exceeds 2MB"
        );
    } // Validate image file dimension (integer comparison, not string)
    else if ($width > 300 || $height > 200) {
        $response = array(
            "type" => "error",
            "message" => "Image dimension should be within 300X200"
        );
    } else {
        $target = "image/" . basename($_FILES["file-input"]["name"]);
        if (move_uploaded_file($_FILES["file-input"]["tmp_name"], $target)) {
            $response = array(
                "type" => "success",
                "message" => "Image uploaded successfully."
            );
        } else {
            $response = array(
                "type" => "error",
                "message" => "Problem in uploading image files."
            );
        }
    }
}
?>
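The validation above trusts two client-controlled values: the file extension taken from the uploaded name and the size reported in $_FILES. The following is an added example, not the tutorial's own code, showing a hardened version of the same checks: it determines the type from the file content (getimagesize() and finfo must agree), measures the size of the temporary file on disk, and stores the file under a random name with an extension derived from the detected type rather than from the client's file name. It assumes the form field is still named "file-input" and that the directory "image/" exists and is writable; both are assumptions.

```php
<?php
// Added example (not the tutorial's code): content-based image upload validation.
// Assumed: form field "file-input" and a writable "image/" directory.

const MAX_IMAGE_BYTES = 2000000;
const MAX_WIDTH = 300;
const MAX_HEIGHT = 200;

/**
 * Validates one $_FILES entry and, if it passes, moves it into $target_dir.
 * Returns array("type" => ..., "message" => ...) and, on success, "path".
 */
function validate_and_store_image(array $file, string $target_dir): array
{
    // Detected MIME type => extension we store. Only the tutorial's formats are listed.
    $allowed_image_types = array(
        "image/png" => "png",
        "image/jpeg" => "jpg",
    );
    // 1. PHP's own upload status covers "no file chosen", partial uploads and ini size limits.
    if (! isset($file["error"]) || $file["error"] !== UPLOAD_ERR_OK) {
        return array("type" => "error", "message" => "Choose image file to upload.");
    }
    // 2. The temp file must come from this request's upload, not from a path the client chose.
    if (! is_uploaded_file($file["tmp_name"])) {
        return array("type" => "error", "message" => "Invalid upload source.");
    }
    // 3. Size is measured on the actual temp file, not taken from the client-reported value.
    if (filesize($file["tmp_name"]) > MAX_IMAGE_BYTES) {
        return array("type" => "error", "message" => "Image size exceeds 2MB");
    }
    // 4. Content-based type check: getimagesize() parses the image header and reports
    //    the real MIME type; finfo must report the same type, so a script renamed
    //    to .jpg is rejected regardless of its extension.
    $info = @getimagesize($file["tmp_name"]);
    if ($info === false || ! array_key_exists($info["mime"], $allowed_image_types)) {
        return array("type" => "error", "message" => "Upload valid images. Only PNG and JPEG are allowed.");
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file["tmp_name"]) !== $info["mime"]) {
        return array("type" => "error", "message" => "Upload valid images. Only PNG and JPEG are allowed.");
    }
    // 5. Dimension check with integer comparison.
    if ((int) $info[0] > MAX_WIDTH || (int) $info[1] > MAX_HEIGHT) {
        return array("type" => "error", "message" => "Image dimension should be within 300X200");
    }
    // 6. Never reuse the client's file name: a random name avoids overwriting existing
    //    files and path tricks, and the extension comes from the detected type.
    $extension = $allowed_image_types[$info["mime"]];
    $target = rtrim($target_dir, "/") . "/" . bin2hex(random_bytes(16)) . "." . $extension;
    if (! move_uploaded_file($file["tmp_name"], $target)) {
        return array("type" => "error", "message" => "Problem in uploading image files.");
    }
    return array("type" => "success", "message" => "Image uploaded successfully.", "path" => $target);
}

// Usage in the same page as the form above; $response feeds the existing response div.
if (isset($_POST["upload"]) && isset($_FILES["file-input"])) {
    $response = validate_and_store_image($_FILES["file-input"], "image");
}
?>
```

The function returns the same response array shape the tutorial's page already prints, so it can replace the inline if/else chain without changing the HTML. Keeping the upload directory outside the web root, or configuring the web server not to execute scripts from it, is a separate server-side control that complements these checks.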
Thank you
Welcome David.
Hi Vincy
I am relatively new to php – thank you for this wonderful tutorial on image upload validation.
I get an error: Undefined Variable 'result' on line 29.
Perhaps I'm missing something, but I don't see $result used anywhere else in the code?
Thank you
Hi Fred,
That's my mistake. 'result' is not required. I left it after debugging. Now I have updated the code, thank you for your time.
Great article!
I followed this tutorial and was able to create my own forms. But i have some questions.
1. What is the meaning of that @getimagesize that you added to the code, when the actual function is getimagesize()?
2. My HTML code and PHP validation are all in one page called contact.php, and because of this I left action="" blank.
Since the form is being processed in the same page, I want to know the security implications of leaving action="" blank, and also whether there is any security risk in having both the HTML form and the PHP form handling in one page?
Thank you Chris.
1. @getimagesize – the meaning of this is: if this function is not available (if the package is not enabled), this will suppress the error.
2. No security risk involved when you have HTML and PHP on same page.
Really Image validation code is very helpful.
thanks
Hi Hannan,
Thanks and welcome.
Hi Vincy,
wonderful explanation there!
As a beginner, what books do you recommend?
Hi David,
Head first PHP is a nice one to start with.
Thanks for the great code.
Welcome Smith.
Nice explanation
Thank you Rasheeda.
Nice tutorial, it helps me.
Thank you Samsul.
It's very helpful…
Thank you Vignesh.
Very nice, thanks a lot.
Welcome Ashish.