-1

Hello i want to ask something about my code,i want filter the uploaded file just image only,this code is work but when i upload a movie,it keeps uploading and didnt execute the condition that i made,anyone can fix it ? thanks

    <?php

    include "connect.php";

    $username = $_POST['username'];
    $fullname = $_POST['fullname'];
    $phone =$_POST['phone'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $encryptPassword = md5($password);
    $sex = $_POST['sex'];
    $pict = $_FILES['pict']['name'];

    $tmp = $_FILES['pict']['tmp_name'];
    $newpict = date('dmYHis').$pict;
    // Set path folder tempat menyimpan fotonya 
    $path = "../../CRUD/user/images/".$newpict;
    $foto_size = $_FILES["pict"]["size"];
    $info = getimagesize($tmp);

if ($info === FALSE) {?>
   <script language="javascript">alert("Sign Up Failed");</script>
    <script>document.location.href='daftar.php';</script><?php

}
if (($info[2] !== IMAGETYPE_GIF) && ($info[2] !== IMAGETYPE_JPEG) && ($info[2] !== IMAGETYPE_PNG) ) {?>
    <script language="javascript">alert("Sign Up Failed");</script>
    <script>document.location.href='daftar.php';</script>
    <?php
}
else{ 

if($foto_size < 1000000 && (strlen(trim($password))>=8)){
    if(move_uploaded_file($tmp, $path)){
        $sql_buat = "INSERT INTO user(id_user, username, fullname, email,phone, password, sex,user_picture) VALUE('','$username','$fullname','$email','$phone','$encryptPassword','$sex','$newpict')";

            if(isset($_POST['username'])&&($_POST['email']))
                {
                    $name=$_POST['username'];
                    $email=$_POST['email'];
                    $checkdata=" SELECT * FROM user WHERE email='$email' and username='$name' ";
                    $query=mysqli_query($conn,$checkdata);
                    if(mysqli_num_rows($query)>0)
                        {?>
                            <script language="javascript">alert("Username and Email Already Exist");</script>
                            <script>document.location.href='daftar.php';</script><?php
                        }
            }   
            if(isset($_POST['username']))
            {
                $name=$_POST['username'];
                $checkdata=" SELECT username FROM user WHERE username='$name' ";
                $query=mysqli_query($conn,$checkdata);
                if(mysqli_num_rows($query)>0)
                    {?>
                        <script language="javascript">alert("Username Already Exist");</script>
                        <script>document.location.href='daftar.php';</script><?php
                    }
            /*else
                {
                    echo "OK";
                }
            exit();
        }*/
            }

            if(isset($_POST['email']))
                {
                    $email=$_POST['email'];
                    $checkdata=" SELECT email FROM user WHERE email='$email' ";
                    $query=mysqli_query($conn,$checkdata);
                    if(mysqli_num_rows($query)>0)
                        {?>
                            <script language="javascript">alert("Email Already Exist");</script>
                            <script>document.location.href='daftar.php';</script><?php
                        }
                /*else
                    {
                        echo "OK";
                    }
                    exit();

*/
                }
            if (mysqli_query($conn, $sql_buat)){
?>
                <script language="javascript">alert("Sign up Successful");</script>
                <script>document.location.href='../login/login.php';</script>
            <?php
            }
            else{
    ?>
                <script language="javascript">alert("Sign up failed");</script>
                <script>document.location.href='daftar.php';</script>
            <?php
            }
            mysqli_close($conn);
            }
    else{
            echo "Sorry picture cant upload.";
            echo "<br><a href='inputitems.php'>Back to Form</a>";
        }
    }
else{?>
    <script language="javascript">alert("Sign up failed");</script>
    <script>document.location.href='daftar.php';</script><?php
  }
 }

            mysqli_close($conn);

?>
muhammad ilham ramadhan
  • 59
  • 8
  • You're checking if it's a image on PHP. PHP only can do it AFTER upload. Do some checks BEFORE send the form with javascript. – Sakura Kinomoto Jun 02 '17 at 23:45
  • You can check this question for advice: https://stackoverflow.com/questions/18299806/how-to-check-file-mime-type-with-javascript-before-upload – Sakura Kinomoto Jun 02 '17 at 23:46
  • 1
    md5 is inappropriate for hashing passwords. Instead use: http://php.net/password_hash – Mike Jun 02 '17 at 23:58
  • "*it keeps uploading*" - What does that mean exactly? – Mike Jun 03 '17 at 00:00
  • 1
    You should also be using prepared statements with bound parameters. Your script is vulnerable to SQL injection attacks. – Mike Jun 03 '17 at 00:05
  • Just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use a function such as `PBKDF2`, `Rfc2898DeriveBytes`, `password_hash`, `Bcrypt` or similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. – zaph Jun 03 '17 at 01:21

1 Answers1

0

On your HTML5 use

<input type="file" name="myImage" accept="image/x-png,image/gif,image/jpeg" />

and on your PHP use

     $ext_array = array("jpg", "gif", "png");
    $type = $_FILE['type'];
    $temp = explode(".", $_FILE["name"]);
    if(stristr($type, 'image') && in_array(end($temp), $ext_array)){
        move_uploaded_file($_FILE["tmp_name"], 'upload/' . 'newname.jpg')
    }

Thas the general idea.

Tanker
  • 983
  • 3
  • 13
  • 41