Cool! Nice tutorial. :)
IE is kinda funny with how it gives its MIME types. For example, it sends image/pjpeg where Firefox or other browsers would just use image/jpeg. You've already got it in your list, but there is another one that IE uses for PNG, so you might want to expand the allowed types to:
PHP Code:
$types = array("image/gif", "image/jpeg", "image/pjpeg", "image/png", "image/x-png");
But I would definitely not rely solely on the MIME type. The MIME type is sent from the browser, so it is client-side generated data and therefore can be faked. Though not through a standard browser, one could in fact build their own program to post a file to a site with a different MIME type. Using this method they could send a PHP file with a MIME type of "image/jpeg".
Though I wouldn't stop using this method as it's definitely a good test, it should in fact be built upon using the other method you and Wildhoney suggested where the actual file extension is checked. If we do this, we can ensure that no file that is uploaded has a .php/.pl/etc extension and thus can't be executed.
To do this, we'd use a white list again that is a list of allowed extensions:
PHP Code:
$AllowedExtensions = array("png", "gif", "jpg", "jpeg");
and then test using this:
PHP Code:
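$FileInfo = pathinfo($_FILES["file"]["name"]);
// 'extension' is missing when the name has no dot; lower-case it so "JPG" matches "jpg"
$Extension = strtolower($FileInfo['extension'] ?? '');
if (in_array($Extension, $AllowedExtensions, true)) {
    // we can safely upload the file
} else {
    // not an allowed file
}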
Another reportedly good method if you're just uploading images is to use the getimagesize() function. This function returns an array of the image sizes, or false if it's not an image. So you could use it in this manner:
PHP Code:
if (($myImageSizes = getimagesize($_FILES["file"]["tmp_name"])) !== false) {
    // seems like a good image! Also now have access to the width in
    // $myImageSizes[0] and the height in $myImageSizes[1]
} else {
    // not a valid image!
}
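
The extension white list and the getimagesize() test from this post, combined into one function, as an added example that is not part of the original post. It ignores the browser-supplied type entirely and instead requires the type getimagesize() detects from the file content to agree with the extension. The function name check_image_upload, the ALLOWED map and the sample files are assumptions made for the illustration.

```php
<?php
// Hypothetical helper and constructed sample files; not code from the thread.
const ALLOWED = [
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

// $clientName is $_FILES["file"]["name"], $tmpPath is $_FILES["file"]["tmp_name"].
// $_FILES["file"]["type"] is deliberately not consulted: the client sets it.
function check_image_upload(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION)); // '' if none
    if (!isset(ALLOWED[$ext])) {
        return 'extension not allowed';
    }
    $info = @getimagesize($tmpPath); // false when the content is not an image
    if ($info === false) {
        return 'content is not an image';
    }
    if ($info['mime'] !== ALLOWED[$ext]) {
        return "extension does not match content ({$info['mime']})";
    }
    return null; // passed every check
}

// Constructed inputs written to temp files so the script runs offline.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, '<?php echo "hello"; ?>');

$cases = [
    ['photo.GIF',  $gif], // real GIF, upper-case extension
    ['photo.jpg',  $php], // PHP source behind an image name
    ['script.php', $gif], // image content, disallowed extension
    ['photo.png',  $gif], // GIF content claimed as PNG
];
foreach ($cases as [$name, $path]) {
    printf("%-11s => %s\n", $name, check_image_upload($name, $path) ?? 'accepted');
}
unlink($gif);
unlink($php);
```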