if and else without elseif

Forum Moderators: coopster

Message Too Old, No Replies

if and else without elseif

ahmed24

12:51 pm on Jul 20, 2009 (gmt 0)

i am trying to detect if the value of $type equals jpg, gif, png or tif. if it is any of those then echo True else echo false.

I can do it like this but i dont want so many elseif statement. I was wondering if there is any way to specify all the types i'm looking for in string or something?

if ($type=="jpg") {
echo "True";
}
elseif ($type=="gif") {
echo "True";
}
elseif ($type=="png") {
echo "True";
}
elseif ($type=="tif") {
echo "True";
}
else {
echo "False";
}

mattclayb

12:59 pm on Jul 20, 2009 (gmt 0)

you could put it on one statement -

if ($type=="jpg" ¦¦ $type=="gif" ¦¦ $type=="png" ¦¦ $type=="tif") {
echo "True";
} else{
echo "False";
}

ahmed24

1:10 pm on Jul 20, 2009 (gmt 0)

thanks, that does the trick.

penders

2:30 pm on Jul 20, 2009 (gmt 0)

I was wondering if there is any way to specify all the types i'm looking for in string or something?

Yes, you could do exactly that...

$valid_types = 'jpg,gif,png,tif'; 
if (strpos($valid_types,$type) !== false)) { 
 echo 'True'; 
} else { 
 echo 'False'; 
}

Or an array...

$valid_types = array('jpg','gif','png','tif'); 
if (in_array($type,$valid_types)) { 
 echo 'True'; 
} else { 
 echo 'False'; 
}

migthegreek

4:32 pm on Jul 20, 2009 (gmt 0)

Just use a regular expression:

if (eregi("jpg¦gif¦png¦tif", $type)) {
// true
} else {
// false
}

rocknbil

4:38 pm on Jul 20, 2009 (gmt 0)

I can do it like this but i dont want so many elseif statement.

The case switch is a good candidate here,

switch ($filetype) {
case 'jpg':
// action
break;
case 'gif':
// action
break;
// etc ....
default:
echo false;
}

But actually you have a larger problem, hinted at by this:

I was wondering if there is any way to specify all the types i'm looking for in string or something?

Depending on the size of your script, the supported file types are now hard-coded and may be buried and hard to change.

You should probably try something like this:


// top of script or in some script config include: 
$supported_types = Array('jpg','gif','png','tif'); 
$supported=false; 
// rest of code, etc


foreach ($supported_types as $t) { 
 if ($t == $type) { $supported=true; } 
} 
return $supported;

A small bit of advice, if you're using anything from the file name - the file extension - to identify an image type, this will be unreliable (.jpeg is a valid jpg extension, for example, or Mac users will not have extensions at all) and present security issues - I could name my evil virus innocent-file.jpg and upload it to your system.

You should use the GD library or ImageMagick methods to identify type and use that to populate $type.

idfer

5:17 pm on Jul 20, 2009 (gmt 0)

I always use in_array for these situations (as per penders' post). It's self-documenting and as rocknbil mentioned, you can define the list elsewhere, in a config file or on top of your file for easy maintenance.

If you use strpos or regular expressions, be careful that you match whole words so you don't get false positives for e.g. .gi or .gifi.

onjefu

10:27 pm on Jul 22, 2009 (gmt 0)

Buddy, simplify your life buy using php's built in function when you can!

My vote is for in_array

andrewsmd

1:20 pm on Jul 24, 2009 (gmt 0)

rocknbil is correct, it's not even that much more work but use the GD library.

g1smd

2:37 pm on Jul 24, 2009 (gmt 0)

I would use the REGEX, but DO end-anchor the pattern otherwise 'alan.gifford.html' would match the '.gif' rule.

The regex I would use is

\.(jpe?g¦gif¦png¦tiff?¦....)$

lexipixel

6:59 am on Jul 27, 2009 (gmt 0)

Another note: don't count on the file extension as a definitive answer on what type of file it is.

I assume, (as dangerous as assumptions can be - - which is the point of this post), that you are trying to determine if a file someone uploads is an image file before processing the file.

A long time ago I had a script like this and did exactly what you are trying -- determining file type by file extension. The script allowed upload if extension was in the "ok" list --- and redisplayed the image to the user after upload.

Someone smarter than me figured out they could upload PHP code if they named it "myphoto.jpg" -- yes, "myphoto.jpg" was a .PHP script that gave them access to just about everything. Luckily they only defaced the home and not something more nefarious.

To be safe, you need to check the contents of the file based on the extension they specify and see that it is actually an image file.

idfer

8:05 pm on Jul 27, 2009 (gmt 0)

Someone smarter than me figured out they could upload PHP code if they named it "myphoto.jpg" -- yes, "myphoto.jpg" was a .PHP script that gave them access to just about everything.

Is that really possible? I thought the web server would translate the .jpg extension to an image/jpg mime type and return the file's contents as such, regardless of what's actually in it. At least that's what happens on my Apache server, the PHP code isn't executed.

lexipixel

2:36 pm on Jul 29, 2009 (gmt 0)

I don't remember the details now, (it was about 4-5 years ago and PHP was fairly new to me since I scripted in perl). The script may have been accepting any file and regardless of extension, e.g. you could upload a file named "myphoto" and it would attempt to display it back when confirming upload.

The warning is still the same -- read from the header within the file to determine what it is, don't rely solely on the file extension.

penders

4:43 pm on Jul 29, 2009 (gmt 0)

lexipixel: Someone smarter than me figured out they could upload PHP code if they named it "myphoto.jpg" -- yes, "myphoto.jpg" was a .PHP script that gave them access to just about everything.

Is that really possible? I thought the web server would translate the .jpg extension to an image/jpg mime type and return the file's contents as such, regardless of what's actually in it. At least that's what happens on my Apache server, the PHP code isn't executed.

Well, if the attack also involved adding a line to .htaccess that meant that every file was parsed for PHP (which recently happened to one of my sites - somehow!?) then that would indeed be a problem.

andrewsmd

5:39 pm on Jul 29, 2009 (gmt 0)

Penders could you elaborate on this attack a little more, I don't really understand what you are saying but it sounds like very good knowledge to have to be able to prevent the attack.

penders

10:40 am on Jul 30, 2009 (gmt 0)

Penders could you elaborate on this attack a little more...

If an attacker was able to modify your .htaccess file to include a line such as:

AddHandler application/x-httpd-php .jpg

... to send all .jpg files through the PHP handler then when this (fake) image file is 'displayed' (ie. requested - probably as soon as it's been uploaded) then the PHP would execute. Mind you this would probably stuff up any legitimate .jpg files that are in the scope of your .htaccess file as well - so you might see the effects of the attack pretty quickly, but by then it might be too late!

How could someone edit your .htaccess file? Any security holes in scripts on your site? Or maybe the security of your server has been breached - which may be out of your control? Unfortunately, I believe, this is a reasonably common attack as far as website attacks go.

As I say, a similar (although different) attack happened on an old site of mine a while back...
[webmasterworld.com...]
(that thread also links to other useful threads on security)

andrewsmd

1:41 pm on Jul 30, 2009 (gmt 0)

Thanks,