PHP - Protecting Uploaded CVs
Hello,
I have a form for uploading CV files into a CV database. Once the files are uploaded to their directory (e.g. www.jobsboard.com/cvdatabase/), please could someone tell me how to restrict access to users? E.g. once a user logs into their userpanel they should be able to click on a hyperlink to download a CV (e.g. www.jobsboard.com/cvdatabase/CV1.doc), but a user who isn't logged in shouldn't be able to access www.jobsboard.com/cvdatabase/CV1.doc. Please could you tell me whether this is possible?
Many thanks,
Stu

Similar Tutorials

Hi, I was asked to create an app, wherein the user may enter the email addresses of people manually, and it auto generates a random key. Now this key will be used to access such pages, e.g.
proposal.test.com/ppc
proposal.test.com/seo
proposal.test.com/design
So using the key, for example => Sa22asdf, it should appear like this:
proposal.test.com/ppc/Sa22asdf
proposal.test.com/seo/Sa22asdf
proposal.test.com/design/Sa22asdf
Without the unique key generated during the input of email address, the URL mentioned shouldn't be accessed by anyone. Now my question is, how to approach this thing in PHP? I have done the input for email address and generation of random keys, but I don't know yet what to do or how to do the securing of pages using those keys?

Hi All, I'm trying to secure my web app which is currently in development, and came across this issue. I have a header.php and footer.php page which are included to every page, with the content in the middle. The problem is, if you visit header.php then it displays the header, with some blank text. What is the best way to protect this - i.e., if visited directly, it re-directs to index.php etc. My initial thought is to set a $happylink on each page and in the header and footer, basically doing the following:
if (isset($happylink) && !empty($happylink)) {
    blah blah;
} else {
    Header("Location: index.php");
}
Would that be the best way? Is there something easier?
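For the opening question about restricting CV downloads to logged-in users, here is an added example (not code from the thread): the CVs are kept outside the web root and served only through a script that checks the session first. The storage path, the `user_id` session key and the `file` query parameter are assumptions made for illustration.

```php
<?php
// download_cv.php -- added example; link to it as download_cv.php?file=CV1.doc
declare(strict_types=1);

// Assumed storage directory outside the document root, so that
// www.jobsboard.com/cvdatabase/CV1.doc no longer maps to a file at all.
const CV_DIR = '/var/www/private/cvdatabase';

// Map a requested name to a real file inside $baseDir, or null if it is not acceptable.
function resolve_cv_path($requested, string $baseDir): ?string
{
    // Accept only a bare file name with an expected extension (no slashes, no "..").
    if (!is_string($requested)
        || !preg_match('/\A[A-Za-z0-9_-]{1,64}\.(doc|docx|pdf)\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: the resolved path must still sit inside the CV directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

session_start();

// Assumption: the login code stores the user's id in $_SESSION['user_id'].
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Please log in to download CVs.');
}

$path = resolve_cv_path($_GET['file'] ?? null, CV_DIR);
if ($path === null) {
    http_response_code(404);
    exit('CV not found.');
}

// Send the file as a download rather than letting the browser render it.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

If the files have to stay under the web root, direct requests to that directory need to be denied in the web server configuration so that this script is the only way to reach them.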
Data siphoning is becoming more common every day,
Data siphoning is when you intercept the data and sniff between a client and a host, also known as sniffing a connection. (I am focusing on session hijack.)
To protect clients I've decided to write an MD5 calculation function which changes a secure string (such as a password) to plain MD5.
Then once the MD5_password reaches PHP I BCRYPT with cost 20 using password_hash.
_
MD5 is not ideal at all and I would like to write a better encryption but I only know how to do MD5 for JavaScript, but I really don't need that much security here.
The purpose is to not show sensitive information, that's going to be hashed on the server, during a data siphon attack.
_
Data siphoning cannot be protected against on the host server; the siphoning happens on the client's side, usually when they don't have a strong firewall or such.
What are some good techniques you would practice to protect from data siphoning?
Before added security I was able to siphon this:
Username: Richard
Password: mypassword
After added security I was able to siphon this:
Username: 6ae199a93c381bf6d5de27491139d3f9
Password: 5f4dcc3b5aa765d61d8327deb882cf99
Now the only vulnerability between the client and server is if the hacker DNS hacks the client, which could redirect them to a website that looks like mine with the same EXACT URL, which I can't help.
The real username can be retrieved in a session on login.
The real username and password can be found if a hacker injects JS to remove the MD5 function, so if you know how to detect JavaScript injection I would like to know that as well.
______
Pretty much it looks like this..
Form -> Send md5(username) & md5(password) -> Server check if match in database -> If so login.
^ cypher ^cypher (session)
Edited by Richard_Grant, 12 September 2014 - 03:27 AM.
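On the sniffing and session-hijack concern in the post above: a digest captured on the wire can be replayed just like a captured password, so the protection has to come from the transport and from the session cookie. The following added example (not the poster's code) forces HTTPS, marks the session cookie `Secure`/`HttpOnly`/`SameSite`, verifies the password with `password_verify` and rotates the session id on login. `SITE_HOST`, the in-memory user store, the bcrypt cost of 12 and the `user_id` session key are assumptions.

```php
<?php
declare(strict_types=1);

const SITE_HOST = 'www.example.com'; // assumed canonical host name of the site

// Constructed sample user store; a real site would read the hash from its database.
function find_password_hash(string $username): ?string
{
    static $users = null;
    if ($users === null) {
        $users = ['Richard' => password_hash('mypassword', PASSWORD_BCRYPT, ['cost' => 12])];
    }
    return $users[$username] ?? null;
}

function request_is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // cookie is never sent over plain HTTP
        'httponly' => true,   // cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function attempt_login($username, $password): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    $hash = find_password_hash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // New session id after authentication, so an id seen earlier is useless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $username;
    return true;
}

if (PHP_SAPI !== 'cli') {
    if (!request_is_https()) {
        // Redirect to the configured host, not to the client-supplied Host header.
        header('Location: https://' . SITE_HOST . '/login.php', true, 301);
        exit;
    }
    header('Strict-Transport-Security: max-age=31536000');
    start_secure_session();
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
        $ok = attempt_login($_POST['username'] ?? null, $_POST['password'] ?? null);
        echo $ok ? 'Logged in' : 'Login failed';
    }
}
```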
I have a script that runs periodically by a launchd timer. I give the script a very tight timeout ( set_time_limit(120); ).

Hi, I'm putting together a database that once logged in, a user is able to insert, update and delete records via html forms. The login is secured using mysql_real_escape_string, but I'm wondering should I do the same for all form elements that pass data to the db? There are a wide range of inputs, from numeric, alphanumeric, dates and more. I'd appreciate your feedback.
Regards,
James

I've been wondering how to protect all the files that contain classes, functions and forms in PHP to prevent direct access to something that the user shouldn't be able to without the proper checks (typing http://server/inc/login.php instead of http://server/), and I came to this small idea of checking if an object is set or not, but I'm wondering if this is really the best idea. Here's what I have (the case below will protect a login form from being accessed directly):
Code:
<?php
if(!isset($mysqlobj)) die();
if( isset( $_POST['username'] ) && isset( $_POST['password'] ) ){
    $login = authentication::login( $_POST['username'], $_POST['password'] );
    if( $login == true ){
        header( 'location:?go=home' );
    }else{
        $_SESSION['message'] = 'loginfailed';
        header( 'location:?go=login' );
    }
}else{
    if( !empty($_SESSION['logged'] ) && $_SESSION['logged'] == true ){
        header( 'location:?go=home' );
    }else{
?>
<div id="loginform">
<form action="?go=login" method="post">
<table align="center">
<tr>
<td><font size="2">Username</font></td>
<td><input type="text" name="username" /></td>
</tr>
<tr>
<td><font size="2">Password</font></td>
<td><input type="password" name="password" /></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" value="Login" /></td>
</tr>
</table>
</form>
</div>
<?php
    }
}
?>
Just looking for a "best practice". I tried Google for it but I couldn't get to a straight answer. Any enlightenment is appreciated.
I have had a customer want to run my application (PHP/APACHE/MYSQL) on their server rather than a commercial hosting offering (JUSTHOST/GODADDY)
I am reluctant, as it means giving them access to my PHP code which could possibly be copied or distributed.
Can I protect against this?
Hi all, I'm working on this site which I'll soon ask the guys in the testing forum to have a peek at. It's essentially an online community that was a uni project that has spiraled and grown exponentially. I've spent many many hours in front of books and tutorials etc to put it together and as far as scripting goes, it seems to be fine. The problem I'm having... The tuts that I read / watched were using eregi_replace to protect text fields and this is now unsupported. I want my site to be as secure as it can be, within reason. I've tried using preg_replace instead and have searched for the syntax but I keep getting strange results. I'm working on the "bio" field at the moment and then when that works I can move on and apply the same idea to the other fields. This is what I have and what I've changed.
if ($_POST['parse_var'] == "bio"){
    $bio_body = $_POST['bio_body'];
    //$bio_body = str_replace("'", "'", $bio_body); (WAS TESTING THIS BUT NO JOY)
    //$bio_body = str_replace("`", "'", $bio_body);
    $bio_body = mysql_real_escape_string($bio_body);
    $bio_body = nl2br(htmlspecialchars($bio_body));
    $bio = $_POST['bio'];
    $bio = eregi_replace("'", "'", $bio); (This works but is not as secure)
    $bio = eregi_replace("`", "'", $bio);
    $bio = mysql_real_escape_string($bio);
    $bio = nl2br(htmlspecialchars($_POST['bio']));
    $sqlUpdate = mysql_query("UPDATE members SET bio='$bio' WHERE id='$id'");
    and so on....
}
When I change it to str_replace, if I type in don't the whole word is deleted. When I type in preg I get an error. Can someone please give me the correct code / syntax for getting the result I want. I just want to make sure that every single field that has a user input is protected against any malicious attacks. Thanks.

At the moment I have been uploading files to my server using <input type='files'> and binary encryption. I would like to have more control over the file's tmp_name. Is there a way to assign it beforehand?

Hi.
I have a script here that will let users upload an image to my website but I just can't figure out how to save the uploaded image as "upload/logo.png" so that it will replace the already existing "upload/logo.png". Help would be greatly appreciated.
Code:
<html>
<body>
<form action="" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<br />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>
<?php
if(isset($_POST['submit']) && !empty($_FILES["file"]["name"])) {
    $timestamp = time();
    $target = "upload/";
    $target = $target . basename($_FILES['uploaded']['name']) ;
    $ok=1;
    $allowed_types = array("image/gif","image/jpeg","image/pjpeg","image/png","image/bmp");
    $allowed_extensions = array("gif","png","jpg","bmp");
    if ($_FILES['file']['size'] > 350000) {
        $max_size = round(350000 / 1024);
        echo "Your file is too large. Maximum $max_size Kb is allowed. <br>";
        $ok=0;
    }
    if ($_FILES["file"]["error"] > 0) {
        echo "Error: " . $_FILES["file"]["error"] . "<br />";
        $ok=0;
    } else {
        $path_parts = pathinfo(strtolower($_FILES["file"]["name"]));
        if(in_array($_FILES["file"]["type"],$allowed_types) && in_array($path_parts["extension"],$allowed_extensions)){
            $filename = $timestamp."-".$_FILES["file"]["name"];
            echo "Name: " . $filename . "<br />";
            echo "Type: " . $_FILES["file"]["type"] . "<br />";
            $path_parts = pathinfo($_FILES["file"]["name"]);
            echo "Extension: " . $path_parts["extension"] . "<br />";
            echo "Size: " . round($_FILES["file"]["size"] / 1024) . " Kb<br />";
            //echo "Stored in: " . $_FILES["file"]["tmp_name"]. " <br />";
        } else {
            echo "Type " . $_FILES["file"]["type"] . " with extension " . $path_parts["extension"] . " not allowed <br />";
            $ok=0;
        }
    }
    if($ok == 1){
        @move_uploaded_file($_FILES["file"]["tmp_name"], $target . $filename);
        $file_location = $target . $filename;
        if(file_exists($file_location)){
            echo "Uploaded to <a href='$file_location'>$filename</a> <br />";
        } else {
            echo "There was a problem saving the file. <br />";
        }
    }
} else {
    echo "Select your file to upload.";
}
?>
Thanks!

Hi, I want to be able to let user upload XML form, and then in the action page it needs to extract that so that I can add it to the database. Here is the upload form:
Code:
<html>
<head></head>
<body>
<form method='post' action="uploadFileToDB.php" enctype="multipart/form-data">
<p>
<label>
Upload image<input type='file' name='imageFileType' id='imageFileType' />
</label>
</p>
<p>
<input type='submit' value='Upload this image' name='upload' id='upload' />
</p>
</form>
</body>
</html>
Here is the uploadFileToDB.php:
Code:
<?php
require("PHP_xml_parsing_via_DOM.php"); //NB: this script does the actual shreddering (XML to SQL)
//IF User uploaded dir or XML file successful, then:
if(isset($_POST['upload']))
{
    //SHRED NOW
    //NB: how to retrieve the uploaded xml file
    $_filePath=??
    $node=basename($_filePath);
    $dom=new DOMDocument();
    $dom->load($node);
    $labelPath=array();
    mysql_connect("localhost","root");
    mysql_select_db("dummydpev7");
    $isXdocExist=mysql_query("SELECT file_Path,file_Name FROM xdocument WHERE file_Path='$_filePath' AND file_Name='$node'");
    $docId=0;
    if(mysql_num_rows($isXdocExist)==1)
    {
        print "Entry already exists!";
        $docId=mysql_next_id("xdocument")-1;
    }
    else
    {
        mysql_query("INSERT INTO xdocument (file_Path,file_Name) VALUES ('$_filePath','$node')");
        $docId=mysql_next_id("xdocument")-1;
    }
    print "<br />".$docId;
    writeXMLtoDBViaDOM($dom->documentElement,$labelPath,$docId,$_filePath);
}
//ELSE
else
    //Please upload Valid XML
    print "Problem with XML file being uploaded.";
?>
The question in point is how do I extract the file I uploaded to set to $_filePath?? in the script so that I pass it to my function writeXMLtoDBviaDOM?? Please, any help much appreciated!
Hi everyone, I'm a newbie and have written this script, has taken me a day to get here. The form inserts data into the database, uploads a file and sends an email. All this works fine, what I am trying to do is rename the file to the id of the record and check to make sure it is a pdf. I would really appreciate any help. I've tried and tried and just can't get it to work.
<?php
switch ($_REQUEST['action']) {
case 'recruit':
    foreach($_POST as $key=>$value){
        $$key = $value;
    }
    if ((!$name) || (!$email) || (!$phone)) {
        $error_msg = 'Fields marked<span class="gold"> * </span>are required to submit the form';
    }elseif (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {
        $error_msg = 'Invalid email address';
    }
    echo "$error_msg","<br><br>";
    if ($error_msg == ''){
        $date=date("d/m/y", time());
        $add="recruitment/".$_FILES[userfile][name];
        $cleaned = stripit($add);
        $add2 = $cleaned;
        if(move_uploaded_file ($_FILES[userfile][tmp_name], $add2));
        $Q = mysql_query("INSERT INTO recruitment (`name`,`phone`,`email`, `qual`,`exper`,`file`) VALUES ('$name','$phone','$email','$qual','$exper','$cleaned')");
        foreach($_POST as $key=>$value){
            $$key = htmlentities(stripslashes($value));
        }
        $companyname = 'Mead Business college';
        $companyemail = 'ross@emediastudios.com.au';
        $headers = "MIME-Version: 1.0\r\n";
        $headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
        $headers .= "From: ".$name." <".$email.">\r\n";
        $headers .= "Reply-To: ".$name." <".$email.">\r\n";
        $to = "".$companyname."<".$companyemail.">";
        $subject = "Mead Business College Recruitment Form Submission";
        $message = '<style type="text/css>";
<!--
.style {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px;
}
-->
</style>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td class="style">
<b>Details:</b><br /><br />
<b>Name:</b> '.$name.'<br />
<b>Email:</b> '.$email.'<br />
<b>Mobile No:</b> '.$phone.'<br />
<b>Qualifications:</b><br> '.$qual.'<br />
<b>Experience:</b><br /><br />'.$exper.'<br /><br />
<b>Uploaded resume:</b> http://www.mydomain.com.au/'.$cleaned.'
</td>
</tr>
</table>';
        mail($to, $subject, $message, $headers);
        echo '<table width="99%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td class="mybody">Hi '.$name.',<p />Thank you for your enquiry. An MBC Consultant will contact you shortly.<br />
<br />
</td>
</tr>
</table>';
    }else{
        foreach($_POST as $key=>$value){
            $$key = htmlentities(stripslashes($value));
        }
        echo '
<FORM ENCTYPE="multipart/form-data" id="form" name="Contact Form" method="post" action="'.$_SERVER['PHP_SELF'].'?action=recruit">
<table width="489" border="0" cellspacing="5" cellpadding="0" class="formsw">
<tr>
<td width="227">Name:</td>
<td width="358"><input type="text" name="name" id="name" value="'.$name.'" /></td>
</tr>
<tr>
<td>Contact Mobile:</td>
<td><input type="text" name="phone" id="phone" value="'.$phone.'" /></td>
</tr>
<tr>
<td>Email:</td>
<td><input type="text" name="email" id="email" value="'.$email.'" /></td>
</tr>
<tr>
<td>Relevent Qualifications:</td>
<td><textarea name="qual" id="qual" cols="45" rows="5" value="'.$qual.'"></textarea></td>
</tr>
<tr>
<td>Recent Experience:</td>
<td><textarea name="exper" id="exper" cols="45" rows="5" value="'.$exper.'"></textarea></td>
</tr>
<tr>
<td>Upload Resume:</td>
<td><input type="file" name="userfile" id="userfile" /></td>
</tr>
<tr>
<td><input type="submit" name="submit" id="submit" value="Submit" /></td>
<td> </td>
</tr>
</table>
</form>';
    }
    break;
}
?>

My photo files are not being displayed in my table? They get sent to the MySQL database, then the server, and it does grab all the other variables in the table and displays them, but the .jpg's are not shown, instead there's just the file name??
Code:
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
echo '<pre>' . print_r($_FILES, true) . '</pre>';
//This is the directory where images will be saved
$target = "/home/users/web/b109/ipg.removalspacecom/images/COMPANIES";
$target = $target . basename( $_FILES['upload']['name']);
//This gets all the other information from the form
$company_name=$_POST['company_name'];
$basicpackage_description=$_POST['basicpackage_description'];
$location=$_POST['location'];
$postcode=$_POST['postcode'];
$upload=($_FILES['upload']['name']);
// Connects to your Database
mysql_connect("server****", "username***", "password****") or die(mysql_error()) ;
mysql_select_db("DB") or die(mysql_error()) ;
//Writes the information to the database
mysql_query("INSERT INTO `Companies` (company_name, basicpackage_description, location, postcode, upload) VALUES ('$company_name', '$basicpackage_description', '$location', '$postcode', '$upload')") ;
echo mysql_error();
//Writes the photo to the server
if(move_uploaded_file($_FILES['upload']['tmp_name'], $target))
{
    //Tells you if its all ok
    echo "The file ". basename( $_FILES['upload']['name']). " has been uploaded, and your information has been added to the directory";
}
else {
    //Gives and error if its not
    echo "Sorry, there was a problem uploading your file.";
}
?>
"upload" is the variable that isn't displaying in my table how I want it to? Have you guys any ideas how to get it displayed correctly?

What's the maximum file size I can upload through a regular form? If it's server dependent, how do I find out my max?
I tried to handle a 550MB file (on localhost) - I only wanted to show the filename, but it hung up for about 10secs, then returned nothing.

Hi everyone!! I have looked into how the upload script works and this is what I have:
Code:
<?php
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/pjpeg"))
&& ($_FILES["file"]["size"] < 20000))
{
    if ($_FILES["file"]["error"] > 0)
    {
        echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
    else
    {
        echo "Upload: " . $_FILES["file"]["name"] . "<br />";
        echo "Type: " . $_FILES["file"]["type"] . "<br />";
        echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";
        if (file_exists("upload/" . $_FILES["file"]["name"]))
        {
            echo $_FILES["file"]["name"] . " already exists. ";
        }
        else
        {
            move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]);
            echo "Stored in: " . "upload/" . $_FILES["file"]["name"];
        }
    }
}
else
{
    echo "Invalid file";
}
?>
Which is un-tested at the moment, but let's just say for talking sake it worked 100%, what elements of this script would I be looking at to display the files uploaded on to another page, in my case my homepage? I've found as yet that the uploads have to be stored on a file somewhere on my server, which I've set up. But I thought it would be just as easy to have a field in my table named upload and display it within the table next to the other results? Instead I just get whatever the file name is named.jpg. Any help in looking towards the answer? Many thanks in advance guys!

Hi everyone, I am after a script/function that will get information of an uploaded image, resize it, then display the manipulated image. In my "upload" script, there will be a size limit and a file extension/type limit to: 600 x 200px / jpg, gif, jpeg... this is to keep the script I'm after more simple. As using vector images I'm told is such a complicated problem for me at this time. So... to get the size info/dimensions it's like this:
Code:
<?php
list($width, $height, $type, $attr) = getimagesize("image_name.jpg");
echo "Image width " .$width;
echo "<BR>";
echo "Image height " .$height;
echo "<BR>";
echo "Image type " .$type;
echo "<BR>";
echo "Attribute " .$attr;
?>
and..... resize something like this:
Code:
function get_image_sizes($sourceImageFilePath, $maxResizeWidth, $maxResizeHeight) {
    // Get width and height of original image
    $size = getimagesize($sourceImageFilePath);
    if($size === FALSE) return FALSE; // Error
    $origWidth = $size[0];
    $origHeight = $size[1];
    // Change dimensions to fit maximum width and height
    $resizedWidth = $origWidth;
    $resizedHeight = $origHeight;
    if($resizedWidth > $maxResizeWidth) {
        $aspectRatio = $maxResizeWidth / $resizedWidth;
        $resizedWidth = round($aspectRatio * $resizedWidth);
        $resizedHeight = round($aspectRatio * $resizedHeight);
    }
    if($resizedHeight > $maxResizeHeight) {
        $aspectRatio = $maxResizeHeight / $resizedHeight;
        $resizedWidth = round($aspectRatio * $resizedWidth);
        $resizedHeight = round($aspectRatio * $resizedHeight);
    }
    // Return an array with the original and resized dimensions
    return array($origWidth, $origHeight, $resizedWidth, $resizedHeight);
}
// Get dimensions
$sizes = get_image_sizes($sourceImageFilePath, $maxResizeWidth, $maxResizeHeight);
$origWidth = $sizes[0];
$origHeight = $sizes[1];
$resizedWidth = $sizes[2];
$resizedHeight = $sizes[3];
// Create the resized image
$imageOutput = imagecreatetruecolor($resizedWidth, $resizedHeight);
if($imageOutput === FALSE) return FALSE; // Error condition
// Load the source image
$imageSource = imagecreatefromjpeg($sourceImageFilePath);
if($imageSource === FALSE) return FALSE; // Error condition
$result = imagecopyresampled($imageOutput, $imageSource, 0, 0, 0, 0, $resizedWidth, $resizedHeight, $origWidth, $origHeight);
if($result === FALSE) return false; // Error condition
// Write out the JPEG file with the highest quality value
$result = imagejpeg($imageOutput, $outputPath, 100);
if($result === FALSE) return false; // Error condition
And.... display is this:
Code:
<?php
$database="***";
mysql_connect ("***", "***", "***");
@mysql_select_db($database) or die( "Unable to select database");
$result = mysql_query( "SELECT company_name, location, postcode, basicpackage_description, premiumuser_description, upload FROM Companies" )
or die("SELECT Error: ".mysql_error());
$num_rows = mysql_num_rows($result);
print "\n\n\nThere are $num_rows records.<P>";
echo "<table><tr><th>Comppany Name</th><th>Location</th><th>Postcode</th><th>Basic Members</th><th>Upgraded Users</th><th>Company Logo</th></tr><tr><td></td><td></td><td></td><td></td><td></td><td></td></tr>";
// store the records into $row array and loop through
while ( $row = mysql_fetch_array( $result, MYSQL_ASSOC ) ) {
    // Print out the contents of the entry
    echo "<tr><td>{$row['company_name']}</td>";
    echo "<td>{$row['location']}</td>";
    echo "<td>{$row['postcode']}</td>";
    echo "<td>{$row['basicpackage_description']}</td>";
    echo "<td>{$row['premiumuser_description']}</td>";
    echo "<td><img src=\"http://www.removalspace.com/images/COMPANIES{$row['upload']}\" alt=\"logo\" /></td></tr>";
}
echo "</table>";
?>
How will all these fit together in one script? Any help, I'd love it! Many thanks in advance.

Anyone can show example how I could rename the uploaded file name with user's id along with some number?
Code:
//////////////////////////////////////uploader
else if($action=="uploader")
{
    echo "Upload your picture and copy the link <br/>after uploading to user it at gallery.<br/><br/>";
    echo "<form method=\"post\" enctype=\"multipart/form-data\" action=\"index.php?action=uploaded&sid=$sid\">";
    echo "Choose Pictu <br />";
    echo "<input name=\"uploaded\" type=\"file\" /><br /><br />";
    echo "<input type=\"submit\" value=\"Upload\" />";
    echo "</form><br/>";
    echo "<p align=\"center\">";
    echo "<a href=\"index.php?action=main&sid=$sid\">Home</a>";
    echo "</p>";
}
//////////////////////////////////////uploader
else if($action=="uploaded")
{
    $blacklist = array(".php", ".php.jpg", ".php.jpeg", ".php.gif", ".php.png", ".phtml", ".php3", ".php4");
    foreach ($blacklist as $item) {
        if(preg_match("/$item\$/i", $_FILES['uploaded']['name'])) {
            echo "<p align=\"center\">";
            echo "Oops sorry we do not allow those files.<br/>";
            echo "<a href=\"index.php?action=main&sid=$sid\">Home</a>";
            echo "</p>";
            exit;
        }
    }
    $target = "../images/";
    $target = $target . basename( $_FILES['uploaded']['name']) ;
    $ok=1;
    if (file_exists("../images/" . $_FILES["uploaded"]["name"]))
    {
        echo "<p align=\"center\">";
        echo $_FILES["file"]["name"] . "Oops file name already exists<br/> kindly rename your picture and upload again. <br/>";
        echo "<a href=\"index.php?action=main&sid=$sid\">Home</a>";
        echo "</p>";
    }else{
        //This is our size condition
        if ($uploaded_size > 25600){
            echo "Your file is too large. We have a 25kb limit.<br/>";
            $ok=0;
        }
        $types = array('image/jpeg', 'image/gif', 'image/png');
        if (in_array($_FILES['uploaded']['type'], $types)) {
            // file is okay continue
        } else {
            $ok=0;
        }
        //Here we check that $ok was not set to 0 by an error
        if ($ok==0){
            echo "<p align=\"center\">";
            Echo "Sorry your file was not uploaded.<br/> It may be the wrong filetype. <br/>We only allow JPG, GIF, and PNG filetypes.<br/>";
            echo "<a href=\"index.php?action=main&sid=$sid\">Home</a>";
            echo "</p>";
        }
        //If everything is ok we try to upload it
        else{
            if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)){
                echo "<p align=\"center\">";
                echo "The file ". basename( $_FILES['uploadedfile']['name']). " Picture uploaded successfully.<br/><br/><b>$target <br/>";
                echo "<a href=\"index.php?action=main&sid=$sid\">Home</a>";
                echo "</p>";
            }
            else{
                echo "<p align=\"center\">";
                echo "Sorry, there was a problem uploading your file.<br/>";
                echo "<br/><a href=\"http://index.php?action=main&sid=$sid\">Wml Home</a><br />";
                echo "<a href=\"index.php?action=main&sid=$sid\">Home</a>";
                echo "</p>";
            }
        }
    }
}
}

Hi, I need to change the name of a file being uploaded by a user. The reason I need this is because there is a strong possibility that duplicate filenames would be logged. This is the code I have currently:
Code:
$upload_path = 'cv/'; // The place the files will be uploaded to (currently a 'files' directory).
$filename = $_FILES['userfile']['name']; // Get the name of the file (including file extension).
$ext = substr($filename, strpos($filename,'.'), strlen($filename)-1); // Get the extension from the filename.
// Check if we can upload to the specified path, if not DIE and inform the user.
if(!is_writable($upload_path))
    die('You cannot upload to the specified directory, please CHMOD it to 777.');
// Upload the file to your specified path.
if(move_uploaded_file($_FILES['userfile']['tmp_name'],$upload_path . $filename));
This code works fine to upload the file in the current name. I assume I need to separate the filename from the file extension, and I can then assign a new variable to the filename. Easier said than done though as I've tried many combinations of things. Is there a simple way using this script? Or will I need to start from scratch?
Cheers

Hi All, I'm trying to validate file types and keep seeing an error. I only allow .gif, .jpg or .png. However, if I upload any of those file types, I get an error message.... If I echo out $filetypeCheck, I get image/png, which is correct...
Code:
$filetypeCheck = $_FILES["file"]["type"];
if( ($filetypeCheck != "image/gif") || ($filetypeCheck != "image/jpeg") || ($filetypeCheck != "image/png") ) {
    $val_error[] = 'File Type Error! (.gif, .jpg and .png only)';
}
What's going on here?
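In the last question the condition is true for every upload, because no value can equal all three types at once; membership in an allow-list is the test that is wanted. The added example below (not code from any of the posts) also stops trusting `$_FILES[...]['type']`, which is supplied by the browser, by detecting the type from the file content with `finfo`, and stores the file under a generated name, which covers the duplicate-name question above as well. The `upload/` directory, the 350000-byte limit and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Allowed content types mapped to the extension the stored file will get.
const ALLOWED_IMAGE_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

// Detect the type from the file's bytes; returns the extension to use, or null.
function detect_allowed_extension(string $tmpPath): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime] ?? null;
}

// Validate one entry of $_FILES and move it into $uploadDir.
// Returns [storedName, errors]; storedName is null when the upload is rejected.
function store_upload(array $file, string $uploadDir, int $maxBytes = 350000): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [null, ['Upload failed.']];
    }
    $errors = [];
    if ($file['size'] > $maxBytes) {
        $errors[] = 'File is too large.';
    }
    $ext = detect_allowed_extension($file['tmp_name']);
    if ($ext === null) {
        $errors[] = 'File Type Error! (.gif, .jpg and .png only)';
    }
    if ($errors !== []) {
        return [null, $errors];
    }
    // Generated name: never reuse the client's file name or extension, so
    // "shell.php.jpg"-style names and collisions between users cannot occur.
    $storedName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [null, ['There was a problem saving the file.']];
    }
    return [$storedName, []];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['file'])) {
    [$name, $val_error] = store_upload($_FILES['file'], __DIR__ . '/upload');
    if ($name === null) {
        echo htmlspecialchars(implode(' ', $val_error));
    } else {
        // Store $name in the database row so the file can be linked or displayed later.
        echo 'Stored as ' . htmlspecialchars($name);
    }
}
```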