I have a PHP website where registered users can upload an avatar. One of the restrictions is that people can only upload either a .jpg or .jpeg file with only alphanumeric characters; anything else is rejected. This is to make sure I only get uploads like "avatar.jpg", and not "evilcode.php" or "secretcode.php.jpg". I'm also planning other checks, but right now I can't get this first step to work.
I am using this regex expression:

    [a-zA-Z0-9]{1,150}+\.+(jpe?g)

This is the code I'm currently using. The function is called from another PHP file, with $_FILES['avatar'] as a parameter.

    public function updateAvatar($avatar)
    {
        $regex = '^[a-zA-Z0-9]{1,100}+\.+(jpe?g)$';
        $name = $avatar['name'];
        $result = preg_match_all($regex, $name);
        if($result === 1)
        {
            return true;
        } else
        {
            return false;
        }
    }

This always returns false when uploading either "avatar.jpg", "code.php", or "duck.gif". According to the PHP manual, this code should be correct. The method returns either an integer or a boolean, and warns that you should use ===, not ==, to compare the result. Does anyone know what I did wrong?
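
Added example, not part of the original post: PHP's preg_* functions expect the pattern wrapped in delimiters, and a pattern passed without them makes the call emit a warning and return false, which `=== 1` then treats as "no match". The sketch below applies the same allow-list rule with delimiters and strict anchors; the function name `isAllowedAvatarName` and the sample file names are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Allow-list check for the client-supplied name of an uploaded avatar.
 * Hypothetical helper; the rule mirrors the one described in the question.
 */
function isAllowedAvatarName(string $name): bool
{
    // The surrounding '/' characters are the PCRE delimiters PHP requires.
    // \A and \z anchor to the absolute start and end of the string; unlike
    // '$', \z does not also match just before a trailing newline.
    // '\.' without '+' allows exactly one dot, so "avatar..jpg" is rejected.
    $pattern = '/\A[a-zA-Z0-9]{1,100}\.jpe?g\z/';

    // preg_match() returns 1 on a match, 0 on no match, false on error.
    return preg_match($pattern, $name) === 1;
}

// Constructed sample names mapped to the expected decision.
$samples = [
    'avatar.jpg'                  => true,
    'photo1.jpeg'                 => true,
    'evilcode.php'                => false,
    'secretcode.php.jpg'          => false, // the inner dot is not alphanumeric
    'duck.gif'                    => false,
    'avatar..jpg'                 => false,
    "avatar.jpg\n"                => false, // would pass with '$' instead of \z
    '.jpg'                        => false, // empty base name
    str_repeat('a', 101) . '.jpg' => false, // base name longer than 100
];

foreach ($samples as $name => $expected) {
    $actual = isAllowedAvatarName((string) $name);
    printf("%-28s %s\n", json_encode((string) $name), $actual ? 'accept' : 'reject');
    if ($actual !== $expected) {
        throw new RuntimeException('Unexpected decision for ' . json_encode((string) $name));
    }
}
```

The name check only constrains the string the client sent; it says nothing about the file's contents, which the other planned checks would have to cover.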