Problem with uploading multiple files PHP

On my site I have a page where users can upload files to go with the news post they're adding. I allow them to upload one image and one sound file. They don't have to add files if they don't want to, or they can just add one if they want. Problem I'm having is that my script only works if the user selects both files. If they choose none, or only one, then the script spits out 'Invalid File' as it can't find a file where one hasn't been selected.

I tried using:

if (isset($_FILES['filetoupload1'])) { 
    if (($_FILES["filetoupload1"]["type"] == "image/gif")
        || ($_FILES["filetoupload1"]["type"] == "image/jpeg")
        || ($_FILES["filetoupload1"]["type"] == "image/pjpeg")
        || ($_FILES["filetoupload1"]["type"] == "image/png")
        || ($_FILES["filetoupload1"]["type"] == "image/jpg")
    ) {
        if ($_FILES["filetoupload1"]["error"] > 0) {
            echo "Return Code: " . $_FILES["filetoupload1"]["error"] . "<br />";
        } else {
        if (file_exists("media/" . $_FILES["filetoupload1"]["name"])) {
                echo $_FILES["filetoupload1"]["name"] . " already exists. ";
            }
            move_uploaded_file(
                $_FILES["filetoupload1"]["tmp_name"],
                "media/" . $_FILES["filetoupload1"]["name"]
            );
        }
    } else {
        echo "Invalid file";
    }
}


if (isset($_FILES['filetoupload2'])) { 
    if ($_FILES["filetoupload2"]["type"] == "audio/mp3") {
        if ($_FILES["filetoupload2"]["error"] > 0) {
            echo "Return Code: " . $_FILES["filetoupload2"]["error"] . "<br />";
        } else {
        if (file_exists("media/" . $_FILES["filetoupload2"]["name"])) {
                echo $_FILES["filetoupload2"]["name"] . " already exists. ";
            }
            move_uploaded_file(
                $_FILES["filetoupload2"]["tmp_name"],
                "media/" . $_FILES["filetoupload2"]["name"]
            );
        }
    } else {
        echo "Invalid file";
    }
}

and then

if((isset($_FILES['filetoupload1'])) && (isset($_FILES['filetoupload2']))) { }

before both first and second upload scripts if the user had selected both image and audio file. In other words it did this:

if filetoupload1 isset then run upload script that filters images.
if filetoupload2 isset then run upload script that filters audio.
if filetoupload1 AND filetoupload2 isset then run both upload scripts.

I have it set like that. The above should allow for all combinations of file uploads. right? but it doesnt work so..

Now I have no idea what to do. Here's the uplo开发者_如何转开发ad script for the audio, the image one is pretty much the same:

Can someone tell me what I'm doing wrong please!

---

"I get the error: Invalid file"

This is correct, since your code just does this. Do not check if the file is set but if i.e. $_FILES["filetoupload1"]["type"] is not empty.

---

Your script makes your server vulnerable to a malicious user being able stomp on any file the webserver has access to:

$_FILES[...]['name'] - user supplied
$_FILES[...]['type'] - user supplied

You're trusting that the client has supplied the proper MIME type for the file, but nothing stops someone from forging a request and uploading "virus.exe" and setting the mime type to 'image/jpeg'. As well, since the remote filename is under user control, it can be subverted with malicious data. Consider:

$_FILES['picture']['type'] = 'image/gif'
$_FILES['picture']['name'] = 'remote_server_control.php'

Completely legitimate according to your script, because the mime type is "right", and yet you've now put a user-supplied PHP script on your server and with that they can take total control of your site and/or server.

Never EVER trust the data in the $_FILES array. Always determine MIME types via server-side utilities. If the script is only supposed to handle images, then use getimagesize(). As well, never use user-supplied filenames. Use something determined server-side to give the file a name, like a databasde auto_increment ID number. Even though your code doesn't allow for overwriting existing files, it's trivial to just come up with a new name and boom... new version of the remote takeover script.

---

I suggest to you to add a hidden text, this hidden will check witch upload fields are active, you make this check with javascript:

<html lang="en">
<head>
<meta charset="utf-8">
<style>

 </style>

<script type="text/javascript">
function uploadForm()
{
var size = 0;
var x = document.forms["myForm"]["upload1"].value.length;
var y = document.forms["myForm"]["upload2"].value.length;
if (x > 0)
  {
  size = 3;
  }
if (y > 0)
 {
  size += 2;
 }
 return size;
}
</script>

</head>
<body>


<form name="myForm" action="" method="GET" onsubmit="chose.value = uploadForm()">
<input type="file" name="upload1"><br>
<input type="file" name="upload2"><br>
<input type="hidden" name="chose" value=""><br>
<input type="submit" value="Submit">
</form>


</body>
</html>

Now, when you receive the form, you have to check the value of chose filed, if its 2, that is mean the image field is not empty, 3 audio filed is not empty, 5 both not empty:

<?php
switch($_GET["chose"])
 {
case 2:
//
 break;
case 3;
//
break;
case 5:
//
break;
default:
// here the user doesn't use any field

}
?>