06-08-2010, 07:47 PM   #9
SaintIsaiah

Seems to be working a lot better now. I also figured out how to stop files that aren't real images by checking the file's true mime type. Tested it by trying to upload an exe renamed as an image extension.

Please let me know if you spot anything else out of whack.

Thanks!

PHP Code:
<?php

define("MAX_SIZE", "102400"); // upload limit in bytes (100 KB)

$errors = 0;

if (isset($_POST['Submit'])) {
    $image = $_FILES['image']['name'];
    if ($image) {
        //DEFINE IMAGE INFO
        $size = filesize($_FILES['image']['tmp_name']);
        // getimagesize() reads the real image header and returns false for
        // anything that is not an image, whatever the client-supplied name says
        $info   = getimagesize($_FILES['image']['tmp_name']);
        $width  = $info ? $info[0] : 0;
        $height = $info ? $info[1] : 0;
        $type   = $info ? $info[2] : 0;
        //END DEFINE IMAGE INFO

        //Check if the image is a valid MIME type, regardless of file extension
        // (only the three types named in the error message are accepted)
        if (!in_array($type, array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG), true)) {
            echo '<div align="center"><h5 style="color: #FF0000; font-family: arial;">Sorry, only "jpg", "png", and "gif" avatars are allowed</h5></div>';
            $errors = 1;
        } else {
            // Check if the image is larger than 100px by 100px
            if (($width > 100) || ($height > 100)) {
                echo '<div align="center"><h5 style="color: #FF0000; font-family: arial;">Please upload images 100px by 100px or smaller.</h5></div>';
                $errors = 1;
            }

            //Check if the file is larger than 100kb
            if ($size > MAX_SIZE) {
                echo '<div align="center"><h5 style="color: #FF0000; font-family: arial;">You have exceeded the size limit!</h5></div>';
                $errors = 1;
            }

            if ($errors) {
                echo '
<body bgcolor="#575757">
<center>
<h5 style="color: #FFFFFF; font-family: arial;">Upload Your Avatar!</h5></center>
<br />
<div align="center">
<form name="newad" method="post" enctype="multipart/form-data" action="">
<input type="file" name="image">
<input name="Submit" type="submit" value="Upload image">
</form>
</div>
</center>
</body>
';
                exit;
            }

            // DEFINE NEW FILE NAME USING TIMESTAMP
            // The extension is taken from the detected image type, not from the
            // uploaded filename, so the stored name cannot end in e.g. ".php"
            $extension  = image_type_to_extension($type, false);
            $image_name = time() . '.' . $extension;

            //DEFINE NEW IMAGE LOCATION
            $newname = "uploads/" . $image_name;

            // Move the image to the new folder; move_uploaded_file() only accepts
            // a file that actually arrived as an upload in this request
            $copied = move_uploaded_file($_FILES['image']['tmp_name'], $newname);

            // If the move failed, say so
            if (!$copied) {
                echo '<div align="center"><h5 style="color: #FF0000; font-family: arial;">Copy unsuccessful!</h5></div>';
                $errors = 1;
            }
        }
    }
}

//If there are no errors, print the success message
if (isset($_POST['Submit']) && !$errors) {
    echo '<body bgcolor="#575757">';
    echo '<div align="center"><h5 style="color: #00CC00; font-family: arial;">File Uploaded Successfully!<br /><a style="color: #FFFFFF" href="javascript:void(0);" onClick="parent.location.reload();parent.Shadowbox.close()">Save and Close</a></h5></div>';
    echo '</body>';
    exit;
}

echo '
<body bgcolor="#575757">
<center>
<h5 style="color: #FFFFFF; font-family: arial;">Upload Your Avatar!</h5></center>
<br />
<div align="center">
<form name="newad" method="post" enctype="multipart/form-data" action="">
<input type="file" name="image">
<input name="Submit" type="submit" value="Upload image">
</form>
</div>
</center>
</body>
';
?>
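The content-based check the post describes, as an added stand-alone example that is not the poster's code: it validates a file purely by what getimagesize() and libmagic find in its bytes, then derives the extension to store from the detected type. It assumes the fileinfo extension is loaded; the size, dimension and type limits mirror the post, and the two sample files are constructed in place.

```php
<?php
// Added example, not the original post's code. Validates an avatar by its
// content rather than its client-supplied name. Assumes ext/fileinfo is loaded.
const MAX_BYTES     = 102400;                                // 100 KB, as in the post
const MAX_DIM       = 100;                                   // 100x100 px, as in the post
const ALLOWED_TYPES = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
const ALLOWED_MIME  = ['image/gif', 'image/jpeg', 'image/png'];

/** Returns [bool ok, string reason, string extension to store]. */
function checkAvatar(string $path): array
{
    $bytes = filesize($path);
    if ($bytes === false || $bytes > MAX_BYTES) {
        return [false, 'file exceeds ' . MAX_BYTES . ' bytes', ''];
    }
    // getimagesize() parses the real image header; a renamed executable yields false.
    $info = @getimagesize($path);
    if ($info === false || !in_array($info[2], ALLOWED_TYPES, true)) {
        return [false, 'not a gif, jpeg or png image', ''];
    }
    if ($info[0] > MAX_DIM || $info[1] > MAX_DIM) {
        return [false, "image is {$info[0]}x{$info[1]}, limit is " . MAX_DIM, ''];
    }
    // Second opinion from libmagic: both detectors must agree on an image type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return [false, "libmagic reports $mime", ''];
    }
    // The stored extension is derived from the detected type, so the client's
    // filename never influences what ends up in the uploads directory.
    return [true, 'ok', image_type_to_extension($info[2], false)];
}

// Constructed samples: a 1x1 GIF89a header, and an MZ (DOS/PE) header stub of
// the kind a client could rename to "avatar.gif". Neither is a real upload.
$samples = [
    'tiny.gif'    => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    'renamed.gif' => "MZ" . str_repeat("\x00", 62),
];
foreach ($samples as $label => $content) {
    $tmp = tempnam(sys_get_temp_dir(), 'av');
    file_put_contents($tmp, $content);
    [$ok, $reason, $ext] = checkAvatar($tmp);
    printf("%-12s ok=%s ext=%s reason=%s\n", $label, var_export($ok, true), $ext, $reason);
    unlink($tmp);
}
```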