Simple Image Uploader

TerrorRonin · 03-26-2008, 03:13 PM

I still see an abundance of image uploaded sites popping up.. so I got bored, and had a domain lying around, so I built a very simple application that people can use if they'd like.

A live (permanent) demo of the script is located at Free Image Hosting!

You can upload images there if you'd like, or you build your own, by using the source code shown below!

PHP Code:


			
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>

    <title>Free Image Hosting!</title>

    <style type="text/css">

        body {

            margin: 0;

            padding: 50px 0 0;

            font-family: "Lucida Sans Unicode", Verdana, Arial, Sans-Serif;

            font-size: 11px;

        }

        

        a {

            color: #000000;

        }

        

        h1 {

            margin: 0;

            padding: 0;

        }

        

        h2 {

            margin: 10px 0;

            padding: 0:

            font-size: 12px;

        }

        

        #wrapper {

            background-color: #f0f0f0;

            border: 2px solid #d9d9d9;

            border-left: none;

            border-right: none;

            margin: 10px 0;

            padding: 10px;

            line-height: 25px;

            font-size: 12px;

        }

    </style>

</head>

<body><center>



    <?php

    

    $dir = dirname(__FILE__) . '/uploads/';

    

    if (is_dir($dir))

    {

        if ($dh = opendir($dir))

        {

            $filecount = '0';

            

            while (($file = readdir($dh)) !== false)

            {

                if(!($file == '.' || $file == '..'))

                {

                    ++$filecount;

                }

            }

            closedir($dh);

            

            echo "\n";

        }

    }

    else

    {

        echo "You must create a /upload/ directory before this script will work.\n";

    }

    

    ?>

    <h1>Free Image Hosting!</h1>

    <div id="wrapper">

        <form method="post" enctype="multipart/form-data" action="<?php echo $_SERVER['PHP_SELF']; ?>">

            Upload Image <input type="file" name="userfile" />

            <input type="submit" name="submit" value="Upload" />

        </form>

        <strong>Allowed Extensions:</strong> gif, jpg, bmp, png<br />

    </div>

    Currently Hosting <strong><?php echo $filecount; ?></strong> images!<br />

    

    <?php

    

        if(isset($_POST['submit']))

        {

            if(is_uploaded_file($_FILES['userfile']['tmp_name']))

            {

                if (($_FILES['userfile']['type']=="image/gif") || ($_FILES['userfile']['type']=="image/bmp") || ($_FILES['userfile']['type']=="image/pjpeg") || ($_FILES['userfile']['type']=="image/jpeg") || ($_FILES['userfile']['type']=="image/png") ) 

                {

                    # // -- Upload Process Starts

                        

                    $file = '/uploads/' . date('mdyhis') . '-' . basename($_FILES['userfile']['name']);

                        

                    if (@move_uploaded_file($_FILES['userfile']['tmp_name'], "./" . $file))

                    {

                        $url = 'http://' . $_SERVER['HTTP_HOST'] . $file;

                        

                        echo "<h2>File URL: <a href=\"{$url}\">{$url}</a></h2>\n";

                    }

                    else

                    {

                        echo "<h2>Unable to upload file to webserver, please verify that this directory exists</h2>\n";

                    }

                        

                    # // -- Upload Process Ends

                }

                else

                {

                    echo "<h2>Unacceptable File Type.  Please upload only as specified.</h2>\n";

                }

            }

        }

        else

        {

            echo "<h2></h2>\n";

        }

    

    ?>



</center>

</body>

</html>

If any of you have security fixes, or would like to add to this script, please do. I'll add any fixes that you like, etc.. maybe it can become a cool little script in the end :) I know it's not all that advanced right now, but this was just for fun :P

martins256 · 03-26-2008, 04:25 PM

$_FILES['userfile']['type'] is sent by the user thats uploads the file. you should check the file type with getimagesize()

TerrorRonin · 03-26-2008, 05:12 PM

Just add any fixes you have :D Sort of like an Open Source project :P

sjaq · 03-26-2008, 07:06 PM

You should also check the extention, because someone could upload a valid image with some random php code at the end and your script will save it as .php so it will run. Don't have the time to fix this now but maybe later...

TerrorRonin · 03-26-2008, 07:34 PM

Yeah, i'd like to see you guys add to the code rather than just giving recommendations.. I want to see how you all would do it yourselves, so I can get hints in my future programming.

Dezent · 06-16-2008, 05:01 PM

Did anyone have the extention so you cant upload random php code ?

ETbyrne · 06-16-2008, 07:40 PM

Use $filename = $_FILES['fieldname']['name']; to find the uploading file's name. Then just use
$filetype = explode('.', $filename);
$filetype = end($filetype);
to find the file exstention.

Also, please don't bump old topics.

EyeDentify · 06-18-2008, 11:39 AM

@TerrorRonin.

I get the lazy vibe from this post.

Why don´t you take the recommendations and change the code yourself?

Salathe · 06-18-2008, 01:22 PM

(Emphasis aded by Salathe)

Quote:

Originally Posted by TerrorRonin

A live (permanent) demo of the script is located at Free Image Hosting!

It's probably a good job that your permanent demo isn't up there any more because it's a trivial matter to upload and execute arbitrary files (including but not limited to PHP files).