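<?php
// Code for Session Cookie workaround: Flash does not send the browser's session
// cookie, so SWFUpload passes the session id explicitly in the request.
// session_id() only takes effect when it is called BEFORE session_start(); the
// original order (start first, then set the id) silently discarded the supplied
// id, so $_SESSION['diapid'] below was read from the wrong session. Only a
// well-formed id is accepted; anything else falls back to the cookie session.
$requested_sid = null;
if (isset($_POST["PHPSESSID"])) {
    $requested_sid = $_POST["PHPSESSID"];
} else if (isset($_GET["PHPSESSID"])) {
    $requested_sid = $_GET["PHPSESSID"];
}
if (is_string($requested_sid) && preg_match('/^[a-zA-Z0-9,-]{1,256}$/', $requested_sid)) {
    session_id($requested_sid);
}
session_start();

// Destination directory: <id>/<diapid> under the photo store. Both segments
// are restricted to digits so a crafted value cannot contain path separators
// or ".." and escape the intended directory (the original interpolated them
// into the path unchecked).
$id = isset($_COOKIE['id']) ? (string)$_COOKIE['id'] : '';            // -> id is '1'
$diapid = isset($_SESSION['diapid']) ? (string)$_SESSION['diapid'] : ''; // -> '122'
if (!ctype_digit($id) || !ctype_digit($diapid)) {
    HandleError("Invalid upload destination");
    exit(0);
}
// NOTE(review): $_COOKIE['id'] is client-controlled, so it selects a directory
// but does not prove the client owns it; the owner id should come from the
// authenticated session — confirm against the calling application.
$path = "../../../../diap/photos/$id/$diapid/";

// Check post_max_size (http://us3.php.net/manual/en/features.file-upload.php#73762)
// A body larger than post_max_size arrives with $_POST and $_FILES empty, which
// would otherwise be reported as the less helpful "No upload found".
$POST_MAX_SIZE = ini_get('post_max_size');
$unit = strtoupper(substr($POST_MAX_SIZE, -1));
$multiplier = ($unit === 'M' ? 1048576 : ($unit === 'K' ? 1024 : ($unit === 'G' ? 1073741824 : 1)));
$content_length = isset($_SERVER['CONTENT_LENGTH']) ? (int)$_SERVER['CONTENT_LENGTH'] : 0;
if ($POST_MAX_SIZE && $content_length > $multiplier * (int)$POST_MAX_SIZE) {
    header("HTTP/1.1 500 Internal Server Error");
    echo "POST exceeded maximum allowed size.";
    exit(0);
}

// Settings
$save_path = $path; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
$max_file_size_in_bytes = 2147483647; // 2GB in bytes
$extension_whitelist = array("jpg", "jpeg", "gif", "png"); // Allowed file extensions, compared case-insensitively
$valid_chars_regex = '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)

// Other variables
$MAX_FILENAME_LENGTH = 260;
$file_name = "";
$file_extension = "";
// Keyed by the UPLOAD_ERR_* codes PHP reports in $_FILES[...]['error'].
$uploadErrors = array(
    0=>"There is no error, the file uploaded with success",
    1=>"The uploaded file exceeds the upload_max_filesize directive in php.ini",
    2=>"The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form",
    3=>"The uploaded file was only partially uploaded",
    4=>"No file was uploaded",
    6=>"Missing a temporary folder",
    7=>"Failed to write file to disk",
    8=>"A PHP extension stopped the file upload"
);

// Validate the upload
if (!isset($_FILES['Filedata'])) {
    HandleError("No upload found in \$_FILES for " . 'Filedata');
    exit(0);
} else if (isset($_FILES['Filedata']["error"]) && $_FILES['Filedata']["error"] != 0) {
    // Unknown codes (future PHP versions) no longer trigger an undefined-index notice.
    $error_code = $_FILES['Filedata']["error"];
    HandleError(isset($uploadErrors[$error_code]) ? $uploadErrors[$error_code] : "Unknown upload error");
    exit(0);
} else if (!isset($_FILES['Filedata']["tmp_name"]) || !is_uploaded_file($_FILES['Filedata']["tmp_name"])) {
    HandleError("Upload failed is_uploaded_file test.");
    exit(0);
} else if (!isset($_FILES['Filedata']['name'])) {
    HandleError("File has no name.");
    exit(0);
}

// Validate the file size (Warning the largest files supported by this code is 2GB)
// is_uploaded_file() succeeded above, so the temp file exists and filesize() will not warn.
$file_size = filesize($_FILES['Filedata']["tmp_name"]);
if (!$file_size || $file_size > $max_file_size_in_bytes) {
    HandleError("File exceeds the maximum allowed size");
    exit(0);
}

// Validate file name (for our purposes we'll just remove invalid characters)
// basename() drops any directory component; the regex removes characters
// outside the allow-list and any trailing dots.
$file_name = preg_replace('/[^'.$valid_chars_regex.']|\.+$/i', "", basename($_FILES['Filedata']['name']));
if (strlen($file_name) == 0 || strlen($file_name) > $MAX_FILENAME_LENGTH) {
    HandleError("Invalid file name");
    exit(0);
}

// Validate that we won't over-write an existing file
if (file_exists($save_path . $file_name)) {
    HandleError("File with this name already exists");
    exit(0);
}

// Validate file extension against the name that will actually be written to
// disk ($file_name), not the raw client-supplied name the original inspected;
// the two can differ after sanitisation. The comparison is case-insensitive
// and strict (in_array with a type check).
$path_info = pathinfo($file_name);
$file_extension = isset($path_info["extension"]) ? $path_info["extension"] : "";
if (!in_array(strtolower($file_extension), $extension_whitelist, true)) {
    HandleError("Invalid file extension");
    exit(0);
}
// NOTE(review): only the final extension is checked. If the photos directory
// is served directly by the web server, it should be configured not to execute
// scripts from it — confirm in the deployment.

// Validate file contents (extension and mime-type can't be trusted)
/*
Validating the file contents is OS and web server configuration dependant. Also, it may not be reliable.
See the comments on this page: http://us2.php.net/fileinfo
Also see http://72.14.253.104/search?q=cache:3YGZfcnKDrYJ:www.scanit.be/uploads/php-file-upload.pdf+php+file+command&hl=en&ct=clnk&cd=8&gl=us&client=firefox-a
which describes how a PHP script can be embedded within a GIF image file.
Therefore, no sample code will be provided here. Research the issue, decide how much security is
needed, and implement a solution that meets the needs.
*/

// Process the file
/*
At this point we are ready to process the valid file. This sample code shows how to save the file. Other tasks
could be done such as creating an entry in a database or generating a thumbnail.
Depending on your server OS and needs you may need to set the Security Permissions on the file after it has
been saved.
*/
// move_uploaded_file() emits a warning on failure; it is suppressed so the
// warning text cannot precede the 500 header sent by HandleError().
if (!@move_uploaded_file($_FILES['Filedata']["tmp_name"], $save_path.$file_name)) {
    HandleError("File could not be saved: ". $save_path.$file_name);
    exit(0);
}

// Return output to the browser (only supported by SWFUpload for Flash Player 9)
echo "File Received ". $save_path.$file_name;
exit(0);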
/*
 * Reports a failed upload to the client.
 *
 * Written for SWFUpload with Flash Player 8, which cannot read a response body,
 * so the failure is signalled through a 500 status alone; the message is still
 * emitted for anyone inspecting the response directly. With Flash Player 9 you
 * would instead return a body that your uploadSuccess handler inspects for an
 * error marker.
 *
 * @param string $message Plain-text description of the failure.
 */
function HandleError($message) {
    $status_line = "HTTP/1.1 500 Internal Server Error";
    header($status_line);
    print $message;
}