140 lines
No EOL
5.2 KiB
PHP
140 lines
No EOL
5.2 KiB
PHP
<?php
|
|
|
|
/**
|
|
* @Author : Arslan Hassan
|
|
* License : SWFUpload <http://swfupload.org/>
|
|
* This file is used to upload file using SWFUpload
|
|
* you dont need to edit this file, edit it at yout own risk :)
|
|
*/
|
|
include('../includes/config.inc.php');
|
|
|
|
// Check post_max_size (http://us3.php.net/manual/en/features.file-upload.php#73762)
|
|
$POST_MAX_SIZE = ini_get('post_max_size');
|
|
$unit = strtoupper(substr($POST_MAX_SIZE, -1));
|
|
$multiplier = ($unit == 'M' ? 1048576 : ($unit == 'K' ? 1024 : ($unit == 'G' ? 1073741824 : 1)));
|
|
|
|
if ((int)$_SERVER['CONTENT_LENGTH'] > $multiplier*(int)$POST_MAX_SIZE && $POST_MAX_SIZE) {
|
|
header("HTTP/1.1 500 Internal Server Error"); // This will trigger an uploadError event in SWFUpload
|
|
echo "POST exceeded maximum allowed size.";
|
|
exit(0);
|
|
}
|
|
|
|
// Settings
|
|
$save_path = TEMP_DIR.'/'; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
|
|
$upload_name = "Filedata";
|
|
$max_file_size_in_bytes = 2147483647; // 2GB in bytes
|
|
|
|
$types = strtolower($row['allowed_types']);
|
|
$types_array = preg_replace('/,/',' ',$types);
|
|
$types_array = explode(' ',$types_array);
|
|
|
|
$extension_whitelist = $types_array; // Allowed file extensions
|
|
$valid_chars_regex = '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format)
|
|
|
|
// Other variables
|
|
$MAX_FILENAME_LENGTH = 260;
|
|
$file_name = "";
|
|
$file_extension = "";
|
|
$uploadErrors = array(
|
|
0=>"There is no error, the file uploaded with success",
|
|
1=>"The uploaded file exceeds the upload_max_filesize directive in php.ini",
|
|
2=>"The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form",
|
|
3=>"The uploaded file was only partially uploaded",
|
|
4=>"No file was uploaded",
|
|
6=>"Missing a temporary folder"
|
|
);
|
|
|
|
|
|
// Validate the upload
|
|
if (!isset($_FILES[$upload_name])) {
|
|
HandleError("No upload found in \$_FILES for " . $upload_name);
|
|
exit(0);
|
|
} else if (isset($_FILES[$upload_name]["error"]) && $_FILES[$upload_name]["error"] != 0) {
|
|
HandleError($uploadErrors[$_FILES[$upload_name]["error"]]);
|
|
exit(0);
|
|
} else if (!isset($_FILES[$upload_name]["tmp_name"]) || !@is_uploaded_file($_FILES[$upload_name]["tmp_name"])) {
|
|
HandleError("Upload failed is_uploaded_file test.");
|
|
exit(0);
|
|
} else if (!isset($_FILES[$upload_name]['name'])) {
|
|
HandleError("File has no name.");
|
|
exit(0);
|
|
}
|
|
|
|
// Validate the file size (Warning: the largest files supported by this code is 2GB)
|
|
$file_size = @filesize($_FILES[$upload_name]["tmp_name"]);
|
|
if (!$file_size || $file_size > $max_file_size_in_bytes) {
|
|
HandleError("File exceeds the maximum allowed size");
|
|
exit(0);
|
|
}
|
|
|
|
if ($file_size <= 0) {
|
|
HandleError("File size outside allowed lower bound");
|
|
exit(0);
|
|
}
|
|
|
|
|
|
// Validate file name (for our purposes we'll just remove invalid characters)
|
|
$file_name = $_POST['file_name'].'.'.strtolower(getExt($_FILES[$upload_name]['name']));
|
|
if (strlen($file_name) == 0 || strlen($file_name) > $MAX_FILENAME_LENGTH) {
|
|
HandleError("Invalid file name");
|
|
exit(0);
|
|
}
|
|
|
|
|
|
// Validate that we won't over-write an existing file
|
|
if (file_exists($save_path . $file_name)) {
|
|
exit();
|
|
}
|
|
|
|
// Validate file extension
|
|
$path_info = pathinfo($_FILES[$upload_name]['name']);
|
|
$file_extension = $path_info["extension"];
|
|
$is_valid_extension = false;
|
|
foreach ($extension_whitelist as $extension) {
|
|
if (strcasecmp($file_extension, $extension) == 0) {
|
|
$is_valid_extension = true;
|
|
break;
|
|
}
|
|
}
|
|
if (!$is_valid_extension) {
|
|
HandleError("Invalid file extension");
|
|
exit(0);
|
|
}
|
|
|
|
// Validate file contents (extension and mime-type can't be trusted)
|
|
/*
|
|
Validating the file contents is OS and web server configuration dependant. Also, it may not be reliable.
|
|
See the comments on this page: http://us2.php.net/fileinfo
|
|
|
|
Also see http://72.14.253.104/search?q=cache:3YGZfcnKDrYJ:www.scanit.be/uploads/php-file-upload.pdf+php+file+command&hl=en&ct=clnk&cd=8&gl=us&client=firefox-a
|
|
which describes how a PHP script can be embedded within a GIF image file.
|
|
|
|
Therefore, no sample code will be provided here. Research the issue, decide how much security is
|
|
needed, and implement a solution that meets the needs.
|
|
*/
|
|
|
|
|
|
// Process the file
|
|
/*
|
|
At this point we are ready to process the valid file. This sample code shows how to save the file. Other tasks
|
|
could be done such as creating an entry in a database or generating a thumbnail.
|
|
|
|
Depending on your server OS and needs you may need to set the Security Permissions on the file after it has
|
|
been saved.
|
|
*/
|
|
if (!@move_uploaded_file($_FILES[$upload_name]["tmp_name"], $save_path.$file_name)) {
|
|
HandleError("File could not be saved.");
|
|
exit(0);
|
|
}else{
|
|
$Upload->add_conversion_queue($file_name);
|
|
exec(php_path()." -q ".BASEDIR."/actions/video_convert.php &> /dev/null &");
|
|
}
|
|
|
|
exit(0);
|
|
|
|
/* Handles the error output. This error message will be sent to the uploadSuccess event handler. The event handler
|
|
will have to check for any error messages and react as needed. */
|
|
function HandleError($message) {
|
|
echo $message;
|
|
}
|
|
?>
|