Exif in upload script

Ruud Linssen

14/09/2011 17:11:22
Hello everyone!
I had a question about the upload script below for a photo album.
I also want to add to the database the date on which the photo was taken. This means I have to pull the EXIF data out. I have no idea at all where I should put that?

Thanks
Ruud


Code (php)
<?php
include("settings.php");
$username = $_GET['username'];
$albumid = $_POST['albumid'];
/*
   This is an upload script for SWFUpload that attempts to properly handle uploaded files
   in a secure way.

   Notes:

   SWFUpload doesn't send a MIME-TYPE. In my opinion this is ok since MIME-TYPE is no better than
   file extension and is probably worse because it can vary from OS to OS and browser to browser (for the same file).
   The best thing to do is content sniff the file but this can be resource intensive, is difficult, and can still be fooled or inaccurate.
   Accepting uploads can never be 100% secure.

   You can't guarantee that SWFUpload is really the source of the upload.  A malicious user
   will probably be uploading from a tool that sends invalid or false metadata about the file.
   The script should properly handle this.

   The script should not over-write existing files.

   The script should strip away invalid characters from the file name or reject the file.

   The script should not allow files to be saved that could then be executed on the webserver (such as .php files).
   To keep things simple we will use an extension whitelist for allowed file extensions.  Which files should be allowed
   depends on your server configuration. The extension white-list is _not_ tied to your SWFUpload file_types setting

   For better security uploaded files should be stored outside the webserver's document root.  Downloaded files
   should be accessed via a download script that proxies from the file system to the webserver.  This prevents
   users from executing malicious uploaded files.  It also gives the developer control over the outgoing mime-type,
   access restrictions, etc.  This, however, is outside the scope of this script.

   SWFUpload sends each file as a separate POST rather than several files in a single post. This is a better
   method in my opinion since it better handles file size limits, e.g., if post_max_size is 100 MB and I post two 60 MB files then
   the post would fail (2x60MB = 120MB). In SWFupload each 60 MB is posted as separate post and we stay within the limits. This
   also simplifies the upload script since we only have to handle a single file.

   The script should properly handle situations where the post was too large or the posted file is larger than
   our defined max.  These values are not tied to your SWFUpload file_size_limit setting.

*/

// Code for Session Cookie workaround

if (isset($_POST["PHPSESSID"])) {
    session_id($_POST["PHPSESSID"]);
    $username = $_POST['username'];
}
else if (isset($_GET["PHPSESSID"])) {
    session_id($_GET["PHPSESSID"]);
    $username = $_GET['username'];
}


session_start();

// Check post_max_size (http://us3.php.net/manual/en/features.file-upload.php#73762)
$POST_MAX_SIZE = ini_get('post_max_size');
$unit = strtoupper(substr($POST_MAX_SIZE, -1));
$multiplier = ($unit == 'M' ? 1048576 : ($unit == 'K' ? 1024 : ($unit == 'G' ? 1073741824 : 1)));

if ((int)$_SERVER['CONTENT_LENGTH'] > $multiplier*(int)$POST_MAX_SIZE && $POST_MAX_SIZE) {
    header("HTTP/1.1 500 Internal Server Error");
    echo "POST exceeded maximum allowed size.";
    exit(0);
}


if(!$username) {
    header("HTTP/1.1 500 Internal Server Error");
    echo "Niet correct: ".$username;
    exit(0);
}

// Settings
$save_path = getcwd() . "/uploads/";                // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
$upload_name = "Filedata";
$max_file_size_in_bytes = 2147483647;                // 2GB in bytes
$extension_whitelist = array("jpg", "gif", "png");    // Allowed file extensions
$valid_chars_regex = '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-';                // Characters allowed in the file name (in a Regular Expression format)

// Other variables

$MAX_FILENAME_LENGTH = 260;
$file_name = "";
$file_extension = "";
$uploadErrors = array(
        0=>"There is no error, the file uploaded with success",
        1=>"The uploaded file exceeds the upload_max_filesize directive in php.ini",
        2=>"The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form",
        3=>"The uploaded file was only partially uploaded",
        4=>"No file was uploaded",
        6=>"Missing a temporary folder"
    );


// Validate the upload
if (!isset($_FILES[$upload_name])) {
    HandleError("No upload found in \$_FILES for " . $upload_name);
    exit(0);
}
else if (isset($_FILES[$upload_name]["error"]) && $_FILES[$upload_name]["error"] != 0) {
    HandleError($uploadErrors[$_FILES[$upload_name]["error"]]);
    exit(0);
}
else if (!isset($_FILES[$upload_name]["tmp_name"]) || !@is_uploaded_file($_FILES[$upload_name]["tmp_name"])) {
    HandleError("Upload failed is_uploaded_file test.");
    exit(0);
}
else if (!isset($_FILES[$upload_name]['name'])) {
    HandleError("File has no name.");
    exit(0);
}


// Validate the file size (Warning: the largest files supported by this code is 2GB)
$file_size = @filesize($_FILES[$upload_name]["tmp_name"]);
if (!$file_size || $file_size > $max_file_size_in_bytes) {
    HandleError("File exceeds the maximum allowed size");
    exit(0);
}


if ($file_size <= 0) {
    HandleError("File size outside allowed lower bound");
    exit(0);
}



// Generate a random numeric file name; the client-supplied name is never used on disk.
// The bounds must fit in a PHP integer, so stay within mt_getrandmax().
$file_name = (string) mt_rand(1000000000, mt_getrandmax());
if (strlen($file_name) == 0 || strlen($file_name) > $MAX_FILENAME_LENGTH) {
    HandleError("Invalid file name");
    exit(0);
}



// Validate that we won't over-write an existing file
if (file_exists($save_path . $file_name)) {
    HandleError("File with this name already exists");
    exit(0);
}


// Validate file extension
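$path_info = pathinfo($_FILES[$upload_name]['name']);
// A name without a dot has no "extension" key; compare case-insensitively (e.g. "JPG")
$file_extension = isset($path_info["extension"]) ? strtolower($path_info["extension"]) : "";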
$is_valid_extension = false;
foreach ($extension_whitelist as $extension) {
    if ($file_extension == $extension) {
        $is_valid_extension = true;
        break;
    }
}

if (!$is_valid_extension) {
    HandleError("Invalid file extension");
    exit(0);
}


// Validate file contents (extension and mime-type can't be trusted)
/*
   Validating the file contents is OS and web server configuration dependent.  Also, it may not be reliable.
   See the comments on this page: http://us2.php.net/fileinfo

   Also see http://72.14.253.104/search?q=cache:3YGZfcnKDrYJ:www.scanit.be/uploads/php-file-upload.pdf+php+file+command&hl=en&ct=clnk&cd=8&gl=us&client=firefox-a
   which describes how a PHP script can be embedded within a GIF image file.

   Therefore, no sample code will be provided here.  Research the issue, decide how much security is
   needed, and implement a solution that meets the needs.
*/


// Process the file
/*
   At this point we are ready to process the valid file. This sample code shows how to save the file. Other tasks
   could be done such as creating an entry in a database or generating a thumbnail.

   Depending on your server OS and needs you may need to set the Security Permissions on the file after it has
   been saved.
*/

if (!@move_uploaded_file($_FILES[$upload_name]["tmp_name"], $save_path.$file_name)) {
    HandleError("File could not be saved.");
    exit(0);
}


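// Get the image and create a thumbnail
// imagecreatefromstring() detects JPEG, GIF and PNG, matching the extension whitelist
$img = @imagecreatefromstring(file_get_contents($save_path.$file_name));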
if (!$img) {
    echo "ERROR:could not create image handle ". $save_path.$file_name;
    exit(0);
}


$width = imageSX($img);
$height = imageSY($img);

if (!$width || !$height) {
    echo "ERROR:Invalid width or height";
    exit(0);
}

// Build the thumbnail
$target_width = 256;
$target_height = 192;
$target_ratio = $target_width / $target_height;

$img_ratio = $width / $height;

if ($target_ratio > $img_ratio) {
    $new_height = $target_height;
    $new_width = $img_ratio * $target_height;
}
else {
    $new_height = $target_width / $img_ratio;
    $new_width = $target_width;
}


if ($new_height > $target_height) {
    $new_height = $target_height;
}

if ($new_width > $target_width) {
    $new_width = $target_width;
}


$new_img = ImageCreateTrueColor(256, 192);
if (!@imagefilledrectangle($new_img, 0, 0, $target_width-1, $target_height-1, 0)) {    // Fill the image black
    echo "ERROR:Could not fill new image";
    exit(0);
}


if (!@imagecopyresampled($new_img, $img, ($target_width-$new_width)/2, ($target_height-$new_height)/2, 0, 0, $new_width, $new_height, $width, $height)) {
    echo "ERROR:Could not resize image";
    exit(0);
}


// Use output buffering to load the image into a variable
ob_start();
imagejpeg($new_img, $save_path."thumbnail".$file_name, 100);
$imagevariable = ob_get_contents();
ob_end_clean();


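// Escape every value that ends up in the query; $username comes straight from GET/POST
mysql_query("INSERT INTO `photos` (`albumid`, `name`, `username`, `date`, `time`) VALUES ('".mysql_real_escape_string($albumid)."', '".mysql_real_escape_string($file_name)."', '".mysql_real_escape_string($username)."', '".date("Y-m-d")."', '".date("H:i")."')") or die(mysql_error());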
// Return output to the browser (only supported by SWFUpload for Flash Player 9)
echo $save_path;

exit(0);


/* Handles the error output.  This function was written for SWFUpload for Flash Player 8 which
   cannot return data to the server, so it just returns a 500 error. For Flash Player 9 you will
   want to change this to return the server data you want to indicate an error and then use SWFUpload's
   uploadSuccess to check the server_data for your error indicator. */

function HandleError($message) {
    header("HTTP/1.1 500 Internal Server Error");
    echo $message;
}

?>
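
An added example, not part of the original post or of the SWFUpload sample: one way to read the capture date once move_uploaded_file() has succeeded, treating the EXIF tag as untrusted text that must match the EXIF date format before it goes anywhere near the INSERT. The function names are hypothetical and PHP's exif extension is assumed to be loaded.

```php
<?php
// Added example. Returns the capture time of the saved upload as
// 'Y-m-d H:i:s', or null when the file carries no usable EXIF date.
function exif_capture_datetime($path)
{
    if (!function_exists('exif_read_data')) {
        return null;                      // exif extension not available
    }
    // exif_read_data() raises warnings on malformed segments and returns
    // false for files without EXIF (GIF, PNG), so treat both as "no date".
    $exif = @exif_read_data($path);
    if ($exif === false) {
        return null;
    }
    // Prefer the shutter time, then fall back to the other date tags.
    foreach (array('DateTimeOriginal', 'DateTimeDigitized', 'DateTime') as $tag) {
        if (isset($exif[$tag]) && is_string($exif[$tag])) {
            $parsed = parse_exif_datetime($exif[$tag]);
            if ($parsed !== null) {
                return $parsed;
            }
        }
    }
    return null;
}

// EXIF stores dates as "YYYY:MM:DD HH:MM:SS". The tag is written by whoever
// produced the file, so accept only that exact shape and a real calendar date.
function parse_exif_datetime($raw)
{
    $pattern = '/^(\d{4}):(\d{2}):(\d{2}) (\d{2}):(\d{2}):(\d{2})$/D';
    if (!preg_match($pattern, trim($raw), $m)) {
        return null;
    }
    if (!checkdate((int)$m[2], (int)$m[3], (int)$m[1])
        || (int)$m[4] > 23 || (int)$m[5] > 59 || (int)$m[6] > 59) {
        return null;
    }
    return sprintf('%s-%s-%s %s:%s:%s', $m[1], $m[2], $m[3], $m[4], $m[5], $m[6]);
}

// Constructed sample values: a well-formed tag, a tag with SQL text appended,
// and the all-zero date some cameras write when the clock was never set.
var_dump(parse_exif_datetime('2011:09:14 17:11:22'));
var_dump(parse_exif_datetime("2011:09:14 17:11:22' OR '1'='1"));
var_dump(parse_exif_datetime('0000:00:00 00:00:00'));
```

In the script above the call would be exif_capture_datetime($save_path.$file_name) placed after the move_uploaded_file() check, with a null result stored as SQL NULL and any other result still passed through mysql_real_escape_string().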
 
Sebastiaan Blaas

15/09/2011 23:44:40
First learn to crawl.. then walk...
 


