Simple Upload Script (with EXTENSION check XD)
Many beginning PHP programmers have some trouble with upload scripts. This is mainly because they forget to put enctype="multipart/form-data" in their form tag, but the checks usually don't go that smoothly in the beginning either. I myself now have to bear the consequences of a mistake of mine (from a number of years ago) in an upload script that did not check extensions, so here I'm posting a self-written safe upload script with a clear config with options for setting the maximum size, the extensions and the upload folder. I've also placed as many comments as possible so that beginning programmers can clearly see what I'm doing. Enjoy. Don't forget to chmod the upload folder, and please leave the copyright in the script. It can't be seen by the public anyway.
<?php
////////////////////////////////////
// © 2009 Wouter De Schuyter
// info[@]paradox-productions[.]net
// http://paradox-productions.net/
// UPLOAD SCRIPT V1.0
////////////////////////////////////
/* NOTE
*******
!! DON'T FORGET TO CHMOD THE UPLOAD FOLDER TO 0777
THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 3.0 LICENSE.
THIS MEANS YOU MAY USE IT FOR ANY PURPOSE, AND MAKE ANY CHANGES YOU LIKE.
ALL I ASK IS TO LEAVE THE ORIGINAL COPYRIGHT AT TOP OF THE SCRIPT.
VIEW LICENSE ONLINE: http://creativecommons.org/licenses/by/3.0/
*/
/* CONFIG
*********/
$extensions = array('png', 'gif', 'jpg', 'jpeg', 'bmp', 'pdf', 'doc', 'docx', 'html', 'psd', 'css'); // ALLOWED EXTENSIONS
$tfolder = "uploads/"; // UPLOADS FOLDER WITH "/" AT THE END (JUST DIR)!
$scriptloc = "http://paradox-productions.net/upload-project/"; // SCRIPT LOCATION WITH "/" AT THE END (FULL URL)!
$maxfsize = 3; // MAXIMUM FILESIZE (IN MEGABYTES)
$extensioncheck = false; // BECOMES true BELOW WHEN THE EXTENSION IS IN THE ALLOWED LIST
$success = false; // BECOMES true BELOW WHEN THE FILE HAS BEEN MOVED SUCCESSFULLY
// CHECK IF THE FORM HAS BEEN SUBMITTED
if($_SERVER['REQUEST_METHOD'] == "POST") {
    $fname = isset($_FILES['filen']['name']) ? $_FILES['filen']['name'] : ''; // FILE NAME FOR EXTENSION CHECK ('' WHEN NO FILE FIELD WAS SENT)
    $fext = strtolower(pathinfo($fname, PATHINFO_EXTENSION)); // GET EXTENSION (THE PART AFTER THE LAST DOT)
    $ftemp = isset($_FILES['filen']['tmp_name']) ? $_FILES['filen']['tmp_name'] : ''; // TEMP NAME
    $newname = md5(rand(rand(1, 9999), rand(1, 9999))) . "." . $fext; // MD5 HASH OF A RANDOM NUMBER BETWEEN 2 RANDOM NUMBERS BETWEEN 1 AND 9999 = RANDOM FILE NAME
    $target = $tfolder . $newname; // LOCATION FILE
    // CHECK IF THERE IS A FILE SELECTED
    if(!empty($fname)) {
        // CHECK THE EXTENSION (EXACT MATCH AGAINST THE ALLOWED LIST)
        if(in_array($fext, $extensions, true)) {
            $extensioncheck = true;
        }
        // IF EXTENSION IS ALLOWED
        if($extensioncheck == true) {
            // IF FILE IS TOO BIG (SIZE OF THE TEMP FILE ON DISK, NOT THE CLIENT-SUPPLIED SIZE)
            if(filesize($ftemp) > $maxfsize * (1024*1024)) {
                echo "Your file is too big. The maximum filesize is <b>" . $maxfsize . "</b>MB.";
            }
            // IF FILESIZE IS ALLOWED
            else {
                // CHECK FOR FALSE FILES EG image.php.gif (SOME SERVERS JUST TAKE .php AND THIS IS A POSSIBLE RISK)
                if(!strstr(strtolower($fname), "php")) {
                    // TRY TO MOVE THE FILE TO THE DIRECTORY WITH ITS NEW RANDOM NAME
                    $upload = move_uploaded_file($ftemp, $target);
                    if($upload) {
                        echo "Your file has successfully been uploaded.<br />Download link: <b>" . $scriptloc . $target . "</b>";
                        $success = true;
                    }
                    // UPLOAD ERROR
                    else {
                        echo "upload error";
                    }
                }
                // WHEN THE FILE NAME CONTAINS php
                else {
                    echo "Your file cannot contain the string 'php'!";
                }
            } // CLOSE FILESIZE ALLOWED ELSE BLOCK
        } // CLOSE EXTENSION ALLOWED IF BLOCK
        // EXTENSION ERROR
        else {
            echo "This extension is not allowed.";
        }
    } // CLOSE IF FILE SELECTED IF BLOCK
    // NO FILE SELECTED ERROR
    else {
        echo "Please select a file to upload.";
    }
} // CLOSE IF SUBMIT IS PRESSED BLOCK
// IF FILE WAS UPLOADED SUCCESSFULLY HIDE FORM
if($success !== true) {
    echo '<form action="" method="post" enctype="multipart/form-data">';
    echo 'File: <input type="file" name="filen" /> <input type="submit" name="subform" value="Upload File!" />';
    echo '</form>';
}
?>
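The script above relies on the file name alone (its last extension and a search for the substring "php"). As an added example, not part of the original script, here is a stricter validation routine for the same form field that ignores the client-supplied name wherever it can: it checks PHP's own upload error code, reads the size from the temp file, maps each allowed extension to the MIME type the file content must actually have (checked with finfo and, for images, getimagesize), and stores the file under a random name with a whitelisted extension. Browser-executable types (html, css, svg, js) are deliberately absent from the list because a file served from your own origin that the browser interprets is a stored XSS vector. The function name store_upload, the constants and the uploads directory are hypothetical; PHP 7 or later is assumed for random_bytes and array constants.

```php
<?php
// Added example (not the original script): stricter server-side validation
// for a single uploaded file. Function and constant names are hypothetical.

// Permitted extension => MIME type the file content must actually have.
// Browser-executable (html, svg, css, js) and server-executable (php, phtml)
// types are intentionally absent.
const ALLOWED_TYPES = array(
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
);
const MAX_BYTES = 3 * 1024 * 1024; // 3 MB, same limit as the script above

/**
 * Validate $_FILES[$field] and move it into $uploadDir under a random name.
 * Returns the stored file name; throws RuntimeException with a message that
 * is safe to show to the user.
 */
function store_upload($field, $uploadDir)
{
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        throw new RuntimeException('Please select a file to upload.');
    }
    $f = $_FILES[$field];

    // 1. PHP's own error code first: a partial or oversized upload has no usable data.
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed (error code ' . (int)$f['error'] . ').');
    }
    // 2. Only accept a file that really came in through this request's upload.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('Invalid upload.');
    }
    // 3. Size from the temp file on disk, not from the client-supplied header.
    if (filesize($f['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large; the maximum is 3 MB.');
    }
    // 4. Extension: last component only, lower-cased, exact whitelist hit.
    //    "image.php.gif" ends in "gif" and passes this step, which is why
    //    steps 5 to 7 must not depend on the user-supplied name at all.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('This file type is not allowed.');
    }
    // 5. Content sniffing: the bytes must match what the extension claims.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('File content does not match its extension.');
    }
    // 6. For images, getimagesize() must parse the file and agree with finfo.
    if (strpos($mime, 'image/') === 0) {
        $info = @getimagesize($f['tmp_name']);
        if ($info === false || $info['mime'] !== $mime) {
            throw new RuntimeException('Corrupt image.');
        }
    }
    // 7. Never reuse the client's name: random name plus the whitelisted extension.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $target  = rtrim($uploadDir, '/') . '/' . $newName;
    if (!move_uploaded_file($f['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the file.');
    }
    chmod($target, 0644); // readable, never executable
    return $newName;
}

// Usage inside the POST branch of a form whose file input is named "filen".
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $stored = store_upload('filen', __DIR__ . '/uploads');
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two points of deployment belong with this: the uploads directory only needs to be writable by the web server's user (0755 owned by that user is enough; 0777 is wider than required), and the web server should be configured not to execute scripts from that directory at all, so that a validation slip can only ever produce a static file download and never code execution.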