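<?php
// (c) CertaiN, http://php.net/manual/en/features.file-upload.php
//
// Accepts one file from the multipart field "upfile", validates it by content
// rather than by what the client claims, and stores it in a per-day folder
// under a server-chosen name and extension.
header('Content-Type: text/plain; charset=utf-8');

$path_to_folder = './uploads/';
$max_file_size = 5000000; // ~ 5 MB, enforced here regardless of php.ini / MAX_FILE_SIZE

// Detected MIME type => extension of the stored file. The extension always
// comes from this table, never from the client-supplied name, so nothing can
// be written with an extension the server might execute or treat specially.
// Keyed by MIME type because the earlier extension-keyed array listed 'bmp'
// twice and PHP silently kept only the second entry, so 'image/bmp' uploads
// were rejected.
$allowed_types = [
    'image/bmp'           => 'bmp',
    'image/x-windows-bmp' => 'bmp',
    'image/jpeg'          => 'jpg',
    'application/pdf'     => 'pdf',
    'image/png'           => 'png',
];

/**
 * Reduce a client-supplied file name to a short, filesystem-safe stem.
 *
 * Keeps only the base name (directory parts behind either separator are
 * dropped), removes the last extension, maps every character outside
 * [A-Za-z0-9_-] to '_', trims leading/trailing '_'/'-' and caps the length.
 * Returns '' when nothing usable remains (e.g. '..' or '.htaccess'); the
 * caller then names the file by its content hash alone.
 *
 * @param string $original   Value of $_FILES[...]['name'] as sent by the client.
 * @param int    $max_length Upper bound on the returned stem's byte length.
 * @return string Stem safe to embed in a path, possibly empty.
 */
function upload_safe_basename(string $original, int $max_length = 64): string
{
    $name = basename(str_replace('\\', '/', $original));
    $dot = strrpos($name, '.');
    if ($dot !== false) {
        $name = substr($name, 0, $dot); // drop the client's extension; ours comes from the MIME table
    }
    // Whitelist instead of escaping: escapeshellcmd() (used previously) targets
    // the shell, not the filesystem, and left backslashes in the stored name.
    $name = preg_replace('/[^A-Za-z0-9_-]+/', '_', $name);
    if ($name === null) {
        return '';
    }
    return substr(trim($name, '_-'), 0, $max_length);
}

try {
    // Undefined | Multiple Files | $_FILES Corruption Attack
    // If this request falls under any of them, treat it invalid.
    if (
        !isset($_FILES['upfile']['error']) ||
        is_array($_FILES['upfile']['error'])
    ) {
        throw new RuntimeException('Invalid parameters.');
    }

    // Check $_FILES['upfile']['error'] value.
    switch ($_FILES['upfile']['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_NO_FILE:
            throw new RuntimeException('No file sent.');
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('Exceeded filesize limit.');
        default:
            throw new RuntimeException('Unknown errors.');
    }

    // The ini limits may be larger than this script wants to accept, so apply
    // our own bound as well.
    if ($_FILES['upfile']['size'] > $max_file_size) {
        throw new RuntimeException('Exceeded filesize limit.');
    }

    // Only accept a file that PHP itself received in this request; this keeps
    // the content check and the later move from operating on any other path.
    $tmp_name = $_FILES['upfile']['tmp_name'];
    if (!is_string($tmp_name) || !is_uploaded_file($tmp_name)) {
        throw new RuntimeException('Invalid parameters.');
    }

    // DO NOT TRUST $_FILES['upfile']['type'] — it is supplied by the client.
    // Sniff the content instead and take the stored extension from our table.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmp_name);
    if ($mime === false || !isset($allowed_types[$mime])) {
        throw new RuntimeException('Invalid file format.');
    }
    $ext = $allowed_types[$mime];

    $curr_date = date('Y.m.d');
    $target_dir = $path_to_folder . $curr_date;
    // mkdir()'s result was ignored before, so a failed mkdir only surfaced as a
    // confusing move_uploaded_file() error. 0755 instead of the default 0777;
    // the second is_dir() covers a concurrent request creating the folder.
    if (!is_dir($target_dir) && !mkdir($target_dir, 0755, true) && !is_dir($target_dir)) {
        throw new RuntimeException('Failed to create upload folder.');
    }

    // Stored name = sanitized client stem (may be empty) + "_" + 10 hex chars
    // of the content hash. The client's name is never used verbatim.
    $original_name = $_FILES['upfile']['name'];
    $just_name = is_string($original_name) ? upload_safe_basename($original_name) : '';
    $hash = sha1_file($tmp_name);
    if ($hash === false) {
        throw new RuntimeException('Failed to read uploaded file.');
    }
    $new_file_name = ($just_name === '' ? '' : $just_name . '_') . substr($hash, 0, 10);
    // $path_to_folder is passed as an argument rather than spliced into the
    // format string, so a '%' in it cannot be read as a conversion specifier.
    $path_to_file = sprintf('%s%s/%s.%s', $path_to_folder, $curr_date, $new_file_name, $ext);
    if (file_exists($path_to_file)) {
        throw new RuntimeException('File already exists.');
    }
    if (!move_uploaded_file($tmp_name, $path_to_file)) {
        throw new RuntimeException('Failed to move uploaded file.');
    }
    echo 'File is uploaded successfully.';
} catch (RuntimeException $e) {
    echo $e->getMessage();
}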