Wholesale Customer Upload Form
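<?php
// Wholesale customer document upload handler.
//
// Expects a multipart POST with:
//   file             - the uploaded document (jpg/jpeg/png/gif/pdf, at most 1,000,000 bytes)
//   Customer_ID      - positive integer; selects the per-customer upload directory
//   Document_Index   - positive integer; becomes the "Document-N" part of the stored name
//   Customer_State   - optional; sanitised and embedded in the stored name
//   Customer_Company - optional; sanitised and embedded in the stored name
//
// On success the stored path is echoed as plain text; on any failure a single
// line starting with "Error:" is echoed instead (the HTTP status is not changed).
header('Content-Type: text/plain; charset=utf-8');

try {
    // Undefined | Multiple Files | $_FILES Corruption Attack
    // If this request falls under any of them, treat it invalid.
    // The previous var_dump() of the error slot is gone: it wrote debugging
    // output into the response body ahead of the error message.
    if (
        !isset($_FILES['file']['error']) ||
        is_array($_FILES['file']['error'])
    ) {
        throw new RuntimeException('Error: Invalid parameters.');
    }

    // Read the POST fields through isset() so a missing or non-string field
    // cannot raise an "undefined index" notice; the real validation is below.
    $raw_customer_id = (isset($_POST['Customer_ID']) && is_string($_POST['Customer_ID']))
        ? $_POST['Customer_ID'] : '';
    $raw_document_index = (isset($_POST['Document_Index']) && is_string($_POST['Document_Index']))
        ? $_POST['Document_Index'] : '';

    if (!is_numeric($raw_customer_id)) {
        throw new RuntimeException('Error: Invalid customer id.');
    }

    // Check $_FILES['file']['error'] value.
    switch ($_FILES['file']['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_NO_FILE:
            throw new RuntimeException('Error: No file sent.');
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('Error: Exceeded filesize limit.');
        default:
            throw new RuntimeException('Error: Unknown errors.');
    }

    // Enforce our own size ceiling independently of php.ini / MAX_FILE_SIZE.
    if ($_FILES['file']['size'] > 1000000) {
        throw new RuntimeException('Error: Exceeded filesize limit.');
    }

    // DO NOT TRUST $_FILES['file']['type'] VALUE !!
    // Sniff the MIME type from the file contents and map it to an extension
    // from a fixed allow-list. The extension written to disk only ever comes
    // from this table, never from the client-supplied file name.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
        'pdf'  => 'application/pdf',
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($_FILES['file']['tmp_name']);
    // finfo::file() returns false when it cannot read the file; treat that as
    // an unknown format rather than searching the table for `false`.
    $ext = ($mime === false) ? false : array_search($mime, $allowed, true);
    if ($ext === false) {
        throw new RuntimeException('Error: Invalid file format.');
    }

    // The original test was "!$customer_id > 0", which parses as
    // "(!$customer_id) > 0" and therefore rejected only 0; negative ids slipped
    // through. The same applied to Document_Index.
    $customer_id = (int) trim($raw_customer_id);
    if ($customer_id <= 0) {
        throw new RuntimeException('Error: Invalid customer id.');
    }
    $document_index = (int) trim($raw_document_index);
    if ($document_index <= 0) {
        throw new RuntimeException('Error: Invalid Document_Index');
    }

    // Per-customer directory. The %d conversion guarantees that only digits
    // from the validated id end up in the path.
    $upload_dir = sprintf('../uploads/%d', $customer_id);
    if (!is_dir($upload_dir)) {
        // mkdir() is now checked; the second is_dir() covers a concurrent
        // request that created the directory between the two calls.
        if (!mkdir($upload_dir, 0755, true) && !is_dir($upload_dir)) {
            throw new RuntimeException('Error: Failed to create upload directory.');
        }
    }

    // You should name it uniquely.
    // DO NOT USE $_FILES['file']['name'] WITHOUT ANY VALIDATION !!
    // The stored name is built only from validated or sanitised values:
    //   <date>_<state>_<company>_Document-<index>.<ext>
    // Note that a second upload for the same customer, day and index overwrites
    // the first; that matches the previous behaviour.
    $state = (isset($_POST['Customer_State']) && is_string($_POST['Customer_State']))
        ? $_POST['Customer_State'] : 'null';
    $company = (isset($_POST['Customer_Company']) && is_string($_POST['Customer_Company']))
        ? $_POST['Customer_Company'] : 'null';
    // Strip everything except [A-Za-z0-9_-]. In this class the trailing "-_"
    // is a literal hyphen and underscore (a hyphen right after a range is
    // literal in PCRE), so no dot, slash or separator from the form survives.
    $pattern = '/[^a-zA-Z0-9-_]/';
    $state = preg_replace($pattern, '', $state);
    $company = preg_replace($pattern, '', $company);

    $date = date('Y-m-d');
    // The State/Federal labels the original computed here were immediately
    // overwritten, so the stored name has always used "Document-N". The
    // "FALSE && $validDocumentIndex" and sha1_file() fallback branches were
    // unreachable once Document_Index is required to be positive and are gone.
    $document = 'Document-' . $document_index;
    $path = sprintf('%s/%s_%s_%s_%s.%s', $upload_dir, $date, $state, $company, $document, $ext);

    // move_uploaded_file() additionally refuses sources that are not this
    // request's own upload, so tmp_name cannot be pointed at another file.
    if (!move_uploaded_file($_FILES['file']['tmp_name'], $path)) {
        throw new RuntimeException('Error: Failed to move uploaded file.');
    }
    echo $path;
} catch (RuntimeException $e) {
    echo $e->getMessage();
}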