Wholesale Customer Upload Form
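<?php

declare(strict_types=1);

/*
 * Wholesale customer document upload endpoint.
 *
 * Expects a multipart POST with one file field ("file") and three form
 * fields: Customer_ID (positive int), Document_Index (positive int) and
 * optionally Customer_State / Customer_Company. On success the stored
 * path is echoed; on any validation failure an "Error: ..." line is echoed
 * instead. The response is always text/plain.
 */

header('Content-Type: text/plain; charset=utf-8');

// Largest upload accepted, in bytes (previously an inline literal).
const MAX_UPLOAD_BYTES = 1000000;

// Extension to use for each MIME type we accept. The MIME type is taken
// from the file contents via finfo, never from the client-supplied
// $_FILES['file']['type'], which is trivially spoofable.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Read a POST field that must hold a positive integer.
 *
 * A missing field, a non-string value (e.g. an array from "name[]") or a
 * value that is not a strictly positive integer is rejected. Using
 * FILTER_VALIDATE_INT instead of is_numeric() + (int) also refuses
 * float/exponent forms such as "1e3".
 *
 * @throws RuntimeException with $error when the field is invalid
 */
function requirePositiveInt(string $field, string $error): int
{
    $raw = $_POST[$field] ?? null;
    $value = is_string($raw)
        ? filter_var(trim($raw), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
        : false;
    if ($value === false) {
        throw new RuntimeException($error);
    }

    return $value;
}

/**
 * Reduce an optional free-text POST field to a filename-safe token.
 *
 * Only [A-Za-z0-9_-] survive. The hyphen is placed last in the class on
 * purpose: the earlier pattern `[^a-zA-Z0-9-_]` contained the range `9-_`,
 * which silently allowed `: ; < = > ? @ [ \ ] ^` through into the filename.
 * A missing or non-string field yields the literal 'null', matching the
 * previous behaviour.
 */
function filenameToken(string $field): string
{
    $raw = $_POST[$field] ?? null;
    if (!is_string($raw)) {
        return 'null';
    }

    return preg_replace('/[^a-zA-Z0-9_-]/', '', $raw) ?? 'null';
}

try {
    // Undefined | Multiple Files | $_FILES corruption: an absent or
    // array-valued 'error' entry means the request is not a single upload.
    if (!isset($_FILES['file']['error']) || is_array($_FILES['file']['error'])) {
        throw new RuntimeException('Error: Invalid parameters.');
    }

    // Validate the scalar form fields before touching the file so a bad
    // request fails fast. Note: `!$id > 0` in the old code parsed as
    // `(!$id) > 0` and let negative ids through.
    $customer_id = requirePositiveInt('Customer_ID', 'Error: Invalid customer id.');
    $document_index = requirePositiveInt('Document_Index', 'Error: Invalid Document_Index');

    // Map the PHP upload status to a user-facing error.
    $upload_error = match ($_FILES['file']['error']) {
        UPLOAD_ERR_OK => null,
        UPLOAD_ERR_NO_FILE => 'Error: No file sent.',
        UPLOAD_ERR_INI_SIZE, UPLOAD_ERR_FORM_SIZE => 'Error: Exceeded filesize limit.',
        default => 'Error: Unknown errors.',
    };
    if ($upload_error !== null) {
        throw new RuntimeException($upload_error);
    }

    // Enforce our own size cap independently of php.ini / MAX_FILE_SIZE.
    if ($_FILES['file']['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('Error: Exceeded filesize limit.');
    }

    // Only inspect a path that PHP itself created for this request.
    $tmp_name = $_FILES['file']['tmp_name'];
    if (!is_string($tmp_name) || !is_uploaded_file($tmp_name)) {
        throw new RuntimeException('Error: Invalid parameters.');
    }

    // Derive the extension from the detected MIME type; anything outside
    // ALLOWED_TYPES (including a finfo failure, which returns false) is rejected.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $ext = array_search($finfo->file($tmp_name), ALLOWED_TYPES, true);
    if ($ext === false) {
        throw new RuntimeException('Error: Invalid file format.');
    }

    // One directory per customer. Re-check after mkdir so a concurrent
    // request creating the same directory is not reported as a failure.
    $upload_dir = sprintf('../uploads/%d', $customer_id);
    if (!is_dir($upload_dir) && !mkdir($upload_dir, 0755, true) && !is_dir($upload_dir)) {
        throw new RuntimeException('Error: Failed to move uploaded file.');
    }

    // Never use $_FILES['file']['name'] in the stored path; every component
    // of the name below is either server-generated or reduced to [A-Za-z0-9_-].
    $state = filenameToken('Customer_State');
    $company = filenameToken('Customer_Company');
    $date = date('Y-m-d');
    $document = 'Document-' . $document_index;
    $path = sprintf('%s/%s_%s_%s_%s.%s', $upload_dir, $date, $state, $company, $document, $ext);

    if (!move_uploaded_file($tmp_name, $path)) {
        throw new RuntimeException('Error: Failed to move uploaded file.');
    }

    echo $path;
} catch (RuntimeException $e) {
    echo $e->getMessage();
}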