Uzywam skryptu JQUERY: uploadify
1. Problem polega na tym, ze nie chce uploadowac plikow z nazwa: "dowolna_nazwajpg.JPG"
2. jak zabezpieczyc go przed uploadem plikow o roznych rozszerzeniach?
3. jest problem, bo nie wiadomo jak wyswietlic KOD (tzn. bledy) tego skryptu php
jakby ktos mogl rzucic okiem i poprawic, dziekowalbym
---
<?php
/* SECURITY HOLE: USER CAN UPLOAD FILES TO OTHER USER IF HE WANTS TO HACK SOMETHING; practically: low priority, nobody would engage in such action; BUT IT NEEDS TO BE FIXED */
/* DON'T UPLOADS PARTICULAR IMAGES WITH "NAMES" DIFFERENT */
include($_SERVER['DOCUMENT_ROOT'].'/libs/db/index.php'); include($_SERVER['DOCUMENT_ROOT'].'/libs/db/db.php'); if(!ctype_digit($_GET['id'])) die('!ctype_digit'); include($_SERVER['DOCUMENT_ROOT'].'/libs/url/index.php'); define('N','/'); $q = q
('SELECT t,t2 FROM `'.PRFX
.'cfg_en` WHERE id = 1'); if(n_r
($q) == 0
) die('no cfg'); $cfg = f
($q); $q = q
('SELECT * FROM `'.PRFX
.'ads` WHERE id = "'.$_GET['id'].'" LIMIT 1'); if(n_r
($q) == 0
) die(H
.'no ad'); $r = f
($q); /*include($_SERVER['DOCUMENT_ROOT'].'/libs/auth/index.php'); $u = isUlogd($cfg['t2']); if($u['id'] <> $r['u']) die(H.'u <> usr [you\'re trying to edit somebody\'s ad; no permission]');*/ $r['t_'] = _url
($r['t']);
/****
* GALERIE TWORZY mozliwa jest ona do edycji
* musi poczekac [3] KOMPRESUJE PLIK, AUTOMATYCZNIE I TWORZY MINIATURE (TZW FACEBOOK SIZE)
* 90%; stala wielkosc watermarka (ale to punkt [3] musi byc zrobiony)||||||dodaje watermark na srodku obrazka albo gdzies po boku z ID obrazka (id ogloszenia)
* 90% done, but it needs to change the thumbnail (image resized) value [2] sprawdza czy nie wystepuje juz plik o tej samej tzw. checksum; jesli wystepuje to go nie uploaduje
* 90% [zrobione] [1] tworzy folder osobny (do jednego folderu z ID wrzuca) dla kazdego dodanego zdjecia; na kazde 5 000 subfolderow jest jeden znowu podkatalog ||||| w nieskonczona petle wrzucic
* przy kasowaniu zdjec automatyczne usuwanie ich z bazy i z serwera; jak skasuje wszystkie to tez automatycznie usuwa folder
* [czeka na punkt [3]]mozliwosc tworzenia miniatury ze zdjecia (czyli inne)
* SIZE_LIMIT for all images and documents (1MB, 20MB) or maybe not do it for the photos (but up to 5mb);
*/
$range = 5000;/* UNCHANGEABLE VALUE! */ $sub_dir = ceil($r['id']/$range); $targetPath = $_SERVER['DOCUMENT_ROOT'].N
.'i'.N
.$sub_dir.N
.$r['id'].N
;
/** HERE IS SECURITY HOLE: VERIFY DO I CAN UPLOAD ANY SCRIPTS WITH .php or any other extensions not allowed anywhere in script **/
$fileTypes = str_replace('*.','',$_REQUEST['fileext']); $fileTypes = str_replace(';','|',$fileTypes); $typesArray = split('\|',$fileTypes); $fileParts = pathinfo($_FILES['Filedata']['name']);
#$q = q('SELECT id FROM `'.PRFX.'ads_files` WHERE checksum = "'.md5_file($_FILES['Filedata']['tmp_name']).'" AND id_ = "'.$r['id'].'" LIMIT 1'); if(n_r($q) == 0) {
q('INSERT INTO `'.PRFX.'ads_files` (id_,descr,th) VALUES ("'.$r['id'].'","","")'); $filename = $r['t_'].',(www.'.$cfg['t'].',ID#'.$r['id'].'),'.l_id().'.'.$fileParts['extension'];
q('UPDATE `'.PRFX.'ads_files` SET t = "'.$filename.'" WHERE id = "'.l_id().'"');
/* '.md5_file($_FILES['Filedata']['tmp_name']).' DON'T DO CHECKSUMS, IF USER WOULD FIND A DUPLICATE [doesn't check] HE WOULD DELETE IT; INSTEAD A FILENAME WOULD BE PUT, BECAUSE IT WAS BE USED TO DON'T READ ALL THE TIME FOLDERS (lower server usage) */
if(in_array($fileParts['extension'],$typesArray)) {
include($_SERVER['DOCUMENT_ROOT'].'/libs/watermark/index.php'); if($fileParts['extension'] == 'gif' OR $fileParts['extension'] == 'jpeg' OR $fileParts['extension'] = 'png' OR $fileParts['extension'] = 'jpg')
imagewatermark($targetFile,$_SERVER['DOCUMENT_ROOT'].'/libs'.N.'watermark/watermark.png',65);
switch($_FILES['Filedata']['error']) {
case 1
: die('The file is bigger than this PHP installation allows'); break; case 2
: die('The file is bigger than this form allows'); break; case 3
: die('Only part of the file was uploaded'); break; case 4
: die('No file was uploaded'); break; case 6
: die('Missing a temporary folder'); break; case 7
: die('Failed to write file to disk'); break; case 8
: die('File upload stopped by extension'); break; default: die('unknown error '.$_FILES['Filedata']['error']); } else die(H
.'Invalid file type'); #}
}
?>
pozmienialem pare rzeczy zarowno w kodzie .html (na slepo) jak i w kodzie php i dziala
<?php
/* SECURITY HOLE: USER CAN UPLOAD FILES TO OTHER USER IF HE WANTS TO HACK SOMETHING; practically: low priority, nobody would engage in such action; BUT IT NEEDS TO BE FIXED */
/* DON'T UPLOADS PARTICULAR IMAGES WITH "NAMES" DIFFERENT */
include($_SERVER['DOCUMENT_ROOT'].'/libs/db/index.php'); include($_SERVER['DOCUMENT_ROOT'].'/libs/db/db.php'); if(!ctype_digit($_GET['id'])) die('!ctype_digit'); include($_SERVER['DOCUMENT_ROOT'].'/libs/url/index.php'); define('N','/'); $q = q
('SELECT t,t2 FROM `'.PRFX
.'cfg_en` WHERE id = 1'); if(n_r
($q) == 0
) die('no cfg'); $cfg = f
($q); $q = q
('SELECT * FROM `'.PRFX
.'ads` WHERE id = "'.$_GET['id'].'" LIMIT 1'); if(n_r
($q) == 0
) die(H
.'no ad'); $r = f
($q); /*include($_SERVER['DOCUMENT_ROOT'].'/libs/auth/index.php'); $u = isUlogd($cfg['t2']); if($u['id'] <> $r['u']) die(H.'u <> usr [you\'re trying to edit somebody\'s ad; no permission]');*/ $r['t_'] = _url
($r['t']);
/****
* GALERIE TWORZY mozliwa jest ona do edycji
* musi poczekac [3] KOMPRESUJE PLIK, AUTOMATYCZNIE I TWORZY MINIATURE (TZW FACEBOOK SIZE)
* 90%; stala wielkosc watermarka (ale to punkt [3] musi byc zrobiony)||||||dodaje watermark na srodku obrazka albo gdzies po boku z ID obrazka (id ogloszenia)
* 90% done, but it needs to change the thumbnail (image resized) value [2] sprawdza czy nie wystepuje juz plik o tej samej tzw. checksum; jesli wystepuje to go nie uploaduje
* 90% [zrobione] [1] tworzy folder osobny (do jednego folderu z ID wrzuca) dla kazdego dodanego zdjecia; na kazde 5 000 subfolderow jest jeden znowu podkatalog ||||| w nieskonczona petle wrzucic
* przy kasowaniu zdjec automatyczne usuwanie ich z bazy i z serwera; jak skasuje wszystkie to tez automatycznie usuwa folder
* [czeka na punkt [3]]mozliwosc tworzenia miniatury ze zdjecia (czyli inne)
* SIZE_LIMIT for all images and documents (1MB, 20MB) or maybe not do it for the photos (but up to 5mb);
*/
$range = 5000;/* UNCHANGEABLE VALUE! */ $sub_dir = ceil($r['id']/$range); $targetPath = $_SERVER['DOCUMENT_ROOT'].N
.'i'.N
.$sub_dir.N
.$r['id'].N
;
/** HERE IS SECURITY HOLE: VERIFY DO I CAN UPLOAD ANY SCRIPTS WITH .php or any other extensions not allowed anywhere in script **/
#$q = q('SELECT id FROM `'.PRFX.'ads_files` WHERE checksum = "'.md5_file($_FILES['Filedata']['tmp_name']).'" AND id_ = "'.$r['id'].'" LIMIT 1'); if(n_r($q) == 0) {
q('INSERT INTO `'.PRFX.'ads_files` (id_,descr,th) VALUES ("'.$r['id'].'","","")'); $filename = $r['t_'].',(www.'.$cfg['t'].',ID#'.$r['id'].'),'.l_id().'.'.$fileParts['extension'];
q('UPDATE `'.PRFX.'ads_files` SET t = "'.$filename.'" WHERE id = "'.l_id().'"');
/* '.md5_file($_FILES['Filedata']['tmp_name']).' DON'T DO CHECKSUMS, IF USER WOULD FIND A DUPLICATE [doesn't check] HE WOULD DELETE IT; INSTEAD A FILENAME WOULD BE PUT, BECAUSE IT WAS BE USED TO DON'T READ ALL THE TIME FOLDERS (lower server usage) */
if(in_array($fileParts['extension'],$typesArray)) {
include($_SERVER['DOCUMENT_ROOT'].'/libs/watermark/index.php'); if($fileParts['extension'] == 'gif' OR $fileParts['extension'] == 'jpeg' OR $fileParts['extension'] = 'png' OR $fileParts['extension'] = 'jpg')
imagewatermark($targetFile,$_SERVER['DOCUMENT_ROOT'].'/libs'.N.'watermark/watermark.png',65);
switch($_FILES['Filedata']['error']) {
case 1
: die('The file is bigger than this PHP installation allows'); break; case 2
: die('The file is bigger than this form allows'); break; case 3
: die('Only part of the file was uploaded'); break; case 4
: die('No file was uploaded'); break; case 6
: die('Missing a temporary folder'); break; case 7
: die('Failed to write file to disk'); break; case 8
: die('File upload stopped by extension'); break; default: die('unknown error '.$_FILES['Filedata']['error']); } else die(H
.'Invalid file type'); #}
}
?>
uploadify skrypt (upload)
4.04.2011, 05:46:22
