Allowing users to upload images


This topic contains 3 replies, has 2 voices, and was last updated by  endrohat 1 year, 1 month ago.

  • #14031

    Anonymous

    It’s been a while since I tried to add this functionality into a script – can someone give me a quick tip list of things to do and/or not to do?

    Or of course, point me to an already-existing source that explains it!

    Thanks :)

    #15101

    endrohat
    Participant

    http://www.reconn.us/content/view/30/51/

    You can use the timthumb library to create thumbnails, but use the latest patched one. The previous one had a vulnerability.

    #15102

    Anonymous

    That link gives me an error. Anyway, I don’t want to create thumbnails but want to allow user uploads securely.

    #15103

    endrohat
    Participant

    Well, if the link gives you an error, I'll copy-paste it here:

    <?php
    // Define a maximum size for the uploaded images, in KB.
    define("MAX_SIZE", 100);

    // This function reads the extension of the file. It is used to determine
    // if the file is an image by checking the extension.
    function getExtension($str) {
        $i = strrpos($str, ".");
        if (!$i) { return ""; }
        $l = strlen($str) - $i;
        $ext = substr($str, $i + 1, $l);
        return $ext;
    }

    // This variable is used as a flag. The value is initialized with 0
    // (meaning no error found) and it will be changed to 1 if an error occurs.
    // If an error occurs the file will not be uploaded.
    $errors = 0;

    // Checks if the form has been submitted ("Submit" is the name of the
    // submit button in the form below).
    if (isset($_POST['Submit']))
    {
        // Reads the name of the file the user submitted for uploading
        // ("image" is the name of the file input in the form below).
        $image = $_FILES['image']['name'];
        // If it is not empty
        if ($image)
        {
            // Get the original name of the file from the client's machine.
            $filename = stripslashes($_FILES['image']['name']);
            // Get the extension of the file in lower case.
            $extension = getExtension($filename);
            $extension = strtolower($extension);
            // If it is not a known extension, we will suppose it is an error
            // and will not upload the file; otherwise we will do more tests.
            if (($extension != "jpg") && ($extension != "jpeg") &&
                ($extension != "png") && ($extension != "gif"))
            {
                // Print error message.
                echo '<h1>Unknown extension!</h1>';
                $errors = 1;
            }
            else
            {
                // Get the size of the image in bytes.
                // $_FILES['image']['tmp_name'] is the temporary filename of the
                // file in which the uploaded file was stored on the server.
                $size = filesize($_FILES['image']['tmp_name']);
                // Compare the size with the maximum size we defined and print
                // an error if it is bigger.
                if ($size > MAX_SIZE * 1024)
                {
                    echo '<h1>You have exceeded the size limit!</h1>';
                    $errors = 1;
                }
                // Only store the file if no error was found above.
                if (!$errors)
                {
                    // We will give a unique name, for example the time in
                    // Unix time format.
                    $image_name = time() . '.' . $extension;
                    // The new name contains the full path where the file
                    // will be stored (images folder).
                    $newname = "images/" . $image_name;
                    // move_uploaded_file() is used instead of copy(): it only
                    // accepts files that PHP received through an HTTP upload.
                    // We verify the file has been stored, and print an error
                    // otherwise.
                    $copied = move_uploaded_file($_FILES['image']['tmp_name'], $newname);
                    if (!$copied)
                    {
                        echo '<h1>Copy unsuccessful!</h1>';
                        $errors = 1;
                    }
                }
            }
        }
    }

    // If no errors were registered, print the success message.
    if (isset($_POST['Submit']) && !$errors)
    {
        echo "<h1>File Uploaded Successfully! Try again!</h1>";
    }
    ?>

    <!-- Next comes the form; you must set the enctype to "multipart/form-data"
         and use an input type "file". -->
    <form name="newad" method="post" enctype="multipart/form-data" action="">
    <table>
    <tr><td><input type="file" name="image"></td></tr>
    <tr><td><input name="Submit" type="submit" value="Upload image"></td></tr>
    </table>
    </form>
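
The script posted above decides whether a file is an image from the extension in the client-supplied filename alone. The following added example (not part of the posts above or of the linked tutorial) derives the type from the file contents and picks the stored name and extension on the server. It assumes PHP 7+ with the fileinfo extension and the same form field name `image`; `store_uploaded_image`, `MAX_BYTES`, `UPLOAD_DIR` and `ALLOWED` are hypothetical names.

```php
<?php
// Added example, not the code posted in the thread.
// Assumptions: PHP 7+, the fileinfo extension, a form field named "image",
// and a hypothetical UPLOAD_DIR that the web server will not execute from.
const MAX_BYTES  = 100 * 1024;            // same 100 KB limit as the posted script
const UPLOAD_DIR = __DIR__ . '/images';   // hypothetical path
// The stored extension comes from the detected type, never from the client name.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_uploaded_image(array $file): string
{
    // Reject multi-file arrays and anything PHP flagged as a failed upload.
    if (!isset($file['error'], $file['tmp_name']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or was malformed.');
    }
    // Measure the temp file on disk.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('File is empty or exceeds the size limit.');
    }
    // Identify the type from the file contents, then check the image header parses.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a JPEG, PNG or GIF image.');
    }
    // Random server-side name: time() alone is guessable and can collide.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() only accepts files received through an HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['image'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(store_uploaded_image($_FILES['image']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```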
