YA: SimpleFileUploadChecking

  1. <?php
  2. // Upload Errors ** NOTE: There is no error number 5. It was an old error, removed. **
  3. $uploadErrors = array(
  4.     1 => 'The uploaded file exceeds the Server\'s Maximum Allowable File Size',
  5.     2 => 'The uploaded file exceeds the Form\'s Maximum Allowable File Size.',
  6.     3 => 'The uploaded file was only partially uploaded, then interrupted or the connection was dropped.',
  7.     4 => 'No file was uploaded.',
  8.     6 => 'Missing a temporary folder. The server requires a temporary folder for file uploads.', // Internal Operations Error
  9.     7 => 'Failed to write file to disk.', // Internal Server Error
  10.     8 => 'A PHP extension stopped the file upload.' // PHP Extension Library stopped the upload.
  11. );
  12. $allowableFileExts = Array('pdf'); // Allowed file extensions, extensions and content-types can be spooffed. So it's not a hundred percent.
  13. // Functions
  14. function cleanString($s){
  15.     // To help protect from MySQL Injection attacks. Not 100% but better than nothing.
  16.     if(get_magic_quotes_gpc()){
  17.         return mysql_real_escape_string(stripslashes($s));
  18.     }else{
  19.         return mysql_real_escape_string($s);
  20.     }
  21. }
  22. function logDetails($title,$description,$content_type,$target){
  23.     $text = 'Time: ' . date('D M j, Y @ H:i:s [e]') . '(Server Time)' . PHP_EOL;
  24.     $text .= 'Title: ' . $title . PHP_EOL;
  25.     $text .= 'Description: ' . $description . PHP_EOL;
  26.     $text .= 'Content-Type: ' . $content_type . PHP_EOL;
  27.     $text .= 'Server Filename (target): ' . $target . PHP_EOL;
  28.     $text .= str_pad('', 60, '_') . PHP_EOL;
  29.     $fh = fopen('log_databaseInputFails.txt','a');
  30.     fwrite($fh,$text);
  31.     fclose($fh);
  32. }
  33.  
  34. // Processing
  35. if($_FILES['content_file']['error'] !== UPLOAD_ERR_OK){ // If the upload's error is not 0 or Upload Ok
  36.     die('There was an error uploading the file.<br />Error: ' . $uploadErrors[$_FILES['content_file']['error']]);
  37. }else{
  38.     $ext = pathinfo($_FILES['content_file']['name'], PATHINFO_EXTENSION) ;
  39.     if( !in_array($ext, $allowableFileExts)){
  40.         die('This file type is not permitted');
  41.     }
  42.     $conn = mysql_connect("..........") or die(mysql_error()) ;
  43.     mysql_select_db(".......") or die(mysql_error()) ;
  44.    
  45.     while(file_exists(($target = "files/" . rand() . '.' . $ext))){}; // If the file exists, then it will try another file name. Otherwise you could get files over written onto other files.
  46.    
  47.     $title = cleanString($_POST['title']);
  48.     $description = cleanString($_POST['description']);
  49.     $content_type = cleanString($_POST['content_type']);
  50.     $content_file = cleanString($_FILES['content_file']['tmp_name']);
  51.  
  52.     // You need to be storing the $target in your database as well.
  53.     // $semester ??? Should that be $description ???
  54.     $result = mysql_query("INSERT INTO `materials` VALUES ('$title', '$description', '$content_type', '$target')") ;
  55.     $moved = move_uploaded_file($content_file, $target);
  56.  
  57.     if($result && $moved){
  58.         // The Data has been Added to the Database and the upload was stored successfully.
  59.         echo "The file " . basename( $_FILES['uploadedfile']['name']) . " has been uploaded, and your information has been added to the directory";
  60.     }else if($result && !$moved){
  61.         // Data Added, but error with file.
  62.         mysql_query("DELETE FROM materials WHERE title='{$title}' LIMIT 1");
  63.         echo 'There was an error Uploading your file, please try again.';
  64.     }else if (!$result && $moved){
  65.         // The File has been uploaded successfully, but not added to the database. Log details for admin addition to the database.
  66.         logDetails($title,$description,$content_type,$target);
  67.         echo "The file " . basename( $_FILES['uploadedfile']['name']) . " has been uploaded, but has yet to be added to the database. It will be added once the Database is online.";
  68.        
  69.     } else {
  70.         echo "Sorry, there was a problem completing the uploading of your file. Please Try Again Later.";
  71.     }
  72. }
  73. ?>
  74.  
  75. The display script:
  76.  
  77. <?php
  78. mysql_connect("...........") or die(mysql_error()) ;
  79. mysql_select_db("..........") or die(mysql_error()) ;
  80.  
  81. $data = mysql_query("SELECT * FROM materials") or die(mysql_error());
  82.  
  83. while($info = mysql_fetch_array( $data )){
  84.     echo '<a href="http://www.mysite.com/files/' . $info['target'] . '">' . $info['title'] . "</a> <br>";
  85.     echo "<b>Description:</b> " . $info['description'] . " <br>";
  86.     echo "<b>Content Type:</b> " . $info['content_type'] . " <hr>";
  87. }
  88. ?>