- I don't recommend handling files by their extension. It can be camouflaged easily. Also, `$_FILES['UserPic']['type']` isn't dependable.
- Before PHP version 5.4.1, there are serious security holes concerning `$_FILES`:
  - Directory Traversal Attack
  - `$_FILES` Collapse Attack

You should do it like this:

```php
<?php
// Configure
$upload_key     = 'UserPic';
$max_filesize   = 2097152; // Bytes
$save_directory = '/home5/username/public_html/Project/Users/Images';

if (version_compare(PHP_VERSION, '5.4.1') < 0) {
    die('This PHP Version has serious security hole concerning $_FILES.');
}

if (isset($_FILES[$upload_key])) {
    try {
        $error = $_FILES[$upload_key]['error'];
        // An array here means the field was submitted as name="UserPic[]"
        if (is_array($error)) {
            throw new Exception('This script can\'t accept multiple files');
        }
        switch ($error) {
            case UPLOAD_ERR_INI_SIZE:
                throw new Exception('Exceeded upload_max_filesize');
            case UPLOAD_ERR_FORM_SIZE:
                throw new Exception('Exceeded MAX_FILE_SIZE');
            case UPLOAD_ERR_PARTIAL:
                throw new Exception('Incomplete file uploaded');
            case UPLOAD_ERR_NO_FILE:
                throw new Exception('No file uploaded');
            case UPLOAD_ERR_NO_TMP_DIR:
                throw new Exception('No tmp directory');
            case UPLOAD_ERR_CANT_WRITE:
                throw new Exception('Couldn\'t write data');
            case UPLOAD_ERR_EXTENSION:
                throw new Exception('Extension error');
        }
        $name     = $_FILES[$upload_key]['name'];
        $tmp_name = $_FILES[$upload_key]['tmp_name'];
        $size     = $_FILES[$upload_key]['size'];
        if ($name === '') {
            throw new Exception('Invalid filename');
        }
        if ($size > $max_filesize) {
            throw new Exception(sprintf('Exceeded %d bytes limit', $max_filesize));
        }
        // Only accept files PHP itself received via HTTP upload
        if (!is_uploaded_file($tmp_name)) {
            throw new Exception('Not an uploaded file');
        }
        // Detect the type from the file contents (libmagic), not from the
        // client-supplied filename or $_FILES[...]['type']
        $finfo = new finfo(FILEINFO_MIME);
        $type  = $finfo->file($tmp_name);
        if ($type === false) {
            throw new Exception('Failed to get MimeType');
        }
        // FILEINFO_MIME yields e.g. "image/jpeg; charset=binary", so test the prefix
        if (strpos($type, 'image/jpeg') !== 0) {
            throw new Exception('Only JPEG images available');
        }
        if (!isset($_REQUEST['email']) || !is_string($email = $_REQUEST['email']) || $email === '') {
            throw new Exception('E-mail address required');
        }
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            throw new Exception('Invalid E-mail address');
        }
        $new_name = $save_directory.'/'.$email.'.jpg';
        if (is_file($new_name)) {
            throw new Exception('The file already exists');
        }
        if (!@move_uploaded_file($tmp_name, $new_name)) {
            throw new Exception('Failed to move uploaded file');
        }
        $msg = "File successfully uploaded as {$new_name}";
    } catch (Exception $e) {
        $msg = 'Error: '.$e->getMessage();
    }
} else {
    $msg = 'No file sent';
}
echo json_encode($msg);
```
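An added example (not code from the answer above, and not from any project it mentions) that carries the same idea further: the upload is validated by its content twice (libmagic signature, then the image decoder), re-encoded through GD so only pixel data reaches disk, and stored under a server-generated name so no user input becomes part of a filesystem path. It assumes PHP 7+ with the `fileinfo` and GD (JPEG-enabled) extensions, a form field named `UserPic`, and a destination directory `/var/app/uploads` that sits outside the web root or has script execution disabled; the pixel limit `MAX_PIXELS` is an arbitrary choice.

```php
<?php
// Added example (not code from the original answer): validate an upload by
// its content, then store it under a server-chosen name. Assumptions: PHP 7+
// with the fileinfo and GD (JPEG-enabled) extensions; $dir is a directory
// outside the web root, or one where script execution is disabled.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2097152;   // 2 MiB, as in the answer above
const MAX_PIXELS       = 25000000;  // arbitrary bound; refuse decompression bombs before decoding

/** Map the $_FILES error code to an exception; multi-file arrays are rejected. */
function assert_upload_ok($error): void
{
    if (is_array($error)) {
        throw new RuntimeException('Only a single file is accepted');
    }
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $error);
    }
}

/**
 * Check that $file (one entry of $_FILES) is a real PHP upload that parses
 * as a JPEG. Neither the client filename nor $file['type'] is consulted.
 */
function validate_jpeg_upload(array $file, int $maxBytes = MAX_UPLOAD_BYTES): void
{
    assert_upload_ok($file['error']);

    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File exceeds ' . $maxBytes . ' bytes');
    }
    // Refuse anything that did not arrive via HTTP upload (e.g. a forged path).
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // 1. libmagic inspects the leading bytes (FF D8 FF for JPEG), so a
    //    script renamed to "pic.jpg" is caught here regardless of extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'image/jpeg') {
        throw new RuntimeException('Only JPEG images are accepted, got ' . var_export($mime, true));
    }
    // 2. The image decoder must agree, and the dimensions must be sane.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('File is not a parseable JPEG');
    }
    if ($info[0] * $info[1] > MAX_PIXELS) {
        throw new RuntimeException('Image dimensions too large');
    }
}

/**
 * Re-encode the validated JPEG through GD and write it under a random name.
 * imagejpeg() writes a fresh file from pixel data only, so metadata or bytes
 * appended after the image in the upload are not written to disk.
 * Returns the stored filename.
 */
function store_jpeg_upload(array $file, string $dir): string
{
    validate_jpeg_upload($file);

    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('Failed to decode JPEG');
    }
    // Server-chosen name: no user input reaches the filesystem path.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $dest = rtrim($dir, '/') . '/' . $name;
    if (file_exists($dest) || !imagejpeg($img, $dest, 90)) {
        imagedestroy($img);
        throw new RuntimeException('Failed to write image');
    }
    imagedestroy($img);
    return $name;
}

// Usage (form field assumed to be named "UserPic"; directory is an assumption).
if (isset($_FILES['UserPic'])) {
    try {
        $stored = store_jpeg_upload($_FILES['UserPic'], '/var/app/uploads');
        echo json_encode(['ok' => true, 'file' => $stored]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
    }
}
```

If you need to associate the stored file with the user's e-mail address, keep that mapping in a database keyed by the random filename rather than deriving the path from the address; the address has then been validated for syntax only, not for safety as a path component.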