
I am making basic photo hosting, just to upload images and resize them.

Everything works fine, and I have also added accept="image/*" to my file upload button, but it is still possible to upload other files. So in my PHP code I check whether the file is an image or something else, and if it is not an image I simply remove it. But I have a problem. If a user uploads a file named "index.php", my index file on the server is overwritten, and then my code does what it should and removes "index.php" — basically self-destruction.

Is there a way to restrict the file upload before the file is actually written to the server?

Or at least, is there a way to change the root directory that an uploaded file is placed in?

I don't think a JavaScript or HTML restriction will do anything, because "hackermans" can easily change it in Inspect Element.

  • If you handle file uploads correctly they will be placed in a temporary directory. Your index.php file won't get overwritten. Commented Nov 17, 2016 at 16:09
  • possible duplicate of stackoverflow.com/questions/9153224/… or stackoverflow.com/questions/7322137/… Commented Nov 17, 2016 at 16:10
  • ...and then store the uploaded files in their own folder, like /uploads/. Commented Nov 17, 2016 at 16:10
  • Look at me, Googled that title of yours and found this. Why were you unable to find this? Commented Nov 17, 2016 at 16:11


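/**
 * Minimal file-upload helper: validates one entry of $_FILES and moves it into a
 * configured directory.
 *
 * Validation performed here is by file extension only (plus size and PHP's own
 * upload error code). An extension whitelist says nothing about the file's
 * content, so for an image host the caller should still verify the stored file
 * (e.g. getimagesize()) and the upload directory should be served as static
 * files with script execution disabled.
 *
 * Usage: setDir() -> setExtensions()/allowAllFormats() -> setMaxSize() ->
 * optional sameName()/setSequence() -> uploadFile('<form field name>').
 * On failure uploadFile() returns false and getMessage() explains why.
 */
class Upload {

    /** Upload directory; setDir() normalises it to end with '/' so path . name joins cleanly. */
    private $destinationPath = '';
    /** Last error text set by uploadFile(); null until something fails. */
    private $errorMessage;
    /** Lower-case extensions accepted when $allowAll is false. */
    private $extensions = [];
    /** When true the extension whitelist is bypassed entirely. */
    private $allowAll = false;
    /**
     * Maximum size in bytes. setMaxSize() must be called: with the default of 0
     * every non-empty upload is rejected as "Too large file !" (the same outcome the
     * previous uninitialised property produced, but now explicit).
     */
    private $maxSize = 0;
    /** Name the last accepted file was stored under; null before a successful upload. */
    private $uploadName;
    /** Prefix placed in front of generated file names (see setSequence()). */
    private $imageSeq = '';
    /**
     * Both flags used to be created on the fly (dynamic properties, deprecated in PHP 8.2).
     * $sameName selects "keep the client's file name"; $sameFileName is set by
     * setSameFileName() but never read anywhere in this class.
     */
    private $sameName = false;
    private $sameFileName = false;
    public $name = 'Uploader';
    public $useTable = false;

    /**
     * Set the directory uploads are written to and reset the allow-all flag.
     * A trailing separator is appended so the later path . name concatenation
     * can never glue the name onto the last directory component.
     *
     * @param string $path directory path; an empty string stays empty so it still fails is_dir()
     */
    public function setDir($path) {
        $path = (string) $path;
        $this->destinationPath = $path === '' ? '' : rtrim($path, "/\\") . '/';
        $this->allowAll = false;
    }

    /** Accept any extension (disables the whitelist set by setExtensions()). */
    public function allowAllFormats() {
        $this->allowAll = true;
    }

    /**
     * Set the maximum accepted file size.
     *
     * @param float|int $sizeMB limit in megabytes (1 MB = 1024 * 1024 bytes)
     */
    public function setMaxSize($sizeMB) {
        $this->maxSize = (int) ($sizeMB * (1024 * 1024));
    }

    /**
     * Set the extension whitelist. Entries are lower-cased so 'JPG' and 'jpg' are equivalent.
     *
     * @param array $options list of extensions without the leading dot
     */
    public function setExtensions($options) {
        $normalised = [];
        foreach ((array) $options as $ext) {
            $normalised[] = strtolower((string) $ext);
        }
        $this->extensions = $normalised;
    }

    /** Keep the client-supplied file name (same effect as sameName(true)). */
    public function setSameFileName() {
        $this->sameFileName = true;
        $this->sameName = true;
    }

    /**
     * Return the lower-cased extension of a file name, '' if there is none.
     * pathinfo() yields '' for a name without a dot, where the old explode()
     * version returned the whole name as the "extension".
     *
     * @param string $string file name
     * @return string
     */
    public function getExtension($string) {
        return strtolower(pathinfo((string) $string, PATHINFO_EXTENSION));
    }

    /** @param string $message human-readable failure reason */
    public function setMessage($message) {
        $this->errorMessage = $message;
    }

    /** @return string|null last failure reason, null if nothing has failed yet */
    public function getMessage() {
        return $this->errorMessage;
    }

    /** @return string|null stored file name of the last successful upload */
    public function getUploadName() {
        return $this->uploadName;
    }

    /** @param string|int $seq prefix for generated file names */
    public function setSequence($seq) {
        $this->imageSeq = $seq;
    }

    /**
     * Build a random, digit-only suffix used to make generated names unique.
     * random_int() replaces rand() so the name is not predictable from the clock.
     *
     * @return string
     */
    public function getRandom() {
        return time() . random_int(1000, 9999) . random_int(10, 99) . random_int(100, 999);
    }

    /**
     * Choose whether to keep the client's file name (true) or generate one (false).
     * Keeping client names means two uploads with the same name overwrite each other.
     *
     * @param bool $true
     */
    public function sameName($true) {
        $this->sameName = (bool) $true;
    }

    /**
     * Validate and store the upload found under $_FILES[$fileBrowse].
     *
     * Checks, in order: destination is a writable directory, a file was sent,
     * PHP reported no upload error, size is within setMaxSize(), extension is
     * allowed. Only then is the temporary file moved into place.
     *
     * @param string $fileBrowse name of the file input field
     * @return bool true on success; on false see getMessage()
     */
    public function uploadFile($fileBrowse) {
        $result = false;
        $file = (isset($_FILES[$fileBrowse]) && is_array($_FILES[$fileBrowse])) ? $_FILES[$fileBrowse] : [];
        $size = (int) ($file['size'] ?? 0);
        // basename() drops any directory component of the client-supplied name
        // before it can be joined onto the destination path.
        $name = basename((string) ($file['name'] ?? ''));
        $tmpName = (string) ($file['tmp_name'] ?? '');
        $errorCode = (int) ($file['error'] ?? UPLOAD_ERR_NO_FILE);
        $ext = $this->getExtension($name);

        if (!is_dir($this->destinationPath)) {
            $this->setMessage("Destination folder is not a directory ");
        } elseif (!is_writable($this->destinationPath)) {
            $this->setMessage("Destination is not writable !");
        } elseif ($name === '' || $errorCode === UPLOAD_ERR_NO_FILE) {
            $this->setMessage("File not selected ");
        } elseif ($errorCode === UPLOAD_ERR_INI_SIZE || $errorCode === UPLOAD_ERR_FORM_SIZE) {
            // PHP already rejected the body as too large; size would read 0 here.
            $this->setMessage("Too large file !");
        } elseif ($errorCode !== UPLOAD_ERR_OK) {
            $this->setMessage("Upload failed , try later !");
        } elseif ($size > $this->maxSize) {
            $this->setMessage("Too large file !");
        } elseif (!$this->isAllowedExtension($ext)) {
            $this->setMessage("Invalid file format !");
        } else {
            $this->uploadName = $this->sameName ? $name : $this->buildGeneratedName($ext);
            $target = $this->destinationPath . $this->uploadName;
            // move_uploaded_file() only succeeds for a file PHP received in this request,
            // so an arbitrary tmp_name value cannot be used to move other files.
            if (move_uploaded_file($tmpName, $target)) {
                $result = true;
            } else {
                $this->setMessage("Upload failed , try later !");
            }
        }
        return $result;
    }

    /** Remove the file stored by the last successful uploadFile(), if any. */
    public function deleteUploaded() {
        if ($this->uploadName === null || $this->uploadName === '') {
            return;
        }
        $target = $this->destinationPath . $this->uploadName;
        if (is_file($target)) {
            unlink($target);
        }
    }

    /**
     * Whitelist check; strict comparison so only exact lower-case matches pass.
     *
     * @param string $ext lower-cased extension
     * @return bool
     */
    private function isAllowedExtension($ext) {
        if ($this->allowAll) {
            return true;
        }
        return in_array($ext, $this->extensions, true);
    }

    /**
     * Build a server-chosen file name: <sequence>-<8 hex chars><random digits>.<ext>.
     *
     * @param string $ext lower-cased extension
     * @return string
     */
    private function buildGeneratedName($ext) {
        return $this->imageSeq . "-" . bin2hex(random_bytes(4)) . $this->getRandom() . "." . $ext;
    }

}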

How to use it:

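/**
 * Example request handler: store one uploaded image and report the result as JSON.
 *
 * Reads the 'file' field of the current multipart request, writes the file into
 * $directory and echoes {"success":bool,"message":string,"image":string,...}.
 * Intended to be called once per upload request (see the call below).
 */
function callMe(){
    $uploader = new Upload();
    // Keep uploads in their own directory and end the path with a separator so
    // $directory . $image below is a valid path (the original "NAMEDIR" produced "NAMEDIRfile.jpg").
    $directory = "NAMEDIR/";
    if (!is_dir($directory)) {
        // explicit mode instead of the 0777 default
        mkdir($directory, 0755, true);
    }
    $uploader->setDir($directory);
    $uploader->setExtensions(array('jpg', 'jpeg', 'png', 'gif'));  //allowed extensions list//
    $uploader->setMaxSize(.5);                          //set max file size to be allowed in MB//
    // false = let the uploader generate a unique name; with true a client-chosen name
    // would overwrite an existing file of the same name in $directory.
    $uploader->sameName(false);
    if ($uploader->uploadFile('file')) {   //'file' is the filebrowse element name //
        $image = $uploader->getUploadName(); //get uploaded file name, renames on upload//

        echo json_encode(array("success"=>true,"message"=>"Success Add","image"=>$directory.$image,"image_upload"=>$image));

    } else {//upload failed
        echo json_encode(array("success"=>false,"message"=>$uploader->getMessage(),"image"=>""));
    }
}
callMe();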