
Last change on this file since 4423 was 4325, checked in by nikrou, 14 years ago

Feature 1244 resolved
Replace all mysql functions in core code with ones independent of the database engine

Fix a small PHP syntax issue: hash elements must be accessed with [ ] and not { }.

1<?php
2// +-----------------------------------------------------------------------+
3// | Piwigo - a PHP based picture gallery                                  |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008-2009 Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
23
define('PHPWG_ROOT_PATH','./');

// +-----------------------------------------------------------------------+
// | Includes                                                              |
// +-----------------------------------------------------------------------+
include_once(PHPWG_ROOT_PATH.'include/common.inc.php');

// +-----------------------------------------------------------------------+
// | Check Access and exit when user status is not ok                      |
// +-----------------------------------------------------------------------+
// Gate on the configured minimum user status for uploading; everything
// below assumes this check has already ended the request for anyone else.
check_status($conf['upload_user_access']);

// Form field defaults: a posted value wins, otherwise a logged-in
// ("classic") user's account data is used, otherwise the field is empty.
// These are raw request values; they are echoed back into the form via the
// template further down.
// NOTE(review): a logged-in user can post any username / mail_address, so
// the identity recorded with an upload is whatever the form said rather than
// the session's account — confirm that is intended.
$username = !empty($_POST['username']) ? $_POST['username']:(is_classic_user() ? $user['username'] : '');
$mail_address = !empty($_POST['mail_address']) ? $_POST['mail_address'] : (is_classic_user() ? $user['email'] : '');
$name = !empty($_POST['name']) ? $_POST['name'] : '';
$author = !empty($_POST['author']) ? $_POST['author'] : (is_classic_user() ? $user['username'] : '');
$date_creation = !empty($_POST['date_creation']) ? $_POST['date_creation'] : '';
$comment = !empty($_POST['comment']) ? $_POST['comment'] : '';
42
43//------------------------------------------------------------------- functions
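// The validate_upload function checks if the picture posted as
// $_FILES['picture'] is acceptable and, if so, stores it at $temp_name.
// A picture is valid when :
//     - the upload completed (PHP reported no upload error)
//     - its file extension is one of $conf['picture_ext']
//     - its size in bytes is at most $my_max_file_size KB
//     - width and height are not higher than the given maxima (a maximum
//       of "" or null means "no limit")
//     - its content is recognised by getimagesize() as GIF, JPEG or PNG
// The function returns an array containing :
//     - $result['type'] contains the type of the image ('jpg', 'gif' or
//       'png'); only set once the content has been recognised
//     - $result['error'] contains an array with the different errors
//       found with the picture
// On success the file is left at $temp_name with mode 0644. On failure a
// file that THIS call wrote there is removed again; a file that already
// existed at $temp_name before the call is never deleted by a failed
// validation (the previous version unlinked $temp_name on any error, even
// when the upload had not been moved yet, which could delete an existing
// thumbnail when a replacement was rejected for its size).
// NOTE(review): the upload is written to its final location before its
// content is inspected, and getimagesize() only proves that the header
// parses as an image; the web server must therefore not execute anything
// under the gallery directories — confirm the deployment guarantees this.
function validate_upload( $temp_name, $my_max_file_size,
                          $image_max_width, $image_max_height )
{
  global $conf, $lang, $page, $mail_address;

  $result = array();
  $result['error'] = array();
  $moved = false; // set once the upload has been written to $temp_name

  if ( !isset( $_FILES['picture'] ) or !is_array( $_FILES['picture'] )
       or !isset( $_FILES['picture']['name'] ) )
  {
    // do we even have a file? (checked before anything reads the file
    // name, which the previous version did first)
    array_push( $result['error'], "You did not upload anything!" );
  }
  else if ( isset( $_FILES['picture']['error'] )
            and $_FILES['picture']['error'] != UPLOAD_ERR_OK )
  {
    // partial or failed upload as reported by PHP: size and tmp_name are
    // not meaningful in that case
    array_push( $result['error'], l10n('upload_cannot_upload') );
  }
  else if ( !in_array( get_extension( $_FILES['picture']['name'] ),
                       $conf['picture_ext'], true ) )
  {
    array_push( $result['error'], l10n('upload_advise_filetype') );
  }
  else if ( $_FILES['picture']['size'] > $my_max_file_size * 1024 )
  {
    array_push( $result['error'],
                l10n('upload_advise_filesize').$my_max_file_size.' KB' );
  }
  else if ( !move_uploaded_file( $_FILES['picture']['tmp_name'], $temp_name ) )
  {
    // move_uploaded_file() also refuses anything that is not a genuine
    // upload of this request
    array_push( $result['error'], l10n('upload_cannot_upload') );
  }
  else
  {
    $moved = true;
    $size = @getimagesize( $temp_name );
    if ( $size === false )
    {
      // not parseable as an image at all (the previous version indexed
      // the false return value)
      array_push( $result['error'], l10n('upload_advise_filetype') );
    }
    else
    {
      if ( isset( $image_max_width )
           and $image_max_width != ""
           and $size[0] > $image_max_width )
      {
        array_push( $result['error'],
                    l10n('upload_advise_width').$image_max_width.' px' );
      }
      if ( isset( $image_max_height )
           and $image_max_height != ""
           and $size[1] > $image_max_height )
      {
        array_push( $result['error'],
                    l10n('upload_advise_height').$image_max_height.' px' );
      }
      // $size[2] is the IMAGETYPE_* constant detected from the content;
      // it decides the stored type, not the file extension.
      // NOTE(review): a mismatch between extension and detected type (for
      // instance a PNG named .jpg) is still accepted here — confirm that
      // is acceptable for the code that later serves the file.
      switch ( $size[2] )
      {
      case IMAGETYPE_GIF : $result['type'] = 'gif'; break;
      case IMAGETYPE_JPEG : $result['type'] = 'jpg'; break;
      case IMAGETYPE_PNG : $result['type'] = 'png'; break;
      default :
        array_push( $result['error'], l10n('upload_advise_filetype') );
      }
    }
  }

  if ( sizeof( $result['error'] ) > 0 )
  {
    // remove the file only if this call wrote it; a pre-existing file at
    // $temp_name is left alone
    if ( $moved )
    {
      @unlink( $temp_name );
    }
  }
  else
  {
    @chmod( $temp_name, 0644);
  }

  //------------------------------------------------------------ log informations
  // every outcome is logged, including a rejected extension
  pwg_log();

  return $result;
}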
130
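//-------------------------------------------------- access authorization check
// The target category id comes from POST (form submit) or GET (page link).
// It is later concatenated unquoted into SQL and into the form URL, so only
// a plain decimal integer is accepted here rather than anything is_numeric()
// admits ("1e3", " 1", "1.5"); array-valued parameters are rejected too.
if (isset($_POST['category']) and is_string($_POST['category'])
    and ctype_digit($_POST['category']))
{
  $page['category'] = (int)$_POST['category'];
}
else
if (isset($_GET['cat']) and is_string($_GET['cat'])
    and ctype_digit($_GET['cat']))
{
  $page['category'] = (int)$_GET['cat'];
}
else
{
  $page['category'] = null;
}

// A category of 0 counts as "none", exactly like a missing one.
if (! empty($page['category']))
{
  // check_restrictions() presumably ends the request when the current user
  // may not see this category; the checks below additionally refuse remote
  // (URL-backed) and non-uploadable categories.
  check_restrictions($page['category']);
  $category = get_cat_info($page['category']);
  $category['cat_dir'] = get_complete_dir($page['category']);

  if (url_is_remote($category['cat_dir']) or !$category['uploadable'])
  {
    page_forbidden('upload not allowed');
  }
}
else
{
  if (isset($_POST['submit']))
  {
    // a submit without a category cannot be processed
    // ($page['category'] may be set by a future plugin, but without it
    // there is nothing to upload into)
    bad_request('invalid parameters');
  }
  else
  {
    $category = null;
  }
}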
169
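$error = array();
$page['upload_successful'] = false;
// waiting_id (thumbnail step) names the WAITING_TABLE row; it is used
// unquoted in SQL and echoed into the form URL further down, so anything
// other than a plain decimal integer is refused up front. bad_request() is
// the same terminating call the category check above uses for bad input.
if ( isset( $_GET['waiting_id'] ) )
{
  if ( !is_string( $_GET['waiting_id'] ) or !ctype_digit( $_GET['waiting_id'] ) )
  {
    bad_request('invalid parameters');
  }
  $page['waiting_id'] = (int)$_GET['waiting_id'];
}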
176
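//-------------------------------------------------------------- picture upload
// verifying fields
// Everything in $_POST / $_FILES is untrusted. The file name ends up in a
// filesystem path and inside a quoted SQL literal, and the mail address goes
// into SQL the same way, so both are validated against strict, anchored
// patterns before either is used. (The previous version built and probed
// the path before validating the name, and matched the mail address with an
// unanchored pattern that accepted arbitrary text around a valid address.)
if ( isset( $_POST['submit'] ) and !isset( $_GET['waiting_id'] ) )
{
  // string-only view of the posted fields; arrays and missing fields
  // become ''
  $posted = array();
  foreach (array('username', 'mail_address', 'name', 'author',
                 'date_creation', 'comment') as $field)
  {
    $posted[$field] = (isset($_POST[$field]) and is_string($_POST[$field]))
      ? $_POST[$field] : '';
  }
  $picture_name = (isset($_FILES['picture']['name'])
                   and is_string($_FILES['picture']['name']))
    ? $_FILES['picture']['name'] : '';

  // required fields and file name shape
  if ( $picture_name === '' )
  {
    array_push( $error, l10n('upload_filenotfound') );
  }
  else if ( !preg_match( '/^[a-zA-Z0-9_-][a-zA-Z0-9_.-]*$/', $picture_name ) )
  {
    // one plain file-name token: no separators and no leading dot (so no
    // "..", no dot-files such as .htaccess). Checked before the name is
    // used in a path so a crafted name cannot probe for files outside the
    // category directory through is_file().
    array_push( $error, l10n('update_wrong_dirname') );
  }
  else
  {
    $path = $category['cat_dir'].$picture_name;
    if ( @is_file( $path ) )
    {
      array_push( $error, l10n('upload_file_exists') );
    }
  }

  // anchored: the whole value must be an address, not merely contain one
  if ( !preg_match( '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)+$/i',
                    $posted['mail_address'] ) )
  {
    array_push( $error, l10n('reg_err_mail_address') );
  }
  if ( empty($posted['username']) )
  {
    array_push( $error, l10n('upload_err_username') );
  }

  // creation date is expected as dd/mm/yyyy; anything else is rejected
  // before checkdate() sees it (checkdate() wants integers, and a value
  // with fewer than three parts would previously have produced undefined
  // variables)
  $date_creation = '';
  if ( !empty($posted['date_creation']) )
  {
    if ( preg_match( '/^(\d{1,2})\/(\d{1,2})\/(\d{4})$/',
                     $posted['date_creation'], $date_parts )
         and checkdate( (int)$date_parts[2], (int)$date_parts[1],
                        (int)$date_parts[3] ) )
    {
      $date_creation = $date_parts[3].'-'.$date_parts[2].'-'.$date_parts[1];
    }
    else
    {
      array_push( $error, l10n('err_date') );
    }
  }

  // creation of the "infos" field :
  // <infos author="Pierrick LE GALL" comment="my comment"
  //        date_creation="2004-08-14" name="" />
  // NOTE(review): $xml_infos is concatenated into a quoted SQL literal below,
  // so encodeAttribute() must neutralise single quotes in author, comment
  // and name — confirm against include/.
  $xml_infos = '<infos ';
  $xml_infos.= encodeAttribute('author', $posted['author']);
  $xml_infos.= encodeAttribute('comment', $posted['comment']);
  $xml_infos.= encodeAttribute('date_creation', $date_creation);
  $xml_infos.= encodeAttribute('name', $posted['name']);
  $xml_infos.= ' />';

  if ( sizeof( $error ) == 0 )
  {
    $result = validate_upload( $path, $conf['upload_maxfilesize'],
                               $conf['upload_maxwidth'],
                               $conf['upload_maxheight']  );
    $error = array_merge( $error, $result['error'] );
  }

  if ( sizeof( $error ) == 0 )
  {
    // every value below has been constrained: the category is numeric (see
    // the access check), the file name matches the pattern above, the
    // username is entity-encoded (ENT_QUOTES turns quotes into entities),
    // the mail address matches the anchored pattern and the date is digits
    // and dashes.
    $query = 'insert into '.WAITING_TABLE;
    $query.= ' (storage_category_id,file,username,mail_address,date,infos)';
    $query.= ' values ';
    $query.= '('.$page['category'].",'".$picture_name."'";
    $query.= ",'".htmlspecialchars( $posted['username'], ENT_QUOTES)."'";
    $query.= ",'".$posted['mail_address']."',".time().",'".$xml_infos."')";
    $query.= ';';
    pwg_query( $query );
    $page['waiting_id'] = pwg_db_insert_id();

    if ($conf['email_admin_on_picture_uploaded'])
    {
      include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');

      $waiting_url = get_absolute_root_url().'admin.php?page=upload';

      // the raw posted values are reported to the admins as submitted
      $keyargs_content = array
      (
        get_l10n_args('Category: %s', get_cat_display_name($category['upper_names'], null, false)),
        get_l10n_args('Picture name: %s', $picture_name),
        get_l10n_args('User: %s', $posted['username']),
        get_l10n_args('Email: %s', $posted['mail_address']),
        get_l10n_args('Picture name: %s', $posted['name']),
        get_l10n_args('Author: %s', $posted['author']),
        get_l10n_args('Creation date: %s', $posted['date_creation']),
        get_l10n_args('Comment: %s', $posted['comment']),
        get_l10n_args('', ''),
        get_l10n_args('Waiting page: %s', $waiting_url)
      );

      pwg_mail_notification_admins
      (
        get_l10n_args('Picture uploaded by %s', $posted['username']),
        $keyargs_content
      );
    }
  }
}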
281
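//------------------------------------------------------------ thumbnail upload
// Second step: attach a thumbnail to the waiting row created by the first
// step. The row id comes from the query string and is used unquoted in two
// queries, so it must be a plain integer (the previous version concatenated
// the raw request value into both queries).
// NOTE(review): nothing here ties the waiting row to the current user — any
// account allowed to upload can attach a thumbnail to any waiting row by id.
// Confirm whether that is intended.
if ( isset( $_POST['submit'] ) and isset( $_GET['waiting_id'] ) )
{
  if ( !is_string( $_GET['waiting_id'] ) or !ctype_digit( $_GET['waiting_id'] ) )
  {
    bad_request('invalid parameters');
  }
  $waiting_id = (int)$_GET['waiting_id'];

  // upload of the thumbnail
  $query = 'select file';
  $query.= ' from '.WAITING_TABLE;
  $query.= ' where id = '.$waiting_id;
  $query.= ';';
  $result = pwg_query( $query );
  $row = pwg_db_fetch_assoc( $result );
  if ( empty($row) or !isset($row['file']) )
  {
    // no such waiting picture: nothing to attach the thumbnail to
    bad_request('invalid parameters');
  }

  // the thumbnail takes the picture's base name plus its own extension
  $file = substr( $row['file'], 0, strrpos( $row['file'], ".") );
  $extension = isset( $_FILES['picture']['name'] )
    ? get_extension( $_FILES['picture']['name'] ) : '';

  $validated = false;
  if (($path = mkget_thumbnail_dir($category['cat_dir'], $error)) != false)
  {
    $path.= '/'.$conf['prefix_thumbnail'].$file.'.'.$extension;
    // validate_upload() is where $extension is checked against
    // $conf['picture_ext'] before anything is written to disk
    $result = validate_upload( $path, $conf['upload_maxfilesize'],
                               $conf['upload_maxwidth_thumbnail'],
                               $conf['upload_maxheight_thumbnail']  );
    $error = array_merge( $error, $result['error'] );
    $validated = true;
  }

  // Record the thumbnail only when validate_upload() actually ran and
  // accepted the file: $extension is written into SQL below and has only
  // been checked inside validate_upload(). Without this flag a failed
  // mkget_thumbnail_dir() that did not add to $error would reach the update
  // with an unchecked extension.
  if ( $validated and sizeof( $error ) == 0 )
  {
    $query = 'update '.WAITING_TABLE;
    $query.= " set tn_ext = '".$extension."'";
    $query.= ' where id = '.$waiting_id;
    $query.= ';';
    pwg_query( $query );
    $page['upload_successful'] = true;
  }
}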
317
318//
319// Start output of page
320//
// Page setup: body id and title are read by page_header.php, then the
// upload template is registered.
$page['body_id'] = 'theUploadPage';
$title = l10n('upload_title');
include(PHPWG_ROOT_PATH.'include/page_header.php');
$template->set_filenames(array('upload' => 'upload.tpl'));
325
// Load category list
// Only categories flagged uploadable and visible to the current user (joined
// through the user cache table, narrowed further by the FandF condition) are
// offered in the selector; the current category is preselected.
// $user['id'] comes from the session, not from the request.
$query = '
SELECT
  id, name, uppercats, global_rank
FROM '.CATEGORIES_TABLE.' INNER JOIN '.USER_CACHE_CATEGORIES_TABLE.'
  ON id = cat_id and user_id = '.$user['id'].'
WHERE
  uploadable = \'true\'
  '.get_sql_condition_FandF
    (
      array
        (
          'visible_categories' => 'id',
        ),
      'AND'
    ).'
;';
display_select_cat_wrapper($query, array($page['category']), 'categories');
344
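// Form action: the current category and, during the thumbnail step, the
// waiting row id. The id is request-derived and is rendered into an HTML
// attribute by the template, so it is cast to int rather than echoed raw.
$u_form = PHPWG_ROOT_PATH.'upload.php?cat='.$page['category'];
if ( isset( $page['waiting_id'] ) )
{
  $u_form.= '&amp;waiting_id='.(int)$page['waiting_id'];
}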
350
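// Heading above the file input: during the thumbnail step it names the
// picture this request uploaded, otherwise it is the generic prompt. The
// isset() guard avoids an undefined-index notice on a plain GET of the
// thumbnail step, where no file was posted.
// NOTE(review): the file name is the raw posted value; whether the template
// escapes ADVISE_TITLE cannot be seen from here — confirm.
if ( isset( $page['waiting_id'] ) )
{
  $uploaded_name = isset( $_FILES['picture']['name'] )
    ? $_FILES['picture']['name'] : '';
  $advise_title = l10n('upload_advise_thumbnail').$uploaded_name;
}
else
{
  $advise_title = l10n('Choose an image');
}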
359
// Values handed to the template for the form and its surroundings.
// NOTE(review): stripslashes() on the posted username/author only makes
// sense if request data still arrives with magic-quotes escaping; whether
// common.inc.php already undoes that cannot be seen from here — confirm.
$template_vars = array(
  'ADVISE_TITLE' => $advise_title,
  'NAME'         => stripslashes($username),
  'EMAIL'        => $mail_address,
  'NAME_IMG'     => $name,
  'AUTHOR_IMG'   => stripslashes($author),
  'DATE_IMG'     => $date_creation,
  'COMMENT_IMG'  => $comment,
  'F_ACTION'     => $u_form,
  'U_RETURN'     => make_index_url(array('category' => $category)),
);
$template->assign($template_vars);
$template->assign('errors', $error);
$template->assign('UPLOAD_SUCCESSFUL', $page['upload_successful']);
378
// Until the upload has succeeded, list the configured limits as advice and
// show the identity fields on the first (picture) step only.
if ( !$page['upload_successful'] )
{
//--------------------------------------------------------------------- advises
  if ( !empty($conf['upload_maxfilesize']) )
  {
    $template->append('advises',
      l10n('upload_advise_filesize').$conf['upload_maxfilesize'].' KB');
  }

  // width/height limits differ between the picture step and the thumbnail
  // step; width is listed before height in both cases
  $dimension_limits = isset( $page['waiting_id'] )
    ? array('upload_advise_width'  => 'upload_maxwidth_thumbnail',
            'upload_advise_height' => 'upload_maxheight_thumbnail')
    : array('upload_advise_width'  => 'upload_maxwidth',
            'upload_advise_height' => 'upload_maxheight');
  foreach ($dimension_limits as $advise_key => $conf_key)
  {
    if ( $conf[$conf_key] != '' )
    {
      $template->append('advises', l10n($advise_key).$conf[$conf_key].' px');
    }
  }
  $template->append('advises', l10n('upload_advise_filetype'));

//----------------------------------------- optional username and mail address
  if ( !isset( $page['waiting_id'] ) )
  {
    $template->assign('SHOW_FORM_FIELDS', true);
  }
}

//----------------------------------------------------------- html code display
$template->parse('upload');
include(PHPWG_ROOT_PATH.'include/page_tail.php');
431?>