Context Navigation

source: branches/release-1_3/upload.php @ 2162

Last change on this file since 2162 was 556, checked in by z0rglub, 20 years ago

bug 53 : parse error on line 40

bug 54 : no picture extension allowed for picture upload

bug 56 : wrong error message for exceeding filesize picture

Property svn:eol-style set to native
Property svn:keywords set to Author Date Id Revision

File size: 14.3 KB

Rev	Line
[2]	1	<?php
	2	/***************************************************************************
[10]	3	* upload.php *
[2]	4	* ------------------- *
[57]	5	* application : PhpWebGallery 1.3 <http://phpwebgallery.net> *
	6	* author : Pierrick LE GALL <pierrick@z0rglub.com> *
[2]	7	* *
[57]	8	* $Id: upload.php 556 2004-10-07 21:41:09Z z0rglub $
	9	* *
[2]	10	***************************************************************************/
	11
	12	/***************************************************************************
	13	* *
	14	* This program is free software; you can redistribute it and/or modify *
	15	* it under the terms of the GNU General Public License as published by *
	16	* the Free Software Foundation; *
	17	* *
	18	***************************************************************************/
[10]	19
	20	//------------------------------------------------------------------- functions
[2]	21	// The validate_upload function checks if the image of the given path is valid.
	22	// A picture is valid when :
	23	// - width, height and filesize are not higher than the maximum
	24	// filesize authorized by the administrator
	25	// - the type of the picture is among jpg, gif and png
	26	// The function returns an array containing :
	27	// - $result['type'] contains the type of the image ('jpg', 'gif' or 'png')
	28	// - $result['error'] contains an array with the different errors
	29	// found with the picture
	30	function validate_upload( $temp_name, $my_max_file_size,
	31	$image_max_width, $image_max_height )
	32	{
[544]	33	global $conf, $lang;
[2]	34
	35	$result = array();
	36	$result['error'] = array();
	37	//echo $_FILES['picture']['name']."<br />".$temp_name;
	38	$extension = get_extension( $_FILES['picture']['name'] );
[556]	39	if ( !in_array( $extension, $conf['picture_ext'] ) )
[2]	40	{
[19]	41	array_push( $result['error'], $lang['upload_advise_filetype'] );
[2]	42	return $result;
	43	}
	44	if ( !isset( $_FILES['picture'] ) )
	45	{
	46	// do we even have a file?
[19]	47	array_push( $result['error'], "You did not upload anything!" );
[2]	48	}
	49	else if ( $_FILES['picture']['size'] > $my_max_file_size * 1024 )
	50	{
[19]	51	array_push( $result['error'],
[556]	52	$lang['upload_advise_filesize'].$my_max_file_size.' KB' );
[2]	53	}
	54	else
	55	{
	56	// check if we are allowed to upload this file_type
	57	// upload de la photo sous un nom temporaire
	58	if ( !move_uploaded_file( $_FILES['picture']['tmp_name'], $temp_name ) )
	59	{
[19]	60	array_push( $result['error'], $lang['upload_cannot_upload'] );
[2]	61	}
	62	else
	63	{
	64	$size = getimagesize( $temp_name );
	65	if ( isset( $image_max_width )
[10]	66	and $image_max_width != ""
	67	and $size[0] > $image_max_width )
[2]	68	{
[19]	69	array_push( $result['error'],
	70	$lang['upload_advise_width'].$image_max_width.' px' );
[2]	71	}
	72	if ( isset( $image_max_height )
[10]	73	and $image_max_height != ""
	74	and $size[1] > $image_max_height )
[2]	75	{
[19]	76	array_push( $result['error'],
	77	$lang['upload_advise_height'].$image_max_height.' px' );
[2]	78	}
	79	// $size[2] == 1 means GIF
	80	// $size[2] == 2 means JPG
	81	// $size[2] == 3 means PNG
[19]	82	switch ( $size[2] )
[2]	83	{
[19]	84	case 1 : $result['type'] = 'gif'; break;
	85	case 2 : $result['type'] = 'jpg'; break;
	86	case 3 : $result['type'] = 'png'; break;
	87	default :
	88	array_push( $result['error'], $lang['upload_advise_filetype'] );
[2]	89	}
	90	}
	91	}
	92	if ( sizeof( $result['error'] ) > 0 )
	93	{
	94	// destruction de l'image avec le nom temporaire
	95	@unlink( $temp_name );
	96	}
[298]	97	else
	98	{
	99	@chmod( $temp_name, 0644);
	100	}
[2]	101	return $result;
	102	}
	103	//----------------------------------------------------------- personnal include
	104	include_once( './include/init.inc.php' );
	105	//-------------------------------------------------- access authorization check
	106	check_login_authorization();
	107	check_cat_id( $_GET['cat'] );
[10]	108	if ( isset( $page['cat'] ) and is_numeric( $page['cat'] ) )
[2]	109	{
	110	check_restrictions( $page['cat'] );
	111	$result = get_cat_info( $page['cat'] );
[82]	112	$page['cat_dir'] = get_complete_dir( $page['cat'] );
[38]	113	$page['cat_site_id'] = $result['site_id'];
	114	$page['cat_name'] = $result['name'];
	115	$page['cat_uploadable'] = $result['uploadable'];
[290]	116	if ( $page['cat_site_id'] != 1
[38]	117	or !$conf['upload_available']
	118	or !$page['cat_uploadable'] )
[2]	119	{
[10]	120	echo '<div style="text-align:center;">'.$lang['upload_forbidden'].'<br />';
[26]	121	echo '<a href="'.add_session_id( './category.php' ).'">';
[10]	122	echo $lang['thumbnails'].'</a></div>';
[2]	123	exit();
	124	}
[290]	125	}
[2]	126	//----------------------------------------------------- template initialization
[290]	127	//
	128	// Start output of page
	129	//
	130	$title= $lang['upload_title'];
	131	include('include/page_header.php');
[10]	132	$handle = $vtp->Open( './template/'.$user['template'].'/upload.vtp' );
	133	initialize_template();
	134
	135	$tpl = array( 'upload_title', 'upload_username', 'mail_address', 'submit',
[26]	136	'upload_successful', 'search_return_main_page','upload_author',
	137	'upload_name','upload_creation_date','upload_comment',
	138	'mandatory' );
	139	templatize_array( $tpl, 'lang', $handle );
[2]	140
	141	$error = array();
	142	$page['upload_successful'] = false;
	143	if ( isset( $_GET['waiting_id'] ) )
	144	{
	145	$page['waiting_id'] = $_GET['waiting_id'];
	146	}
	147	//-------------------------------------------------------------- picture upload
[26]	148	// verfying fields
[10]	149	if ( isset( $_POST['submit'] ) and !isset( $_GET['waiting_id'] ) )
[2]	150	{
	151	$path = $page['cat_dir'].$_FILES['picture']['name'];
	152	if ( @is_file( $path ) )
	153	{
[26]	154	array_push( $error, $lang['upload_file_exists'] );
[2]	155	}
	156	// test de la présence des champs obligatoires
[26]	157	if ( $_FILES['picture']['name'] == '' )
[2]	158	{
[26]	159	array_push( $error, $lang['upload_filenotfound'] );
[2]	160	}
	161	if ( !ereg( "([_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)+)",
	162	$_POST['mail_address'] ) )
	163	{
[26]	164	array_push( $error, $lang['reg_err_mail_address'] );
[2]	165	}
	166	if ( $_POST['username'] == '' )
	167	{
[26]	168	array_push( $error, $lang['upload_err_username'] );
[2]	169	}
[315]	170
	171	$date_creation = '';
[26]	172	if ( $_POST['date_creation'] != '' )
	173	{
	174	list( $day,$month,$year ) = explode( '/', $_POST['date_creation'] );
	175	// int checkdate ( int month, int day, int year)
	176	if ( checkdate( $month, $day, $year ) )
	177	{
	178	// int mktime ( int hour, int minute, int second,
	179	// int month, int day, int year [, int is_dst])
	180	$date_creation = mktime( 0, 0, 0, $month, $day, $year );
	181	}
	182	else
	183	{
	184	array_push( $error, $lang['err_date'] );
	185	}
	186	}
	187	// creation of the "infos" field :
	188	// <infos author="Pierrick LE GALL" comment="my comment"
	189	// date_creation="1056891767" name="" />
	190	$xml_infos = '<infos';
	191	$xml_infos.= ' author="'.htmlspecialchars($_POST['author'],ENT_QUOTES).'"';
	192	$xml_infos.= ' comment="'.htmlspecialchars($_POST['comment'],ENT_QUOTES).'"';
	193	$xml_infos.= ' date_creation="'.$date_creation.'"';
	194	$xml_infos.= ' name="'.htmlspecialchars( $_POST['name'], ENT_QUOTES).'"';
	195	$xml_infos.= ' />';
[315]	196
	197	if ( !preg_match( '/^[a-zA-Z0-9-_.]+$/', $_FILES['picture']['name'] ) )
	198	{
	199	// reload language file with administration labels
	200	$isadmin = true;
	201	include( './language/'.$user['language'].'.php' );
	202	array_push( $error, $lang['update_wrong_dirname'] );
	203	}
[26]	204
[2]	205	if ( sizeof( $error ) == 0 )
	206	{
	207	$result = validate_upload( $path, $conf['upload_maxfilesize'],
	208	$conf['upload_maxwidth'],
	209	$conf['upload_maxheight'] );
	210	for ( $j = 0; $j < sizeof( $result['error'] ); $j++ )
	211	{
[26]	212	array_push( $error, $result['error'][$j] );
[2]	213	}
	214	}
	215
	216	if ( sizeof( $error ) == 0 )
	217	{
[10]	218	$query = 'insert into '.PREFIX_TABLE.'waiting';
[61]	219	$query.= ' (storage_category_id,file,username,mail_address,date,infos)';
	220	$query.= ' values ';
	221	$query.= '('.$page['cat'].",'".$_FILES['picture']['name']."'";
[2]	222	$query.= ",'".htmlspecialchars( $_POST['username'], ENT_QUOTES)."'";
[26]	223	$query.= ",'".$_POST['mail_address']."',".time().",'".$xml_infos."')";
[2]	224	$query.= ';';
	225	mysql_query( $query );
	226	$page['waiting_id'] = mysql_insert_id();
[85]	227	// mail notification for administrators
	228	if ( $conf['mail_notification'] )
	229	{
[150]	230	notify( 'upload' );
[85]	231	}
[2]	232	}
	233	}
	234	//------------------------------------------------------------ thumbnail upload
[10]	235	if ( isset( $_POST['submit'] ) and isset( $_GET['waiting_id'] ) )
[2]	236	{
	237	// upload of the thumbnail
	238	$query = 'select file';
[10]	239	$query.= ' from '.PREFIX_TABLE.'waiting';
[2]	240	$query.= ' where id = '.$_GET['waiting_id'];
	241	$query.= ';';
	242	$result= mysql_query( $query );
	243	$row = mysql_fetch_array( $result );
	244	$file = substr ( $row['file'], 0, strrpos ( $row['file'], ".") );
	245	$extension = get_extension( $_FILES['picture']['name'] );
	246	$path = $page['cat_dir'].'thumbnail/';
[20]	247	$path.= $conf['prefix_thumbnail'].$file.'.'.$extension;
[2]	248	$result = validate_upload( $path, $conf['upload_maxfilesize'],
	249	$conf['upload_maxwidth_thumbnail'],
	250	$conf['upload_maxheight_thumbnail'] );
	251	for ( $j = 0; $j < sizeof( $result['error'] ); $j++ )
	252	{
[26]	253	array_push( $error, $result['error'][$j] );
[2]	254	}
	255	if ( sizeof( $error ) == 0 )
	256	{
[10]	257	$query = 'update '.PREFIX_TABLE.'waiting';
[2]	258	$query.= " set tn_ext = '".$extension."'";
	259	$query.= ' where id = '.$_GET['waiting_id'];
	260	$query.= ';';
	261	mysql_query( $query );
	262	$page['upload_successful'] = true;
	263	}
	264	}
	265
	266	if ( !$page['upload_successful'] )
	267	{
	268	$vtp->addSession( $handle, 'upload_not_successful' );
	269	//-------------------------------------------------------------- errors display
	270	if ( sizeof( $error ) != 0 )
	271	{
	272	$vtp->addSession( $handle, 'errors' );
	273	for ( $i = 0; $i < sizeof( $error ); $i++ )
	274	{
	275	$vtp->addSession( $handle, 'li' );
	276	$vtp->setVar( $handle, 'li.li', $error[$i] );
	277	$vtp->closeSession( $handle, 'li' );
	278	}
	279	$vtp->closeSession( $handle, 'errors' );
	280	}
	281	//----------------------------------------------------------------- form action
	282	$url = './upload.php?cat='.$page['cat'].'&expand='.$_GET['expand'];
	283	if ( isset( $page['waiting_id'] ) )
	284	{
	285	$url.= '&waiting_id='.$page['waiting_id'];
	286	}
[26]	287	$vtp->setGlobalVar( $handle, 'form_action', add_session_id( $url ) );
[2]	288	//--------------------------------------------------------------------- advises
	289	if ( $conf['upload_maxfilesize'] != '' )
	290	{
	291	$vtp->addSession( $handle, 'advise' );
	292	$content = $lang['upload_advise_filesize'];
	293	$content.= $conf['upload_maxfilesize'].' KB';
	294	$vtp->setVar( $handle, 'advise.content', $content );
	295	$vtp->closeSession( $handle, 'advise' );
	296	}
	297	if ( isset( $page['waiting_id'] ) )
	298	{
	299	$advise_title=$lang['upload_advise_thumbnail'].$_FILES['picture']['name'];
	300	$vtp->setGlobalVar( $handle, 'advise_title', $advise_title );
	301
	302	if ( $conf['upload_maxwidth_thumbnail'] != '' )
	303	{
	304	$vtp->addSession( $handle, 'advise' );
	305	$content = $lang['upload_advise_width'];
	306	$content.= $conf['upload_maxwidth_thumbnail'].' px';
	307	$vtp->setVar( $handle, 'advise.content', $content );
	308	$vtp->closeSession( $handle, 'advise' );
	309	}
	310	if ( $conf['upload_maxheight_thumbnail'] != '' )
	311	{
	312	$vtp->addSession( $handle, 'advise' );
	313	$content = $lang['upload_advise_height'];
	314	$content.= $conf['upload_maxheight_thumbnail'].' px';
	315	$vtp->setVar( $handle, 'advise.content', $content );
	316	$vtp->closeSession( $handle, 'advise' );
	317	}
	318	}
	319	else
	320	{
	321	$advise_title = $lang['upload_advise'];
	322	$advise_title.= get_cat_display_name( $page['cat_name'], ' - ',
	323	'font-style:italic;' );
	324	$vtp->setGlobalVar( $handle, 'advise_title', $advise_title );
	325
	326	if ( $conf['upload_maxwidth'] != '' )
	327	{
	328	$vtp->addSession( $handle, 'advise' );
	329	$content = $lang['upload_advise_width'];
	330	$content.= $conf['upload_maxwidth'].' px';
	331	$vtp->setVar( $handle, 'advise.content', $content );
	332	$vtp->closeSession( $handle, 'advise' );
	333	}
	334	if ( $conf['upload_maxheight'] != '' )
	335	{
	336	$vtp->addSession( $handle, 'advise' );
	337	$content = $lang['upload_advise_height'];
	338	$content.= $conf['upload_maxheight'].' px';
	339	$vtp->setVar( $handle, 'advise.content', $content );
	340	$vtp->closeSession( $handle, 'advise' );
	341	}
	342	}
	343	$vtp->addSession( $handle, 'advise' );
	344	$content = $lang['upload_advise_filetype'];
	345	$vtp->setVar( $handle, 'advise.content', $content );
	346	$vtp->closeSession( $handle, 'advise' );
	347	//----------------------------------------- optionnal username and mail address
	348	if ( !isset( $page['waiting_id'] ) )
	349	{
	350	$vtp->addSession( $handle, 'fields' );
[26]	351	// username
	352	if ( isset( $_POST['username'] ) ) $username = $_POST['username'];
	353	else $username = $user['username'];
	354	$vtp->setVar( $handle, 'fields.username', $username );
	355	// mail address
	356	if ( isset( $_POST['mail_address'] ) )$mail_address=$_POST['mail_address'];
	357	else $mail_address=$user['mail_address'];
	358	$vtp->setGlobalVar( $handle, 'user_mail_address',$user['mail_address'] );
	359	// name of the picture
[290]	360	if (isset($_POST['name']))
[26]	361	$vtp->setVar( $handle, 'fields.name', $_POST['name'] );
	362	// author
[290]	363	if (isset($_POST['author']))
[26]	364	$vtp->setVar( $handle, 'fields.author', $_POST['author'] );
	365	// date of creation
[290]	366	if (isset($_POST['date_creation']))
[26]	367	$vtp->setVar( $handle, 'fields.date_creation', $_POST['date_creation'] );
	368	// comment
[290]	369	if (isset($_POST['comment']))
[26]	370	$vtp->setVar( $handle, 'fields.comment', $_POST['comment'] );
	371
[2]	372	$vtp->closeSession( $handle, 'fields' );
[26]	373
	374	$vtp->addSession( $handle, 'note' );
	375	$vtp->closeSession( $handle, 'note' );
[2]	376	}
	377	$vtp->closeSession( $handle, 'upload_not_successful' );
	378	}
	379	else
	380	{
	381	$vtp->addSession( $handle, 'upload_successful' );
	382	$vtp->closeSession( $handle, 'upload_successful' );
	383	}
	384	//----------------------------------------------------- return to main page url
	385	$url = './category.php?cat='.$page['cat'].'&expand='.$_GET['expand'];
	386	$vtp->setGlobalVar( $handle, 'return_url', add_session_id( $url ) );
	387	//----------------------------------------------------------- html code display
[350]	388	$output.= $vtp->Display( $handle, 0 );
[290]	389	include('include/page_tail.php');
[350]	390	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: