source: trunk/upload.php @ 2777

Last change on this file since 2777 was 2624, checked in by rub, 16 years ago

Resolved issue 0000872: [Butterfly2 and 2.0RC1] Error on picture upload by visitor and admin

  • Property svn:eol-style set to LF
  • Property svn:keywords set to Author Date Id Revision
File size: 14.1 KB
RevLine 
[2]1<?php
[354]2// +-----------------------------------------------------------------------+
[2297]3// | Piwigo - a PHP based picture gallery                                  |
4// +-----------------------------------------------------------------------+
5// | Copyright(C) 2008      Piwigo Team                  http://piwigo.org |
6// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
7// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
8// +-----------------------------------------------------------------------+
9// | This program is free software; you can redistribute it and/or modify  |
10// | it under the terms of the GNU General Public License as published by  |
11// | the Free Software Foundation                                          |
12// |                                                                       |
13// | This program is distributed in the hope that it will be useful, but   |
14// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
15// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
16// | General Public License for more details.                              |
17// |                                                                       |
18// | You should have received a copy of the GNU General Public License     |
19// | along with this program; if not, write to the Free Software           |
20// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
21// | USA.                                                                  |
22// +-----------------------------------------------------------------------+
[2325]23
[364]24define('PHPWG_ROOT_PATH','./');
[345]25
[2325]26// +-----------------------------------------------------------------------+
27// | Includes                                                              |
28// +-----------------------------------------------------------------------+
29include_once(PHPWG_ROOT_PATH.'include/common.inc.php');
[1850]30
[2325]31// +-----------------------------------------------------------------------+
32// | Check Access and exit when user status is not ok                      |
33// +-----------------------------------------------------------------------+
34check_status($conf['upload_user_access']);
[1631]35
[2325]36$username = !empty($_POST['username']) ? $_POST['username']:(is_classic_user() ? $user['username'] : '');
37$mail_address = !empty($_POST['mail_address']) ? $_POST['mail_address'] : (is_classic_user() ? $user['email'] : '');
38$name = !empty($_POST['name']) ? $_POST['name'] : '';
39$author = !empty($_POST['author']) ? $_POST['author'] : (is_classic_user() ? $user['username'] : '');
40$date_creation = !empty($_POST['date_creation']) ? $_POST['date_creation'] : '';
41$comment = !empty($_POST['comment']) ? $_POST['comment'] : '';
42
[10]43//------------------------------------------------------------------- functions
[2]44// The validate_upload function checks if the image of the given path is valid.
45// A picture is valid when :
46//     - width, height and filesize are not higher than the maximum
47//       filesize authorized by the administrator
48//     - the type of the picture is among jpg, gif and png
49// The function returns an array containing :
50//     - $result['type'] contains the type of the image ('jpg', 'gif' or 'png')
51//     - $result['error'] contains an array with the different errors
52//       found with the picture
53function validate_upload( $temp_name, $my_max_file_size,
54                          $image_max_width, $image_max_height )
55{
[1631]56  global $conf, $lang, $page, $mail_address;
57
[2]58  $result = array();
59  $result['error'] = array();
60  //echo $_FILES['picture']['name']."<br />".$temp_name;
61  $extension = get_extension( $_FILES['picture']['name'] );
[585]62  if (!in_array($extension, $conf['picture_ext']))
[2]63  {
[1631]64    array_push( $result['error'], l10n('upload_advise_filetype') );
[2]65    return $result;
66  }
67  if ( !isset( $_FILES['picture'] ) )
68  {
69    // do we even have a file?
[19]70    array_push( $result['error'], "You did not upload anything!" );
[2]71  }
72  else if ( $_FILES['picture']['size'] > $my_max_file_size * 1024 )
73  {
[19]74    array_push( $result['error'],
[1631]75                l10n('upload_advise_filesize').$my_max_file_size.' KB' );
[2]76  }
77  else
78  {
79    // check if we are allowed to upload this file_type
80    // upload de la photo sous un nom temporaire
81    if ( !move_uploaded_file( $_FILES['picture']['tmp_name'], $temp_name ) )
82    {
[1631]83      array_push( $result['error'], l10n('upload_cannot_upload') );
[2]84    }
85    else
86    {
87      $size = getimagesize( $temp_name );
88      if ( isset( $image_max_width )
[10]89           and $image_max_width != ""
90           and $size[0] > $image_max_width )
[2]91      {
[19]92        array_push( $result['error'],
[1631]93                    l10n('upload_advise_width').$image_max_width.' px' );
[2]94      }
95      if ( isset( $image_max_height )
[10]96           and $image_max_height != ""
97           and $size[1] > $image_max_height )
[2]98      {
[19]99        array_push( $result['error'],
[1631]100                    l10n('upload_advise_height').$image_max_height.' px' );
[2]101      }
102      // $size[2] == 1 means GIF
103      // $size[2] == 2 means JPG
104      // $size[2] == 3 means PNG
[19]105      switch ( $size[2] )
[2]106      {
[19]107      case 1 : $result['type'] = 'gif'; break;
108      case 2 : $result['type'] = 'jpg'; break;
109      case 3 : $result['type'] = 'png'; break;
110      default :
[2265]111        array_push( $result['error'], l10n('upload_advise_filetype') );
[2]112      }
113    }
114  }
115  if ( sizeof( $result['error'] ) > 0 )
116  {
117    // destruction de l'image avec le nom temporaire
118    @unlink( $temp_name );
119  }
[345]120  else
121  {
[587]122    @chmod( $temp_name, 0644);
[345]123  }
[1631]124
125  //------------------------------------------------------------ log informations
[1843]126  pwg_log();
[1631]127
[2]128  return $result;
[1631]129}
[345]130
[2]131//-------------------------------------------------- access authorization check
[2325]132if (isset($_POST['category']) and is_numeric($_POST['category']))
133{
134  $page['category'] = $_POST['category'];
135}
136else
[2033]137if (isset($_GET['cat']) and is_numeric($_GET['cat']))
[2]138{
[1843]139  $page['category'] = $_GET['cat'];
[1036]140}
[2325]141else
142{
143  $page['category'] = null;
144}
[1036]145
[2325]146if (! empty($page['category']))
[1036]147{
[2325]148  check_restrictions($page['category']);
149  $category = get_cat_info($page['category']);
150  $category['cat_dir'] = get_complete_dir($page['category']);
[2265]151
[1861]152  if (url_is_remote($category['cat_dir']) or !$category['uploadable'])
[667]153  {
[2265]154    page_forbidden('upload not allowed');
[667]155  }
[2]156}
[2325]157else
158{
159  if (isset($_POST['submit']))
160  {
161    // $page['category'] may be set by a futur plugin but without it
162    bad_request('invalid parameters');
163  }
164  else
165  {
166    $category = null;
167  }
[2033]168}
[10]169
[2]170$error = array();
171$page['upload_successful'] = false;
172if ( isset( $_GET['waiting_id'] ) )
173{
174  $page['waiting_id'] = $_GET['waiting_id'];
175}
[2325]176
[2]177//-------------------------------------------------------------- picture upload
[26]178// verfying fields
[10]179if ( isset( $_POST['submit'] ) and !isset( $_GET['waiting_id'] ) )
[2]180{
[1861]181  $path = $category['cat_dir'].$_FILES['picture']['name'];
[2]182  if ( @is_file( $path ) )
183  {
[1631]184    array_push( $error, l10n('upload_file_exists') );
[2]185  }
186  // test de la présence des champs obligatoires
[369]187  if ( empty($_FILES['picture']['name']))
[2]188  {
[1631]189    array_push( $error, l10n('upload_filenotfound') );
[2]190  }
191  if ( !ereg( "([_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)+)",
192             $_POST['mail_address'] ) )
193  {
[1631]194    array_push( $error, l10n('reg_err_mail_address') );
[2]195  }
[369]196  if ( empty($_POST['username']) )
[2]197  {
[1631]198    array_push( $error, l10n('upload_err_username') );
[2]199  }
[2265]200
[345]201  $date_creation = '';
[369]202  if ( !empty($_POST['date_creation']) )
[26]203  {
204    list( $day,$month,$year ) = explode( '/', $_POST['date_creation'] );
205    // int checkdate ( int month, int day, int year)
[488]206    if (checkdate($month, $day, $year))
[26]207    {
[488]208      $date_creation = $year.'-'.$month.'-'.$day;
[26]209    }
210    else
211    {
[1631]212      array_push( $error, l10n('err_date') );
[26]213    }
214  }
215  // creation of the "infos" field :
216  // <infos author="Pierrick LE GALL" comment="my comment"
[488]217  //        date_creation="2004-08-14" name="" />
[2485]218  $xml_infos = '<infos ';
[1058]219  $xml_infos.= encodeAttribute('author', $_POST['author']);
220  $xml_infos.= encodeAttribute('comment', $_POST['comment']);
221  $xml_infos.= encodeAttribute('date_creation', $date_creation);
222  $xml_infos.= encodeAttribute('name', $_POST['name']);
[26]223  $xml_infos.= ' />';
[345]224
225  if ( !preg_match( '/^[a-zA-Z0-9-_.]+$/', $_FILES['picture']['name'] ) )
226  {
[1631]227    array_push( $error, l10n('update_wrong_dirname') );
[345]228  }
[2265]229
[2]230  if ( sizeof( $error ) == 0 )
231  {
232    $result = validate_upload( $path, $conf['upload_maxfilesize'],
233                               $conf['upload_maxwidth'],
234                               $conf['upload_maxheight']  );
235    for ( $j = 0; $j < sizeof( $result['error'] ); $j++ )
236    {
[26]237      array_push( $error, $result['error'][$j] );
[2]238    }
239  }
240
241  if ( sizeof( $error ) == 0 )
242  {
[369]243    $query = 'insert into '.WAITING_TABLE;
[61]244    $query.= ' (storage_category_id,file,username,mail_address,date,infos)';
245    $query.= ' values ';
[1843]246    $query.= '('.$page['category'].",'".$_FILES['picture']['name']."'";
[2]247    $query.= ",'".htmlspecialchars( $_POST['username'], ENT_QUOTES)."'";
[26]248    $query.= ",'".$_POST['mail_address']."',".time().",'".$xml_infos."')";
[2]249    $query.= ';';
[587]250    pwg_query( $query );
[2]251    $page['waiting_id'] = mysql_insert_id();
[1901]252
253    if ($conf['email_admin_on_picture_uploaded'])
254    {
255      include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
256
[1915]257      $waiting_url = get_absolute_root_url().'admin.php?page=upload';
[1901]258
[1908]259      $keyargs_content = array
260      (
261        get_l10n_args('Category: %s', get_cat_display_name($category['upper_names'], null, false)),
262        get_l10n_args('Picture name: %s', $_FILES['picture']['name']),
263        get_l10n_args('User: %s', $_POST['username']),
264        get_l10n_args('Email: %s', $_POST['mail_address']),
265        get_l10n_args('Picture name: %s', $_POST['name']),
266        get_l10n_args('Author: %s', $_POST['author']),
267        get_l10n_args('Creation date: %s', $_POST['date_creation']),
268        get_l10n_args('Comment: %s', $_POST['comment']),
269        get_l10n_args('', ''),
270        get_l10n_args('Waiting page: %s', $waiting_url)
271      );
[1901]272
[1908]273      pwg_mail_notification_admins
[1901]274      (
[1908]275        get_l10n_args('Picture uploaded by %s', $_POST['username']),
276        $keyargs_content
[1901]277      );
278    }
[2]279  }
280}
[369]281
[2]282//------------------------------------------------------------ thumbnail upload
[10]283if ( isset( $_POST['submit'] ) and isset( $_GET['waiting_id'] ) )
[2]284{
285  // upload of the thumbnail
286  $query = 'select file';
[369]287  $query.= ' from '.WAITING_TABLE;
[2]288  $query.= ' where id = '.$_GET['waiting_id'];
289  $query.= ';';
[587]290  $result= pwg_query( $query );
[2]291  $row = mysql_fetch_array( $result );
292  $file = substr ( $row['file'], 0, strrpos ( $row['file'], ".") );
293  $extension = get_extension( $_FILES['picture']['name'] );
[1631]294
[1861]295  if (($path = mkget_thumbnail_dir($category['cat_dir'], $error)) != false)
[2]296  {
[1631]297    $path.= '/'.$conf['prefix_thumbnail'].$file.'.'.$extension;
298    $result = validate_upload( $path, $conf['upload_maxfilesize'],
299                               $conf['upload_maxwidth_thumbnail'],
300                               $conf['upload_maxheight_thumbnail']  );
301    for ( $j = 0; $j < sizeof( $result['error'] ); $j++ )
302    {
303      array_push( $error, $result['error'][$j] );
304    }
[2]305  }
[1631]306
[2]307  if ( sizeof( $error ) == 0 )
308  {
[369]309    $query = 'update '.WAITING_TABLE;
[2]310    $query.= " set tn_ext = '".$extension."'";
311    $query.= ' where id = '.$_GET['waiting_id'];
312    $query.= ';';
[587]313    pwg_query( $query );
[2]314    $page['upload_successful'] = true;
315  }
316}
317
[369]318//
319// Start output of page
320//
[1631]321$title= l10n('upload_title');
322$page['body_id'] = 'theUploadPage';
[369]323include(PHPWG_ROOT_PATH.'include/page_header.php');
324$template->set_filenames(array('upload'=>'upload.tpl'));
325
[2325]326// Load category list
327$query = '
328SELECT
329  id, name, uppercats, global_rank
330FROM '.CATEGORIES_TABLE.' INNER JOIN '.USER_CACHE_CATEGORIES_TABLE.'
331  ON id = cat_id and user_id = '.$user['id'].'
332WHERE
333  uploadable = \'true\'
334  '.get_sql_condition_FandF
335    (
336      array
337        (
338          'visible_categories' => 'id',
339        ),
340      'AND'
341    ).'
342;';
343display_select_cat_wrapper($query, array($page['category']), 'categories');
344
[1843]345$u_form = PHPWG_ROOT_PATH.'upload.php?cat='.$page['category'];
[369]346if ( isset( $page['waiting_id'] ) )
347{
348$u_form.= '&amp;waiting_id='.$page['waiting_id'];
349}
350
351if ( isset( $page['waiting_id'] ) )
352{
[2325]353  $advise_title = l10n('upload_advise_thumbnail').$_FILES['picture']['name'];
[369]354}
355else
356{
[2325]357  $advise_title = l10n('Choose an image');
[369]358}
359
[2265]360$template->assign(
[1082]361  array(
362    'ADVISE_TITLE' => $advise_title,
363    'NAME' => $username,
364    'EMAIL' => $mail_address,
365    'NAME_IMG' => $name,
366    'AUTHOR_IMG' => $author,
367    'DATE_IMG' => $date_creation,
368    'COMMENT_IMG' => $comment,
[1631]369
[1082]370    'F_ACTION' => $u_form,
[369]371
[1861]372    'U_RETURN' => make_index_url(array('category' => $category)),
[1082]373    )
374  );
[2265]375
376$template->assign('errors', $error);
377$template->assign('UPLOAD_SUCCESSFUL', $page['upload_successful'] );
378
[2]379if ( !$page['upload_successful'] )
380{
381//--------------------------------------------------------------------- advises
[369]382  if ( !empty($conf['upload_maxfilesize']) )
[2]383  {
[1631]384    $content = l10n('upload_advise_filesize');
[2]385    $content.= $conf['upload_maxfilesize'].' KB';
[2265]386    $template->append('advises', $content);
[2]387  }
[369]388
[2]389  if ( isset( $page['waiting_id'] ) )
390  {
391    if ( $conf['upload_maxwidth_thumbnail'] != '' )
392    {
[1631]393      $content = l10n('upload_advise_width');
[2]394      $content.= $conf['upload_maxwidth_thumbnail'].' px';
[2265]395      $template->append('advises', $content);
[2]396    }
397    if ( $conf['upload_maxheight_thumbnail'] != '' )
398    {
[1631]399      $content = l10n('upload_advise_height');
[2]400      $content.= $conf['upload_maxheight_thumbnail'].' px';
[2265]401      $template->append('advises', $content);
[2]402    }
403  }
404  else
405  {
406    if ( $conf['upload_maxwidth'] != '' )
407    {
[1631]408      $content = l10n('upload_advise_width');
[2]409      $content.= $conf['upload_maxwidth'].' px';
[2265]410      $template->append('advises', $content);
[2]411    }
412    if ( $conf['upload_maxheight'] != '' )
413    {
[1631]414      $content = l10n('upload_advise_height');
[2]415      $content.= $conf['upload_maxheight'].' px';
[2265]416      $template->append('advises', $content);
[2]417    }
418  }
[2265]419  $template->append('advises', l10n('upload_advise_filetype'));
420
[2]421//----------------------------------------- optionnal username and mail address
422  if ( !isset( $page['waiting_id'] ) )
423  {
[2265]424    $template->assign('SHOW_FORM_FIELDS', true);
[2]425  }
426}
[1631]427
[2]428//----------------------------------------------------------- html code display
[688]429$template->parse('upload');
[369]430include(PHPWG_ROOT_PATH.'include/page_tail.php');
[362]431?>
Note: See TracBrowser for help on using the repository browser.