source: trunk/upload.php @ 2033

Last change on this file since 2033 was 2033, checked in by vdigital, 17 years ago

Bug 0000705: Upload error with incomplete URL.
+ Broken link in Admin/intro.php

  • Property svn:eol-style set to LF
  • Property svn:keywords set to Author Date Id Revision
File size: 13.7 KB
Line 
1<?php
2// +-----------------------------------------------------------------------+
3// | PhpWebGallery - a PHP based picture gallery                           |
4// | Copyright (C) 2002-2003 Pierrick LE GALL - pierrick@phpwebgallery.net |
5// | Copyright (C) 2003-2007 PhpWebGallery Team - http://phpwebgallery.net |
6// +-----------------------------------------------------------------------+
7// | file          : $Id: upload.php 2033 2007-06-12 21:52:46Z vdigital $
8// | last update   : $Date: 2007-06-12 21:52:46 +0000 (Tue, 12 Jun 2007) $
9// | last modifier : $Author: vdigital $
10// | revision      : $Revision: 2033 $
11// +-----------------------------------------------------------------------+
12// | This program is free software; you can redistribute it and/or modify  |
13// | it under the terms of the GNU General Public License as published by  |
14// | the Free Software Foundation                                          |
15// |                                                                       |
16// | This program is distributed in the hope that it will be useful, but   |
17// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
18// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
19// | General Public License for more details.                              |
20// |                                                                       |
21// | You should have received a copy of the GNU General Public License     |
22// | along with this program; if not, write to the Free Software           |
23// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
24// | USA.                                                                  |
25// +-----------------------------------------------------------------------+
26define('PHPWG_ROOT_PATH','./');
27include_once( PHPWG_ROOT_PATH.'include/common.inc.php' );
28
29check_status(ACCESS_GUEST);
30
31$username = !empty($_POST['username'])?$_POST['username']:$user['username'];
32$mail_address = !empty($_POST['mail_address'])?$_POST['mail_address']:@$user['mail_address'];
33$name = !empty($_POST['name'])?$_POST['name']:'';
34$author = !empty($_POST['author'])?$_POST['author']:'';
35$date_creation = !empty($_POST['date_creation'])?$_POST['date_creation']:'';
36$comment = !empty($_POST['comment'])?$_POST['comment']:'';
37
38//------------------------------------------------------------------- functions
39// The validate_upload function checks if the image of the given path is valid.
40// A picture is valid when :
41//     - width, height and filesize are not higher than the maximum
42//       filesize authorized by the administrator
43//     - the type of the picture is among jpg, gif and png
44// The function returns an array containing :
45//     - $result['type'] contains the type of the image ('jpg', 'gif' or 'png')
46//     - $result['error'] contains an array with the different errors
47//       found with the picture
48function validate_upload( $temp_name, $my_max_file_size,
49                          $image_max_width, $image_max_height )
50{
51  global $conf, $lang, $page, $mail_address;
52
53  $result = array();
54  $result['error'] = array();
55  //echo $_FILES['picture']['name']."<br />".$temp_name;
56  $extension = get_extension( $_FILES['picture']['name'] );
57  if (!in_array($extension, $conf['picture_ext']))
58  {
59    array_push( $result['error'], l10n('upload_advise_filetype') );
60    return $result;
61  }
62  if ( !isset( $_FILES['picture'] ) )
63  {
64    // do we even have a file?
65    array_push( $result['error'], "You did not upload anything!" );
66  }
67  else if ( $_FILES['picture']['size'] > $my_max_file_size * 1024 )
68  {
69    array_push( $result['error'],
70                l10n('upload_advise_filesize').$my_max_file_size.' KB' );
71  }
72  else
73  {
74    // check if we are allowed to upload this file_type
75    // upload de la photo sous un nom temporaire
76    if ( !move_uploaded_file( $_FILES['picture']['tmp_name'], $temp_name ) )
77    {
78      array_push( $result['error'], l10n('upload_cannot_upload') );
79    }
80    else
81    {
82      $size = getimagesize( $temp_name );
83      if ( isset( $image_max_width )
84           and $image_max_width != ""
85           and $size[0] > $image_max_width )
86      {
87        array_push( $result['error'],
88                    l10n('upload_advise_width').$image_max_width.' px' );
89      }
90      if ( isset( $image_max_height )
91           and $image_max_height != ""
92           and $size[1] > $image_max_height )
93      {
94        array_push( $result['error'],
95                    l10n('upload_advise_height').$image_max_height.' px' );
96      }
97      // $size[2] == 1 means GIF
98      // $size[2] == 2 means JPG
99      // $size[2] == 3 means PNG
100      switch ( $size[2] )
101      {
102      case 1 : $result['type'] = 'gif'; break;
103      case 2 : $result['type'] = 'jpg'; break;
104      case 3 : $result['type'] = 'png'; break;
105      default :
106        array_push( $result['error'], l10n('upload_advise_filetype') ); 
107      }
108    }
109  }
110  if ( sizeof( $result['error'] ) > 0 )
111  {
112    // destruction de l'image avec le nom temporaire
113    @unlink( $temp_name );
114  }
115  else
116  {
117    @chmod( $temp_name, 0644);
118  }
119
120  //------------------------------------------------------------ log informations
121  pwg_log();
122
123  return $result;
124}
125
126//-------------------------------------------------- access authorization check
127if (isset($_GET['cat']) and is_numeric($_GET['cat']))
128{
129  $page['category'] = $_GET['cat'];
130}
131
132if (isset($page['category']))
133{
134  check_restrictions( $page['category'] );
135  $category = get_cat_info( $page['category'] );
136  $category['cat_dir'] = get_complete_dir( $page['category'] );
137 
138  if (url_is_remote($category['cat_dir']) or !$category['uploadable'])
139  {
140    die('Fatal: you take a wrong way, bye bye');
141  }
142}
143else { // $page['category'] may be set by a futur plugin but without it
144  die('Fatal: you take a wrong way, bye bye');
145}
146
147$error = array();
148$page['upload_successful'] = false;
149if ( isset( $_GET['waiting_id'] ) )
150{
151  $page['waiting_id'] = $_GET['waiting_id'];
152}
153//-------------------------------------------------------------- picture upload
154// verfying fields
155if ( isset( $_POST['submit'] ) and !isset( $_GET['waiting_id'] ) )
156{
157  $path = $category['cat_dir'].$_FILES['picture']['name'];
158  if ( @is_file( $path ) )
159  {
160    array_push( $error, l10n('upload_file_exists') );
161  }
162  // test de la présence des champs obligatoires
163  if ( empty($_FILES['picture']['name']))
164  {
165    array_push( $error, l10n('upload_filenotfound') );
166  }
167  if ( !ereg( "([_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)+)",
168             $_POST['mail_address'] ) )
169  {
170    array_push( $error, l10n('reg_err_mail_address') );
171  }
172  if ( empty($_POST['username']) )
173  {
174    array_push( $error, l10n('upload_err_username') );
175  }
176 
177  $date_creation = '';
178  if ( !empty($_POST['date_creation']) )
179  {
180    list( $day,$month,$year ) = explode( '/', $_POST['date_creation'] );
181    // int checkdate ( int month, int day, int year)
182    if (checkdate($month, $day, $year))
183    {
184      $date_creation = $year.'-'.$month.'-'.$day;
185    }
186    else
187    {
188      array_push( $error, l10n('err_date') );
189    }
190  }
191  // creation of the "infos" field :
192  // <infos author="Pierrick LE GALL" comment="my comment"
193  //        date_creation="2004-08-14" name="" />
194  $xml_infos = '<infos';
195  $xml_infos.= encodeAttribute('author', $_POST['author']);
196  $xml_infos.= encodeAttribute('comment', $_POST['comment']);
197  $xml_infos.= encodeAttribute('date_creation', $date_creation);
198  $xml_infos.= encodeAttribute('name', $_POST['name']);
199  $xml_infos.= ' />';
200
201  if ( !preg_match( '/^[a-zA-Z0-9-_.]+$/', $_FILES['picture']['name'] ) )
202  {
203    array_push( $error, l10n('update_wrong_dirname') );
204  }
205 
206  if ( sizeof( $error ) == 0 )
207  {
208    $result = validate_upload( $path, $conf['upload_maxfilesize'],
209                               $conf['upload_maxwidth'],
210                               $conf['upload_maxheight']  );
211    for ( $j = 0; $j < sizeof( $result['error'] ); $j++ )
212    {
213      array_push( $error, $result['error'][$j] );
214    }
215  }
216
217  if ( sizeof( $error ) == 0 )
218  {
219    $query = 'insert into '.WAITING_TABLE;
220    $query.= ' (storage_category_id,file,username,mail_address,date,infos)';
221    $query.= ' values ';
222    $query.= '('.$page['category'].",'".$_FILES['picture']['name']."'";
223    $query.= ",'".htmlspecialchars( $_POST['username'], ENT_QUOTES)."'";
224    $query.= ",'".$_POST['mail_address']."',".time().",'".$xml_infos."')";
225    $query.= ';';
226    pwg_query( $query );
227    $page['waiting_id'] = mysql_insert_id();
228
229    if ($conf['email_admin_on_picture_uploaded'])
230    {
231      include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
232
233      $waiting_url = get_absolute_root_url().'admin.php?page=upload';
234
235      $keyargs_content = array
236      (
237        get_l10n_args('Category: %s', get_cat_display_name($category['upper_names'], null, false)),
238        get_l10n_args('Picture name: %s', $_FILES['picture']['name']),
239        get_l10n_args('User: %s', $_POST['username']),
240        get_l10n_args('Email: %s', $_POST['mail_address']),
241        get_l10n_args('Picture name: %s', $_POST['name']),
242        get_l10n_args('Author: %s', $_POST['author']),
243        get_l10n_args('Creation date: %s', $_POST['date_creation']),
244        get_l10n_args('Comment: %s', $_POST['comment']),
245        get_l10n_args('', ''),
246        get_l10n_args('Waiting page: %s', $waiting_url)
247      );
248
249      pwg_mail_notification_admins
250      (
251        get_l10n_args('Picture uploaded by %s', $_POST['username']),
252        $keyargs_content
253      );
254    }
255  }
256}
257
258//------------------------------------------------------------ thumbnail upload
259if ( isset( $_POST['submit'] ) and isset( $_GET['waiting_id'] ) )
260{
261  // upload of the thumbnail
262  $query = 'select file';
263  $query.= ' from '.WAITING_TABLE;
264  $query.= ' where id = '.$_GET['waiting_id'];
265  $query.= ';';
266  $result= pwg_query( $query );
267  $row = mysql_fetch_array( $result );
268  $file = substr ( $row['file'], 0, strrpos ( $row['file'], ".") );
269  $extension = get_extension( $_FILES['picture']['name'] );
270
271  if (($path = mkget_thumbnail_dir($category['cat_dir'], $error)) != false)
272  {
273    $path.= '/'.$conf['prefix_thumbnail'].$file.'.'.$extension;
274    $result = validate_upload( $path, $conf['upload_maxfilesize'],
275                               $conf['upload_maxwidth_thumbnail'],
276                               $conf['upload_maxheight_thumbnail']  );
277    for ( $j = 0; $j < sizeof( $result['error'] ); $j++ )
278    {
279      array_push( $error, $result['error'][$j] );
280    }
281  }
282
283  if ( sizeof( $error ) == 0 )
284  {
285    $query = 'update '.WAITING_TABLE;
286    $query.= " set tn_ext = '".$extension."'";
287    $query.= ' where id = '.$_GET['waiting_id'];
288    $query.= ';';
289    pwg_query( $query );
290    $page['upload_successful'] = true;
291  }
292}
293
294//
295// Start output of page
296//
297$title= l10n('upload_title');
298$page['body_id'] = 'theUploadPage';
299include(PHPWG_ROOT_PATH.'include/page_header.php');
300$template->set_filenames(array('upload'=>'upload.tpl'));
301
302$u_form = PHPWG_ROOT_PATH.'upload.php?cat='.$page['category'];
303if ( isset( $page['waiting_id'] ) )
304{
305$u_form.= '&amp;waiting_id='.$page['waiting_id'];
306}
307
308if ( isset( $page['waiting_id'] ) )
309{
310  $advise_title=l10n('upload_advise_thumbnail').$_FILES['picture']['name'];
311}
312else
313{
314  $advise_title = l10n('upload_advise');
315  $advise_title.= get_cat_display_name($category['upper_names']);
316}
317
318$template->assign_vars(
319  array(
320    'U_HOME' => make_index_url(),
321
322    'ADVISE_TITLE' => $advise_title,
323    'NAME' => $username,
324    'EMAIL' => $mail_address,
325    'NAME_IMG' => $name,
326    'AUTHOR_IMG' => $author,
327    'DATE_IMG' => $date_creation,
328    'COMMENT_IMG' => $comment,
329
330    'F_ACTION' => $u_form,
331
332    'U_RETURN' => make_index_url(array('category' => $category)),
333    )
334  );
335 
336if ( !$page['upload_successful'] )
337{
338  $template->assign_block_vars('upload_not_successful',array());
339//-------------------------------------------------------------- errors display
340if ( sizeof( $error ) != 0 )
341{
342  $template->assign_block_vars('upload_not_successful.errors',array());
343  for ( $i = 0; $i < sizeof( $error ); $i++ )
344  {
345    $template->assign_block_vars('upload_not_successful.errors.error',array('ERROR'=>$error[$i]));
346  }
347}
348
349//--------------------------------------------------------------------- advises
350  if ( !empty($conf['upload_maxfilesize']) )
351  {
352    $content = l10n('upload_advise_filesize');
353    $content.= $conf['upload_maxfilesize'].' KB';
354    $template->assign_block_vars('upload_not_successful.advise',array('ADVISE'=>$content));
355  }
356
357  if ( isset( $page['waiting_id'] ) )
358  {
359    if ( $conf['upload_maxwidth_thumbnail'] != '' )
360    {
361      $content = l10n('upload_advise_width');
362      $content.= $conf['upload_maxwidth_thumbnail'].' px';
363      $template->assign_block_vars('upload_not_successful.advise',array('ADVISE'=>$content));
364    }
365    if ( $conf['upload_maxheight_thumbnail'] != '' )
366    {
367      $content = l10n('upload_advise_height');
368      $content.= $conf['upload_maxheight_thumbnail'].' px';
369      $template->assign_block_vars('upload_not_successful.advise',array('ADVISE'=>$content));
370    }
371  }
372  else
373  {
374    if ( $conf['upload_maxwidth'] != '' )
375    {
376      $content = l10n('upload_advise_width');
377      $content.= $conf['upload_maxwidth'].' px';
378      $template->assign_block_vars('upload_not_successful.advise',array('ADVISE'=>$content));
379    }
380    if ( $conf['upload_maxheight'] != '' )
381    {
382      $content = l10n('upload_advise_height');
383      $content.= $conf['upload_maxheight'].' px';
384      $template->assign_block_vars('upload_not_successful.advise',array('ADVISE'=>$content));
385    }
386  }
387  $template->assign_block_vars('upload_not_successful.advise',array('ADVISE'=>l10n('upload_advise_filetype')));
388 
389//----------------------------------------- optionnal username and mail address
390  if ( !isset( $page['waiting_id'] ) )
391  {
392    $template->assign_block_vars('upload_not_successful.fields',array());
393    $template->assign_block_vars('note',array());
394  }
395}
396else
397{
398  $template->assign_block_vars('upload_successful',array());
399}
400
401//----------------------------------------------------------- html code display
402$template->parse('upload');
403include(PHPWG_ROOT_PATH.'include/page_tail.php');
404?>
Note: See TracBrowser for help on using the repository browser.