Page 1 of 1

Help with image uploader

Posted: Sat Jul 11, 2009 11:55 pm
by teh1337ex
alright, i'm almost done with my image hosting script, i just wanted some help securing it.

Here is my source:

Upload form

Code: Select all

<html>
<head>
<style type="text/css">
body
{ 
background-image:url('http://treatspin.com/imageuploader/upload/33.gif');
background-repeat:repeat;
background-attachment:fixed;
background-position:center; 
}
</style>
</head>
 
<body>
<form enctype="multipart/form-data" action="upload.php" method="POST">
<input name="uploaded" style="padding:10px; width:200px; font-size:20px; font-weight:bold;" type="file" style=  /><br />
<input type="submit" value="Upload" />
</form> 
</body>
</html>
Actual uploading script:

Code: Select all

<html>
<head>
<style type="text/css">
body
{ 
background-image:url('http://treatspin.com/imageuploader/upload/33.gif');
background-repeat:repeat;
background-attachment:fixed;
background-position:center; 
}
</style>
</head>
<body>
<?php
//Find Extension of File
function findexts ($filename)
    {
    $filename = strtolower($filename) ;
    $exts = split("[/\\.]", $filename) ;
    $n = count($exts)-1;
    $exts = $exts[$n];
    return $exts;
    } 
 
$Query = TRUE;      
$MySQLServer = "sup";
$MySQLUsername = "wut";
$MySQLPassword = "yah";
$MySQLQuery = mysql_connect($MySQLServer,$MySQLUsername,$MySQLPassword);
if (!$MySQLQuery)
    {
    echo "ERROR: Could not connect to Database";
    die;
    }
$result = mysql_query("INSERT INTO teh1337_imageuploads.uploads (`id`) VALUES (NULL);");
if (!$result)
    {
    echo "Database error -- Couldn't get insertion ID";
    }
    $ran = mysql_insert_id($MySQLQuery);
mysql_close($MySQLQuery);
 
 
define("ALL_LOWERCASE", true);
$target = "upload/";
$target = $target . basename( $_FILES['uploaded']['name']) ;
$ok=1;
$max_filesize = 6000000;
$ext = findexts ($_FILES['uploaded']['name']) ; 
$ran2 = $ran.".";
$target = "upload/";
$target = $target . $ran2.$ext; 
 
 
 
 
//Perform initial Checks, and return error where needed.
if (($_FILES["uploaded"]["type"] == "image/gif") or ($_FILES["uploaded"]["type"] == "image/jpeg") or ($_FILES["uploaded"]["type"] == "image/png") or ($_FILES["uploaded"]["type"] == "image/pjpeg"))
    {
    if(filesize($_FILES['uploaded']['tmp_name']) > $max_filesize)
        {
        //Size Error
        echo "Sorry, there is an image size limit of 5.5 MB. Please resize your image and try again.";
        }
    else
        {
        if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
            {
            echo "The file has been uploaded ".$ran2.$ext . "<br /><br />
            
            <img src='upload/" . $ran2 . $ext . "' />
            
            <br /><br />
            
            <table width='50%'>
                <tr>
                    <td>BBCode:</td>
                    <td><input type='text' value='[img]http://treatspin.com/imageuploader/upload/"%20.%20$ran2%20.%20$ext%20.%20"[/img]' /></td>
                </tr>
                <tr>
                    <td>HTML:</td>
                    <td><input type='text' value='<img src="http://treatspin.com/imageuploader/upload/" . $ran2 . $ext . "" />' /></td>
                </tr>
                <tr>
                    <td>Direct Link:</td>
                    <td><input type='text' value='http://treatspin.com/imageuploader/upload/" . $ran2 . $ext . "' /></td>
                </tr>
            </table>";
            }
        else
            {
            echo "Sorry, there was an unknown error that occured while uploading your file. Please try again.";
            }
        }
    }
else
    {
    //MIME Error
    echo "Sorry, Treatspin cannot accept the file you're trying to upload. Supported Images are GIF, JPEG, and PNG.<br />Please note that IE has a technical issue that prevents uploads of PNG files.";
    }
?>
</body>
</html>