I'm gonna use pseudo code in some parts of the code, hopefully you'll be able to understand:

    $CONF_AVATAR_MAX_FILE_SIZE = 102400; // placeholder limit in bytes ("whatever" in the original post)

    // MIME types accepted for avatars, compared against the type reported in $_FILES
    $arr_allowed = array(
        'image/x-png',
        'image/jpeg',
        'image/pjpeg'
    );

    if (isset($_FILES['file_avatar'])) {
        if (in_array($_FILES['file_avatar']['type'], $arr_allowed)) {
            $random_name = md5(uniqid());
            ///EDITED, It was an important missing line
            $extension = '.BAD';
            // extension of the original file name (pseudocode "file_extension" in the original post)
            $file_extension = pathinfo($_FILES['file_avatar']['name'], PATHINFO_EXTENSION);
            switch ($file_extension) {
                case 'jpg':
                    $extension = '.jpg';
                    break;
                case 'png':
                    $extension = '.png';
                    break;
            }
            $filenamefordatabase = $random_name . $extension;
            // UPLOAD_PATH is a constant defined elsewhere in the application
            $uploadfile = UPLOAD_PATH . $random_name . $extension;
            if ($_FILES['file_avatar']['size'] < $CONF_AVATAR_MAX_FILE_SIZE) {
                if (move_uploaded_file($_FILES['file_avatar']['tmp_name'], $uploadfile)) {
                    ///file uploaded
                }
            }
        }
    }

My main concern is not allowing some bad guy to execute his own PHP code on my server. Do you think it's enough just renaming the file? (after having checked its size and type of course).
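
One way to tighten the checks in the post above, as an added example that is not the poster's code: the type is detected from the file contents instead of being read from `$_FILES['file_avatar']['type']`, and the stored extension comes from a server-side map rather than the uploaded name. `store_avatar()` and the 102400-byte limit are hypothetical; `UPLOAD_PATH` is assumed to be defined elsewhere, as in the post.

```php
<?php
// Added example, not the poster's code. store_avatar() and the size limit
// are hypothetical; UPLOAD_PATH and 'file_avatar' are taken from the post.

function store_avatar(array $file, string $uploadDir, int $maxBytes): ?string
{
    // Reject failed or partial uploads before touching the file.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only accept a temp file that PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Size of the file as it was actually received.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return null;
    }
    // Detect the type from the file contents. $file['type'] is sent by the
    // client and can be set to anything, so it is not consulted here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);

    // The stored extension comes from this server-side map, never from the
    // uploaded file name, so the result can only end in .jpg or .png.
    $extensions = array(
        'image/jpeg' => '.jpg',
        'image/png'  => '.png',
    );
    if (!isset($extensions[$mime])) {
        return null;
    }
    // Second check: the file must also parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Unpredictable name with no user-controlled part.
    $name = bin2hex(random_bytes(16)) . $extensions[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

if (isset($_FILES['file_avatar'])) {
    // null means the upload was rejected; otherwise the name to store in the database
    $filenamefordatabase = store_avatar($_FILES['file_avatar'], UPLOAD_PATH, 102400);
}
```

A file that parses as an image can still carry arbitrary bytes, so these checks work best when the upload directory is one where the web server is configured not to run PHP.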