Member Avatar for kaizokupuffball

Hi!

I got this image uploading script for my website, but i don't know if it's gonna work or not. I just wanted to ask if someone could take a look at it, and tell me if the code looks okay and ready to go. Thx in advance.

<?php

include 'db_connect.php';
$uploadSubmit = mysql_real_escape_string($_POST['imageSubmit']);

if ($uploadSubmit)
{
	if ($_FILES['image'])
	{
		$contents = file_get_contents($_FILES['image']['tmp_name']);
		
		if (stristr($contents, "<?php") || stristr($contents, "system(") || stristr($contents, "exec(") ||
		stristr($contents, "mysql") || stristr($contents, "include(") || stristr($contents, "require(") ||
		stristr($contents, "include_once(") || stristr($contents, "require_once(") || stristr($contents, "echo'") || stristr($contents, 'echo"'))
		{
			echo 'Are you really trying to hack this site? Enjoy your upload b&.';
			$sql = "INSERT INTO banned (ip) VALUES ('".$_SERVER['REMOTE_ADDR']."')";
			$result = mysql_query($sql) or trigger_error(mysql_error()."".$sql);
			die();
		}
	}
	
	else
	{
		$sql = "SELECT * FROM banned WHERE ip='".$_SERVER['REMOTE_ADDR']."'";
		$result = mysql_query($sql) or trigger_error(mysql_error()."".$sql);
		$num_rows = mysql_fetch_row($result);
		
		if ($num_rows[0] == 0)
		{
			function getExtension($str)
			{
				$i = strrpos($str,".");
				
				if (!$i)
				{
					return "";
				}
				
				$I = strlen($str) - $i;
				$ext = substr($str,$i+1,$I);
				return $ext;
			}
			
			define ("MAX_SIZE","5000");
			$error = 0;
			$file = $_FILES['image']['name'];
			
			if ($file == '')
			{
				echo 'You didn\'t select an image to upload.';
				$error = 1;
			}
			
			else
			{
				$filename = stripslashes($file);
				$extension = getExtension($filename);
				$extension = strtolower($extension);
				
				if (($extension != 'jpg') && ($extension != 'jpeg') && ($extension != 'png'))
				{
					echo 'Only JPG, JPEG and PNG are allowed image types.';
					$error = 1;
				}
				
				else
				{
					$size = filesize($_FILES['image']['tmp_name']);
					
					if ($size > MAX_SIZE*1024)
					{
						echo 'The max allowed filesize is 5MB.';
						$error = 1;
					}
					
					$time = time();
					$newImageName = 'wally-'.$time.'.'.$extension.'';
					$imageFullPath = 'images/'.$newImageName.'';
					
					if (!$errors)
					{
						if (!move_uploaded_file($_FILES['image']['tmp_name'], $imageFullPath))
						{
							$error = 1;
						}
					}
					
					if ($uploadSubmit && !$error)
					{
						include 'class.imageResizer.php';
						$work = new ImgResizer($imageFullPath);
						$work -> resize(125, "thumbs/".$newImageName."");
						
						$uploader = $_SESSION['username'];
						$sql = "INSERT INTO images (image, uploader, validated) VALUES ('$newImageName','$uploader','0')";
						$result = mysql_query($sql) or trigger_error(mysql_error()."".$sql);
						
						echo 'Your image has been uploaded and awaiting validation.';
						echo 'The page will redirect in 2 seconds.';
						echo '<meta http-equiv="Refresh" content="2;url=http://www.wallpapers.puffys.net">';
						
					}
				}
			}
		}
		
		else
		{
			die("You are banned from uploading.");
		}
	}
}

?>
  • 2 Contributors
  • 3 Replies
  • 139 Views
  • 6 Hours Discussion Span
  • Latest Post Latest Post by diafol

Recommended Answers

All 3 Replies

Member Avatar for diafol

I got this image uploading script for my website, but i don't know if it's gonna work or not.

So you haven't tried it?

Edited by diafol because: n/a
Member Avatar for kaizokupuffball

Just tried it, and i get "You didn't select an image to upload.".

Member Avatar for diafol

Is this your code? If not try the Configuring Ready Made Scripts forum or the site from where you got it.

Edited by diafol because: n/a
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.