
Hi!

I got this image uploading script for my website, but I don't know if it's going to work or not. I just wanted to ask if someone could take a look at it and tell me whether the code looks okay and ready to go. Thanks in advance.

<?php

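include 'db_connect.php';

/*
 * Image upload handler.
 *
 * Flow for a POST carrying the imageSubmit button:
 *   1. refuse the request if the client IP is in `banned`;
 *   2. require a complete upload in $_FILES['image'];
 *   3. scan the bytes with the legacy script-marker denylist (ban + stop on hit);
 *   4. accept only .jpg/.jpeg/.png, at most MAX_SIZE KiB, and only if the
 *      bytes really decode as a JPEG/PNG (getimagesize);
 *   5. move the file to images/, build a thumbnail, record it in `images`
 *      as not yet validated.
 *
 * NOTE(review): this file relies on the mysql_* extension (removed in PHP 7);
 * db_connect.php is assumed to open that legacy connection. Porting the three
 * queries to mysqli/PDO prepared statements would remove the manual escaping
 * below — confirm what db_connect.php provides before doing so.
 */

/**
 * Return the text after the last "." in $str.
 *
 * Returns "" when there is no dot, or when the only dot is the first character
 * (so ".htaccess" has no extension here) — same contract as the original helper.
 *
 * @param string $str client-supplied file name
 * @return string extension without the dot; case is not changed
 */
function getExtension($str)
{
    $dot = strrpos($str, '.');
    if ($dot === false || $dot === 0) {
        return '';
    }

    return substr($str, $dot + 1);
}

/**
 * Legacy denylist: true when the raw upload bytes contain any of the markers
 * the original script treated as a web-shell attempt.
 *
 * Matching is case-insensitive over raw bytes, so a legitimate binary image can
 * hit a short marker such as "mysql" by accident; the getimagesize() check in
 * the main flow is the reliable "is this really an image" test. Kept because
 * the ban-on-hit behaviour is part of the site's existing policy.
 *
 * @param string $contents whole file contents
 * @return bool
 */
function looksLikeScript($contents)
{
    $markers = array(
        '<?php', 'system(', 'exec(', 'mysql', 'include(', 'require(',
        'include_once(', 'require_once(', "echo'", 'echo"',
    );
    foreach ($markers as $marker) {
        if (stristr($contents, $marker) !== false) {
            return true;
        }
    }

    return false;
}

// Upload limit in KiB; 5000 KiB is the "5MB" quoted in the user message below.
define('MAX_SIZE', 5000);

// The submit button's value only gates the handler and never reaches SQL, so
// escaping it (as the original did) bought nothing. Missing key => no-op.
$uploadSubmit = isset($_POST['imageSubmit']) ? $_POST['imageSubmit'] : '';

if ($uploadSubmit) {
    // REMOTE_ADDR is used in two queries below; escape it once, here.
    $ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);

    // The ban check now runs for every submission. In the original it sat in the
    // else-branch of `if ($_FILES['image'])`, so it only ran when no file was
    // sent — and, since the whole upload path lived in that same branch, an
    // actual upload was never processed at all.
    $sql = "SELECT * FROM banned WHERE ip='" . $ip . "'";
    $result = mysql_query($sql) or trigger_error(mysql_error() . "" . $sql);
    if (mysql_fetch_row($result)) {
        die("You are banned from uploading.");
    }

    $error = 0;
    $upload = isset($_FILES['image']) ? $_FILES['image'] : null;
    $file = ($upload !== null && isset($upload['name'])) ? $upload['name'] : '';

    if ($file === '') {
        echo 'You didn\'t select an image to upload.';
        $error = 1;
    } elseif ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        // Partial uploads and files PHP already rejected (upload_max_filesize)
        // arrive with an empty tmp_name; reading it below would be a mistake.
        echo 'The upload did not complete; please try again.';
        $error = 1;
    }

    if (!$error) {
        $contents = file_get_contents($upload['tmp_name']);
        if ($contents !== false && looksLikeScript($contents)) {
            echo 'Are you really trying to hack this site? Enjoy your upload b&.';
            $sql = "INSERT INTO banned (ip) VALUES ('" . $ip . "')";
            $result = mysql_query($sql) or trigger_error(mysql_error() . "" . $sql);
            die();
        }
    }

    if (!$error) {
        $filename = stripslashes($file);
        $extension = strtolower(getExtension($filename));
        if (!in_array($extension, array('jpg', 'jpeg', 'png'), true)) {
            echo 'Only JPG, JPEG and PNG are allowed image types.';
            $error = 1;
        }
    }

    if (!$error) {
        $size = filesize($upload['tmp_name']);
        if ($size > MAX_SIZE * 1024) {
            echo 'The max allowed filesize is 5MB.';
            $error = 1;
        }
    }

    if (!$error) {
        // The extension is chosen by the client; confirm the bytes decode as an
        // image of an allowed type before the file is placed under the web root.
        $info = getimagesize($upload['tmp_name']);
        if ($info === false || !in_array($info['mime'], array('image/jpeg', 'image/png'), true)) {
            echo 'Only JPG, JPEG and PNG are allowed image types.';
            $error = 1;
        }
    }

    if (!$error) {
        $time = time();
        $newImageName = 'wally-' . $time . '.' . $extension;
        $imageFullPath = 'images/' . $newImageName;
        // Two uploads in the same second would otherwise overwrite each other.
        for ($n = 1; file_exists($imageFullPath); $n++) {
            $newImageName = 'wally-' . $time . '-' . $n . '.' . $extension;
            $imageFullPath = 'images/' . $newImageName;
        }

        // The original tested `$errors` (undefined) here, so the move always ran;
        // it also set the flag silently on failure, leaving the user with no message.
        if (!move_uploaded_file($upload['tmp_name'], $imageFullPath)) {
            echo 'The image could not be stored; please try again.';
            $error = 1;
        }
    }

    if (!$error) {
        include 'class.imageResizer.php';
        $work = new ImgResizer($imageFullPath);
        $work->resize(125, 'thumbs/' . $newImageName);

        // NOTE(review): assumes session_start() already ran (db_connect.php?) —
        // confirm; otherwise $_SESSION is empty and uploader is stored as ''.
        $uploader = isset($_SESSION['username']) ? $_SESSION['username'] : '';
        $uploader = mysql_real_escape_string($uploader);
        $newImageNameSql = mysql_real_escape_string($newImageName);
        $sql = "INSERT INTO images (image, uploader, validated) VALUES ('$newImageNameSql','$uploader','0')";
        $result = mysql_query($sql) or trigger_error(mysql_error() . "" . $sql);

        echo 'Your image has been uploaded and awaiting validation.';
        echo 'The page will redirect in 2 seconds.';
        echo '<meta http-equiv="Refresh" content="2;url=http://www.wallpapers.puffys.net">';
    }
}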

?>

I got this image uploading script for my website, but i don't know if it's gonna work or not.

So you haven't tried it?



Is this your code? If not, try the Configuring Ready Made Scripts forum or the site you got it from.

