Hi!

I got this image uploading script for my website, but i don't know if it's gonna work or not. I just wanted to ask if someone could take a look at it, and tell me if the code looks okay and ready to go. Thx in advance.

<?php

include 'db_connect.php';
$uploadSubmit = mysql_real_escape_string($_POST['imageSubmit']);

if ($uploadSubmit)
{
	if ($_FILES['image'])
	{
		$contents = file_get_contents($_FILES['image']['tmp_name']);
		
		if (stristr($contents, "<?php") || stristr($contents, "system(") || stristr($contents, "exec(") ||
		stristr($contents, "mysql") || stristr($contents, "include(") || stristr($contents, "require(") ||
		stristr($contents, "include_once(") || stristr($contents, "require_once(") || stristr($contents, "echo'") || stristr($contents, 'echo"'))
		{
			echo 'Are you really trying to hack this site? Enjoy your upload b&.';
			$sql = "INSERT INTO banned (ip) VALUES ('".$_SERVER['REMOTE_ADDR']."')";
			$result = mysql_query($sql) or trigger_error(mysql_error()."".$sql);
			die();
		}
	}
	
	else
	{
		$sql = "SELECT * FROM banned WHERE ip='".$_SERVER['REMOTE_ADDR']."'";
		$result = mysql_query($sql) or trigger_error(mysql_error()."".$sql);
		$num_rows = mysql_fetch_row($result);
		
		if ($num_rows[0] == 0)
		{
			function getExtension($str)
			{
				$i = strrpos($str,".");
				
				if (!$i)
				{
					return "";
				}
				
				$I = strlen($str) - $i;
				$ext = substr($str,$i+1,$I);
				return $ext;
			}
			
			define ("MAX_SIZE","5000");
			$error = 0;
			$file = $_FILES['image']['name'];
			
			if ($file == '')
			{
				echo 'You didn\'t select an image to upload.';
				$error = 1;
			}
			
			else
			{
				$filename = stripslashes($file);
				$extension = getExtension($filename);
				$extension = strtolower($extension);
				
				if (($extension != 'jpg') && ($extension != 'jpeg') && ($extension != 'png'))
				{
					echo 'Only JPG, JPEG and PNG are allowed image types.';
					$error = 1;
				}
				
				else
				{
					$size = filesize($_FILES['image']['tmp_name']);
					
					if ($size > MAX_SIZE*1024)
					{
						echo 'The max allowed filesize is 5MB.';
						$error = 1;
					}
					
					$time = time();
					$newImageName = 'wally-'.$time.'.'.$extension.'';
					$imageFullPath = 'images/'.$newImageName.'';
					
					if (!$errors)
					{
						if (!move_uploaded_file($_FILES['image']['tmp_name'], $imageFullPath))
						{
							$error = 1;
						}
					}
					
					if ($uploadSubmit && !$error)
					{
						include 'class.imageResizer.php';
						$work = new ImgResizer($imageFullPath);
						$work -> resize(125, "thumbs/".$newImageName."");
						
						$uploader = $_SESSION['username'];
						$sql = "INSERT INTO images (image, uploader, validated) VALUES ('$newImageName','$uploader','0')";
						$result = mysql_query($sql) or trigger_error(mysql_error()."".$sql);
						
						echo 'Your image has been uploaded and awaiting validation.';
						echo 'The page will redirect in 2 seconds.';
						echo '<meta http-equiv="Refresh" content="2;url=http://www.wallpapers.puffys.net">';
						
					}
				}
			}
		}
		
		else
		{
			die("You are banned from uploading.");
		}
	}
}

?>
Member Avatar
diafol

I got this image uploading script for my website, but i don't know if it's gonna work or not.

So you haven't tried it?

Just tried it, and i get "You didn't select an image to upload.".

Member Avatar
diafol

Is this your code? If not try the Configuring Ready Made Scripts forum or the site from where you got it.