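hostName = $hostName;
$clsMySQL->dbName  = $databaseName;
$clsMySQL->usrName = $databaseUser;
$clsMySQL->usrPwd  = $databasePw;
$clsMySQL->isUTF8  = true;
$clsMySQL->connDB();

// Admin-only image upload endpoint (SWFUpload style: the file arrives as
// $_FILES['Filedata'], results are reported as plain text, and an HTTP 500
// is what the client maps to its uploadError event).
//
// The session is already populated when this chunk runs (it is read right
// here), so it was started earlier in the bootstrap; the login check is the
// first thing we do and nothing below executes for an anonymous request.
if (empty($_SESSION[$strSesName.'_ADMIN'])) {
    echo 'You Login Session is expired';
    exit;
}
$ADMIN     = $_SESSION[$strSesName.'_ADMIN'];
$adminname = $ADMIN['usr_login_name'];
$adminlv   = $ADMIN['usr_lv'];
$adminid   = $ADMIN['usr_id'];

// NOTE(review): the previous "Session Cookie workaround" that called
// session_id() with a PHPSESSID taken from $_POST/$_GET has been removed.
// The session is already active at this point, so session_id() could not
// change it (PHP refuses to change the id of an active session), and letting
// the request pick its own session id is a session-fixation vector. If the
// Flash client genuinely has to pass the id because it cannot send cookies,
// do that in the bootstrap *before* session_start(), validated against the
// session-id character set — never here.
// NOTE(review): no CSRF token is checked in this chunk — confirm the bootstrap does.

// Reject oversized POST bodies up front: when the body exceeds post_max_size
// PHP discards it and $_FILES arrives empty, so the later checks would
// produce a misleading error. (http://us3.php.net/manual/en/features.file-upload.php#73762)
$POST_MAX_SIZE = ini_get('post_max_size');
$unit = strtoupper(substr($POST_MAX_SIZE, -1));
switch ($unit) {
    case 'G': $multiplier = 1073741824; break;
    case 'M': $multiplier = 1048576;    break;
    case 'K': $multiplier = 1024;       break;
    default:  $multiplier = 1;
}
$content_length = isset($_SERVER['CONTENT_LENGTH']) ? (int)$_SERVER['CONTENT_LENGTH'] : 0;
if ($POST_MAX_SIZE && $content_length > $multiplier * (int)$POST_MAX_SIZE) {
    header("HTTP/1.1 500 Internal Server Error"); // This will trigger an uploadError event in SWFUpload
    echo "POST exceeded maximum allowed size.";
    exit(0);
}

// Settings.
// Files land in a month-stamped folder under attachment/. The directory is
// created 0755 (it used to be 0777 plus an explicit chmod): the PHP process
// creates and therefore owns it, so it does not need to be world-writable for
// the writes below, and a world-writable, web-served upload root is an easy
// target for anything else running on the host. mkdir() is recursive so a
// missing attachment/ parent does not turn into a confusing save failure.
$save_path = "../../attachment/".date('Y').'-'.date('m').'/';
if (!is_dir($save_path) && !@mkdir($save_path, 0755, true) && !is_dir($save_path)) {
    HandleError("File could not be saved.");
    exit(0);
}
$upload_name = "Filedata";
$max_file_size_in_bytes = 6291456; // 6MB in bytes

// Extension allowlist. This list was declared but commented out in the
// previous revision, which left the endpoint accepting *any* extension —
// .php/.phtml included — into a web-served directory, i.e. code execution for
// anyone holding an admin session. "jpeg" is added to the original jpg/gif/png
// only because it is the same format. Everything accepted here is also
// content-checked with getimagesize() below, so only raster image types belong
// in this list; extend it deliberately.
$extension_whitelist = array("jpg", "jpeg", "gif", "png");

// The stored file name is generated server-side (timestamp + random string +
// validated extension), so the client-supplied name never reaches the
// filesystem; it is only recorded, escaped, in the attachment row.
$file_name = "";
$file_extension = "";

// $_FILES[...]['error'] codes (UPLOAD_ERR_*) mapped to the text sent back to the client.
$uploadErrors = array(
    0 => "There is no error, the file uploaded with success",
    1 => "The uploaded file exceeds the upload_max_filesize directive in php.ini",
    2 => "The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form",
    3 => "The uploaded file was only partially uploaded",
    4 => "No file was uploaded",
    6 => "Missing a temporary folder",
    7 => "Failed to write file to disk",
    8 => "A PHP extension stopped the file upload",
);

// Validate the upload.
if (!isset($_FILES[$upload_name])) {
    HandleError("No upload found in \$_FILES for " . $upload_name);
    exit(0);
}
if (isset($_FILES[$upload_name]["error"]) && $_FILES[$upload_name]["error"] != 0) {
    $code = $_FILES[$upload_name]["error"];
    HandleError(isset($uploadErrors[$code]) ? $uploadErrors[$code] : "Unknown upload error");
    exit(0);
}
if (!isset($_FILES[$upload_name]["tmp_name"]) || !@is_uploaded_file($_FILES[$upload_name]["tmp_name"])) {
    HandleError("Upload failed is_uploaded_file test.");
    exit(0);
}
if (!isset($_FILES[$upload_name]['name'])) {
    HandleError("File has no name.");
    exit(0);
}
$tmp_name = $_FILES[$upload_name]["tmp_name"];

// Validate the file size (Warning: the largest files supported by this code is 2GB).
// filesize() returning false (unreadable temp file) is treated as a failure too.
// The lower-bound check used to be unreachable because the first test already
// rejected a size of 0; ordering it this way makes both messages reachable.
$file_size = @filesize($tmp_name);
if ($file_size === false || $file_size > $max_file_size_in_bytes) {
    HandleError("File exceeds the maximum allowed size");
    exit(0);
}
if ($file_size <= 0) {
    HandleError("File size outside allowed lower bound");
    exit(0);
}

// Validate the extension against the allowlist. It is lower-cased so that
// "JPG" and "jpg" are stored and served uniformly (and so the allowlist
// cannot be bypassed by case alone).
$path_info = pathinfo($_FILES[$upload_name]['name']);
$file_extension = isset($path_info["extension"]) ? strtolower($path_info["extension"]) : '';
if (!in_array($file_extension, $extension_whitelist, true)) {
    HandleError("Invalid file extension");
    exit(0);
}

// The extension is client-controlled; confirm the bytes really are an image
// before anything is written under the web root. The dimensions stored in the
// DB are still taken from the saved file after the optional 'original' resize,
// as before.
if (@getimagesize($tmp_name) === false) {
    HandleError("File is not a valid image");
    exit(0);
}

$file_name = time().genRandomString(5,1,1,1).'.'.$file_extension;

// Validate that we won't over-write an existing file.
if (file_exists($save_path . $file_name)) {
    HandleError("File with this name already exists");
    exit(0);
}

// Optional resize specs: "name,maxWidth,maxHeight;name,maxWidth,maxHeight;...".
// 'original' resizes the uploaded temp file in place; any other name writes a
// copy to <save_path>/<name>/<name>_<file>. The name becomes a directory
// component, so it is restricted to lowercase letters (non-empty — the old
// pattern also matched "" — and anchored with /D so a trailing newline cannot
// slip past $).
$resized = '';
if (!empty($_POST['resize']) && is_string($_POST['resize'])) {
    foreach (explode(';', $_POST['resize']) as $spec) {
        $parts = explode(',', $spec);
        if (count($parts) !== 3) {
            continue; // malformed entry: skipped, as the old code effectively did
        }
        list($resizeName, $maxWidth, $maxHeight) = $parts;
        if (!preg_match('/^[a-z]+$/D', $resizeName) || !is_numeric($maxWidth) || !is_numeric($maxHeight)) {
            continue;
        }
        $maxWidth  = (int)$maxWidth;
        $maxHeight = (int)$maxHeight;
        if ($resizeName === 'original') {
            ResizeImg($tmp_name, $tmp_name, $maxWidth, $maxHeight);
            continue;
        }
        $resize_save_path = $save_path.$resizeName.'/';
        if (!is_dir($resize_save_path) && !@mkdir($resize_save_path, 0755, true) && !is_dir($resize_save_path)) {
            HandleError("File could not be saved.");
            exit(0);
        }
        ResizeImg($tmp_name, $resize_save_path.$resizeName.'_'.$file_name, $maxWidth, $maxHeight);
        $resized .= ($resized !== '' ? ',' : '').$resizeName;
    }
}

if (!move_uploaded_file($tmp_name, $save_path.$file_name)) {
    HandleError("File could not be saved.");
    exit(0);
}

// Request parameters that end up in SQL. Every one of them is passed through
// fBoxSQL(), the escaping helper this file already applied to a_name; the old
// code interpolated ref_type, id and upload_id raw, which is a straightforward
// SQL injection for anyone with an admin session.
// NOTE(review): fBoxSQL() is assumed to escape for the live connection
// (isUTF8 is set above) — confirm it wraps mysqli_real_escape_string or
// equivalent rather than addslashes().
// NOTE(review): the old code read $_POST[id] with a bare constant, which PHP
// resolved to the string 'id' (with a notice; a fatal error on PHP 8) — unless
// a constant named `id` is defined elsewhere in the project, in which case the
// key changes here. Confirm.
$ref_type  = (isset($_POST['ref_type'])  && is_string($_POST['ref_type']))  ? $_POST['ref_type']  : '';
$ref_id    = (isset($_POST['id'])        && is_string($_POST['id']))        ? $_POST['id']        : '';
$upload_id = (isset($_POST['upload_id']) && is_string($_POST['upload_id'])) ? $_POST['upload_id'] : '';
// Same truthiness the old condition used: '' and '0' mean "no product id".
$is_cover  = ($ref_type === 'prd_cover' && $ref_id !== '' && $ref_id !== '0');

if ($is_cover) {
    // Demote the previous cover so only one row per product keeps a_ref_type='prd_cover'.
    $clsMySQL->execQuery(
        "UPDATE attachment SET a_ref_type='prd_cover_old'"
        ." WHERE a_ref_type='".fBoxSQL($ref_type)."' AND a_ref_id='".fBoxSQL($ref_id)."'"
    );
}

// Dimensions of what was actually saved (after an 'original' resize, if any).
$dims   = @getimagesize($save_path.$file_name);
$width  = $dims ? (int)$dims[0] : 0;
$height = $dims ? (int)$dims[1] : 0;

// $file_extension is allowlisted and $resized is built only from /^[a-z]+$/
// names, so neither can carry a quote; the numeric fields are cast.
$clsMySQL->execQuery(
    "INSERT INTO attachment SET"
    ." a_crt_ip='".fBoxSQL($_SERVER['REMOTE_ADDR'])."',"
    ." a_crt_usr_id='".fBoxSQL($adminid)."',"
    ." a_ref_type='".fBoxSQL($ref_type)."',"
    .($is_cover ? " a_ref_id='".fBoxSQL($ref_id)."'," : '')
    ." a_name='".fBoxSQL($_FILES[$upload_name]['name'])."',"
    ." a_title='".fBoxSQL($upload_id)."',"
    ." a_path='".str_replace('../','',$save_path).$file_name."',"
    ." a_file_type='".$file_extension."',"
    ." a_file_size='".(int)$_FILES[$upload_name]['size']."',"
    ." a_width='".$width."',"
    ." a_height='".$height."',"
    ." a_resize='".$resized."' "
);
echo 'Upload Success';
exit(0);

/**
 * Handles the error output. The message is echoed as the response body; SWFUpload
 * delivers it to the uploadSuccess event handler, which has to inspect the text and
 * react as needed. Output only — callers exit() afterwards. Only server-constant
 * strings are passed in, so nothing client-controlled is echoed here.
 */
function HandleError($message) {
    echo $message;
}
?>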