<?php
// Livingstone +255 687 949 808
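function upload ($file = null, $uploadFolder = null) : string {
    // Store one HTTP-POST uploaded file ($_FILES entry) in $uploadFolder and return the
    // file name it was saved under, or "" on any validation failure or I/O error.
    //
    // $file          one entry of the $_FILES superglobal (keys: name, tmp_name, error, size)
    // $uploadFolder  destination folder. Leading "." / "/" / "\" are stripped, so the folder is
    //                always relative to the current working directory; it is created
    //                (recursively) when missing. Empty/null means "current working directory".
    //                Treated as untrusted: traversal segments ("..") are rejected.
    //
    // Security notes for callers:
    //  - $file["name"] is fully client-controlled (a crafted multipart body can send any bytes,
    //    including "../"), so it is reduced to a single path component before use.
    //  - Only the LAST extension is checked against the allow-list, so "shell.php.jpg" passes.
    //    Do not serve the upload folder with a handler that executes scripts, or keep uploads
    //    outside the document root. File content is additionally sniffed (fileinfo) when available.
    //  - PDFs are allowed and may carry active content (JavaScript); serve them with
    //    Content-Disposition: attachment if they are re-served to browsers.

    // Must be a $_FILES entry (non-empty array)
    if (empty($file) || !is_array($file)) {
        return "";
    }
    // "error" must be present and be UPLOAD_ERR_OK (0); any other code is a failed upload
    if (!isset($file["error"]) || $file["error"]) {
        return "";
    }
    // The temporary file must have been created by PHP for this request. This is the only check
    // that stops a caller from pointing the function at an arbitrary existing path.
    if (empty($file["tmp_name"]) || !is_uploaded_file($file["tmp_name"])) {
        return "";
    }

    // Reduce the client-supplied name to a single path component (path-traversal fix: the
    // original only trimmed the ends, so "a/../../x.jpg" reached move_uploaded_file intact).
    // basename() ignores "\" on non-Windows hosts, hence the separator normalisation first.
    // trim() then drops leading dots, so ".htaccess"-style names lose their dot and extension.
    $fileName = basename(str_replace("\\", "/", (string) ($file["name"] ?? "")));
    $fileName = trim($fileName, "./\\");
    if ($fileName === "" || strpos($fileName, "\0") !== false) {
        return "";
    }

    // Extension allow-list, compared case-insensitively (last extension only, see notes above).
    // TODO : Make $EXTENSIONS_ALLOWED variable a constant?
    $EXTENSIONS_ALLOWED = ["PNG", "JPG", "JPEG", "PDF"];
    $fileExtension = pathinfo($fileName, PATHINFO_EXTENSION);
    $extensionKey = strtoupper($fileExtension);
    if (!in_array($extensionKey, $EXTENSIONS_ALLOWED, true)) {
        return "";
    }

    // Defence in depth: the extension is chosen by the client, so also check the magic bytes
    // when the fileinfo extension is present. Without fileinfo only the extension is checked.
    $MIME_ALLOWED = [
        "PNG"  => ["image/png"],
        "JPG"  => ["image/jpeg"],
        "JPEG" => ["image/jpeg"],
        "PDF"  => ["application/pdf"],
    ];
    if (class_exists("finfo")) {
        $detected = (new \finfo(FILEINFO_MIME_TYPE))->file($file["tmp_name"]);
        if ($detected === false || !in_array($detected, $MIME_ALLOWED[$extensionKey], true)) {
            return "";
        }
    }

    // Size cap: 2 MiB. $file["size"] is filled in by PHP, not taken from the request;
    // upload_max_filesize / post_max_size in php.ini still bound the request before this runs.
    // TODO : Make $MAX_SIZE_ALLOWED variable a constant?
    $MAX_SIZE_ALLOWED = 2 * (1024 * 1024);
    if (($file["size"] ?? 0) > $MAX_SIZE_ALLOWED) {
        return "";
    }

    // Destination folder. Strip leading/trailing ".", "/" and "\" (as before), then decide
    // between the current working directory and a caller-named folder.
    $uploadFolder = trim((string) $uploadFolder, "./\\");
    if ($uploadFolder === "") {
        // No folder given: use the current working directory. NOTE(review): for a web-invoked
        // script this is normally the script's own, web-served directory, so uploads become
        // directly reachable by URL — prefer an explicit folder outside the document root.
        $uploadFolder = getcwd();
        if ($uploadFolder === false) {
            return "";
        }
    } else {
        // Characters special to Windows/Unix shells and NUL are rejected outright
        $UNALLOWED_CHARACTERS = ["?", ":", "\"", "<", ">", "|", "*", "\0"];
        foreach ($UNALLOWED_CHARACTERS as $char) {
            if (strpos($uploadFolder, $char) !== false) {
                return "";
            }
        }
        // Path-traversal fix: the original let "a/../../etc" through because only the ends
        // were trimmed. Every segment must be a real name — no "", "." or "..".
        foreach (preg_split("~[/\\\\]~", $uploadFolder) as $segment) {
            if ($segment === "" || $segment === "." || $segment === "..") {
                return "";
            }
        }
        // Create the folder if needed. 0750: the owning (web server) user must be able to
        // write into it for the move below to work — the original 0511 gave the owner no
        // write bit, so the move could only succeed when running as root. Group read/execute
        // allows a same-group front-end server to serve the files; adjust to deployment.
        // The second is_dir() covers a concurrent creator winning the mkdir() race.
        if (!is_dir($uploadFolder) && !mkdir($uploadFolder, 0750, true) && !is_dir($uploadFolder)) {
            return "";
        }
    }

    // Never overwrite an existing file: fall back to a random name from a CSPRNG
    // (the original shuffled an md5 of the clock, which is guessable). 16 bytes -> 32 hex
    // chars, same length as the md5 it replaces.
    // NOTE: file_exists() + move is still a check-then-act window between two concurrent
    // uploads of the same name; use a random name unconditionally if that matters.
    $destination = "{$uploadFolder}/{$fileName}";
    if (file_exists($destination)) {
        $fileName = bin2hex(random_bytes(16)) . ".{$fileExtension}";
        $destination = "{$uploadFolder}/{$fileName}";
    }
    if (!move_uploaded_file($file["tmp_name"], $destination)) {
        return "";
    }
    return $fileName;
}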
?>