Simple and effective Upload Script
Code:
<?php
// Returns a random string of $characters symbols drawn from an unambiguous alphabet.
function generateCode($characters){
    $possible = '23456789bcdfghjkmnpqrstvwxyz';
    $code = '';
    $i = 0;
    while($i < $characters){ // "<" rather than "<=" so generateCode(5) yields five characters
        $code .= substr($possible, mt_rand(0, strlen($possible) - 1), 1);
        $i++;
    }
    return $code;
}
if(isset($_POST['MAX_FILE_SIZE']) && isset($_FILES['file'])){
    $file = explode('.', $_FILES['file']['name']);
    // Exactly one extension, and it must be one of the accepted image extensions.
    if(count($file) == 2 && in_array(strtolower($file[1]), array('gif', 'jpg', 'jpeg', 'png'), true)){
        $code = generateCode(5);
        $fileName = $file[0].'-'.$code.'.'.$file[1];
        $target = 'images/'.$fileName;
        // Note: this type is supplied by the browser, not derived from the file's content.
        switch($_FILES['file']['type']){
            case 'image/gif':
            case 'image/jpg':
            case 'image/jpeg':
            case 'image/png':
                if(@move_uploaded_file($_FILES['file']['tmp_name'], $target)){
                    // No output before header(); the success message is printed after the redirect.
                    header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'].'?nfn='.base64_encode(urlencode($target)).'&ofn='.base64_encode(urlencode($file[0].'.'.$file[1])));
                } else {
                    header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'].'?e=3');
                }
                break;
            default:
                header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'].'?e=2');
                break;
        }
    } else {
        header('Location: http://'.$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'].'?e=1');
    }
} else {
    if(isset($_GET['e'])){
        switch($_GET['e']){
            case 1:
            case 2:
                echo '<div>That filetype isn\'t allowed!</div>';
                break;
            case 3:
                echo '<div>There was an error uploading the file, please try again.</div>';
                break;
            default:
                break;
        }
    } elseif(isset($_GET['nfn']) && isset($_GET['ofn'])){
        // Both values arrive in the query string, so escape them before printing them into HTML.
        $nfn = htmlspecialchars(urldecode(base64_decode($_GET['nfn'])), ENT_QUOTES, 'UTF-8'); // New filename
        $ofn = htmlspecialchars(urldecode(base64_decode($_GET['ofn'])), ENT_QUOTES, 'UTF-8'); // Original filename
        echo '<div>The file '.$ofn.' has been uploaded.<br>';
        echo 'You can find it at <a href="http://'.$_SERVER['HTTP_HOST'].'/'.$nfn.'">this link</a> (http://'.$_SERVER['HTTP_HOST'].'/'.$nfn.').</div>';
    }
    echo 'Accepted types: png, jpg, jpeg, gif';
    echo '<form enctype="multipart/form-data" action="upload.php" method="post">';
    echo '<input type="hidden" name="MAX_FILE_SIZE" value="100000">';
    echo '<input name="file" type="file"><br>';
    echo '<input type="submit" value="Upload">';
    echo '</form>';
}
?>
This is a simple and effective upload script I've written in PHP. Currently, it's used to upload strictly jpg/jpeg/png/gif images.
What the script does (unedited):
- Checks to make sure there's no more than one extension to the file (i.e. image.jpg.gif cannot be uploaded).
- Does a switch statement on the mime-types to make sure they're valid.
- When uploaded, the file is placed into a directory and a randomized five-character alphanumerical value is added to its name to keep images from being overwritten.
- When the image is submitted, the user is directly moved to a new page. This prevents the user from refreshing the page and continuously re-uploading the image with the same $_POST data. This is particularly the biggest mistake in a large majority of upload scripts I've encountered.
The only thing I can see as a small flaw in this script is the information displayed that the image name submitted was uploaded to the directory with the five-character key at the end. This isn't any sort of flaw to the way the image uploads or the security of it though.
Enjoy.
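An added example, not part of the original post: `$_FILES['file']['type']` is sent by the browser, so a check on the file's actual bytes complements the extension count and MIME switch listed above. The function name `detectImageExtension` and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not the poster's code); names and sample data are hypothetical.
// Returns the extension to store the file under, or false if the content
// is not one of the accepted image types.
function detectImageExtension($path){
    $allowed = array(
        'image/gif'  => 'gif',
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
    );
    // fileinfo looks at the bytes on disk and ignores the submitted name and type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    if($mime === false || !isset($allowed[$mime])){
        return false;
    }
    // getimagesize() must also parse the image header and agree on the type.
    $info = @getimagesize($path);
    if($info === false || $info['mime'] !== $mime){
        return false;
    }
    return $allowed[$mime];
}

// Constructed samples: a 1x1 GIF, and plain text submitted under an image name.
$samples = array(
    'photo.gif' => base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'),
    'photo.png' => 'This is plain text, not image data.',
);
foreach($samples as $name => $bytes){
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $ext = detectImageExtension($tmp);
    echo $name.': '.($ext === false ? 'rejected' : 'accepted as .'.$ext)."\n";
    unlink($tmp);
}
?>
```

In the upload handler this would be called on `$_FILES['file']['tmp_name']` before `move_uploaded_file()`. Building the stored name from the returned extension rather than the submitted one keeps the saved file's extension tied to what the server detected.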