حالا سوای مشکل ات هیچ وقت عکس رو اینطوری اعتبار سنجی نکن. چون من اولین نفری خواهم بود که سایتت را (البته بعنوان هکر کلاه سفید) هک خواهم کرد.
به کمک کتابخانه gd2 عکس را باز کن و از اونجا بررسی کن.
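/**
 * Validate a file from $_FILES and move it into $uploadPath through Joomla's
 * filesystem layer.
 *
 * Parameter order is kept exactly as the original so existing callers keep
 * working; PHP 8 therefore treats $type as required (optional-before-required).
 *
 * @param mixed  $option     Unused (the original only printed it in debug output); kept for the signature.
 * @param string $type       'image' (jpeg/jpg/png/gif) or 'pdf'. Any other value is rejected.
 * @param string $fieldName  Key in $_FILES that holds the upload.
 * @param string $uploadPath Target directory. The generated file name is appended verbatim,
 *                           as in the original, so the caller supplies the trailing separator.
 * @param string $oldfile    Previously stored file to delete after a successful move; '' for none.
 *
 * @return string|false|null The stored file name on success. Returns false when the move fails
 *                           or an image is rejected by getimagesize(), and null for the other
 *                           validation failures — the same mix of values the original produced,
 *                           so callers testing `if (!$result)` are unaffected.
 *
 * Messages are emitted with echo + JText::_() exactly as before; the debug dump of $_FILES
 * that preceded validation has been removed because it printed server paths to the client.
 */
function handleUpload($option, $type = 'image', $fieldName, $uploadPath, $oldfile = '')
{
    // A field that never reached $_FILES (missing input, wrong form enctype) must not be
    // indexed as if it were an array.
    if (!isset($_FILES[$fieldName]) || !is_array($_FILES[$fieldName])) {
        echo JText::_( 'ERROR NO FILE' );
        return;
    }
    $file = $_FILES[$fieldName];

    // Any upload error aborts. Codes 6-8 (no tmp dir, cannot write, extension blocked the
    // upload) previously fell through the switch and the file was processed as if it had
    // arrived intact.
    $fileError = isset($file['error']) ? (int) $file['error'] : UPLOAD_ERR_NO_FILE;
    if ($fileError !== UPLOAD_ERR_OK) {
        echo "form error!";
        switch ($fileError) {
            case UPLOAD_ERR_INI_SIZE:
                echo JText::_( 'FILE TO LARGE THAN PHP INI ALLOWS' );
                break;
            case UPLOAD_ERR_FORM_SIZE:
                echo JText::_( 'FILE TO LARGE THAN HTML FORM ALLOWS' );
                break;
            case UPLOAD_ERR_PARTIAL:
                echo JText::_( 'ERROR PARTIAL UPLOAD' );
                break;
            case UPLOAD_ERR_NO_FILE:
                echo JText::_( 'ERROR NO FILE' );
                break;
            default:
                echo JText::_( 'ERROR MOVING FILE' );
                break;
        }
        return;
    }

    // All file writing goes through Joomla's filesystem classes so that, when the FTP
    // layer is enabled, Joomla writes via FTP instead of the web-server user, which may
    // lack the needed permissions.
    jimport('joomla.filesystem.file');
    jimport('joomla.filesystem.folder');

    // Extension whitelist per type. An unknown $type used to leave $ext undefined; explode()
    // then yielded [''] and preg_match("//i") matched every extension, accepting anything.
    $allowedExtensions = [
        'image' => ['jpeg', 'jpg', 'png', 'gif'],
        'pdf'   => ['pdf'],
    ];
    if (!isset($allowedExtensions[$type])) {
        echo JText::_( 'INVALID FILETYPE' );
        return;
    }
    $validFileExts = $allowedExtensions[$type];

    // Compare the final extension exactly (case-insensitively). The original
    // preg_match("/$value/i") was a substring test, so e.g. "xjpgx" counted as jpg.
    $fileName = isset($file['name']) ? (string) $file['name'] : '';
    $uploadedFileNameParts = explode('.', $fileName);
    $uploadedFileExtension = strtolower(array_pop($uploadedFileNameParts));
    if (!in_array($uploadedFileExtension, $validFileExts, true)) {
        echo JText::_( 'INVALID EXTENSION' );
        return;
    }

    // Only accept the temp file PHP itself created for this request.
    $fileTemp = isset($file['tmp_name']) ? $file['tmp_name'] : '';
    if (!is_string($fileTemp) || $fileTemp === '' || !is_uploaded_file($fileTemp)) {
        echo JText::_( 'ERROR NO FILE' );
        return;
    }

    if ($type === 'image') {
        // Inspect the temp file before it is moved. getimagesize() returns false for anything
        // it cannot parse; the original indexed that false, and because the rejection was
        // nested under a ">400px" test, a file with no parsable dimensions or a MIME outside
        // the whitelist was accepted. That nested size test never applied to valid images;
        // if a maximum dimension is actually wanted it needs its own check — TODO confirm.
        $imageinfo = getimagesize($fileTemp);
        // Whitelist of acceptable MIME types (whitelisting, never blacklisting).
        $okMIMETypes = ['image/jpeg', 'image/pjpeg', 'image/png', 'image/x-png', 'image/gif'];
        if ($imageinfo === false
            || !isset($imageinfo[0], $imageinfo[1], $imageinfo[2], $imageinfo['mime'])
            || !is_int($imageinfo[0]) || !is_int($imageinfo[1])
            || !in_array($imageinfo['mime'], $okMIMETypes, true)) {
            echo JText::_( 'INVALID FILETYPE' );
            return false;
        }
        // The declared extension must agree with what the bytes decode as, so a file is
        // never stored under an extension that contradicts its content.
        $extensionsForImageType = [
            IMAGETYPE_GIF  => ['gif'],
            IMAGETYPE_JPEG => ['jpg', 'jpeg'],
            IMAGETYPE_PNG  => ['png'],
        ];
        if (!isset($extensionsForImageType[$imageinfo[2]])
            || !in_array($uploadedFileExtension, $extensionsForImageType[$imageinfo[2]], true)) {
            echo JText::_( 'INVALID FILETYPE' );
            return false;
        }
    }

    // Stored name = timestamp + sanitized base name + the single validated extension.
    // ereg_replace() was removed in PHP 7, and it kept every "." from the client name, so
    // "x.php.jpg" survived intact; some web-server configurations map such a name to the
    // inner extension. Only [A-Za-z0-9] is kept in the base name.
    $baseName = preg_replace('/[^A-Za-z0-9]/', '', implode('', $uploadedFileNameParts));
    $fileName = date('Y-z-His') . '-' . $baseName . '.' . $uploadedFileExtension;

    // The name contains no separators or "..", so it cannot leave the directory the caller
    // chose. It is appended verbatim, matching the original behaviour.
    $uploadPath .= $fileName;

    if (!JFile::upload($fileTemp, $uploadPath)) {
        // The original placed `exit;` before this message, so it was never shown.
        echo JText::_( 'ERROR MOVING FILE' );
        return false;
    }

    // The new file is in place; now remove the file it replaces, if any.
    if ((string) $oldfile !== '') {
        if ($type === 'image') {
            deleteCoverpic($oldfile);
        } else {
            deletePDF($oldfile);
        }
    }
    return $fileName;
}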
ببخشید طولانیه. مال یکی از پروژه‌های جوملام هست.