I have a form for adding content that I use that allows image uploading that sends the upload through another PHP script. It works great for us, and now I want to set up the same system for my moderators to use, but want to secure the image upload part of the script.
For instance, I want to add functions that:
- Return an uploadError if the file name already exists
- Reject the upload if not a jpg/gif image.
define("UPLOADDIR", "". $_SERVER['DOCUMENT_ROOT'] ."/folder/images/");
// Detect if it is an AJAX request
if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
    $file = array_shift($_FILES);
    if(move_uploaded_file($file['tmp_name'], UPLOADDIR . basename($file['name']))) {
        $file = dirname($_SERVER['PHP_SELF']) . str_replace('./', '/', UPLOADDIR) . $file['name'];
        $file = str_replace("/source/directory/", "", $file);
        $data = array(
            'success' => true,
            'file' => $file,
        );
    } else {
        $error = true;
        $data = array(
            'message' => 'uploadError',
        );
    }
} else {
    $data = array(
        'message' => 'uploadNotAjax',
        'formData' => $_POST
    );
}
All feedback appreciated
Ryan
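
Added example, not part of the post above or the poster's script: one way to implement the two checks the question lists (error on an existing file name, reject anything that is not a jpg/gif) in PHP. The function name `store_image_upload()` and the `uploadNotImage` message are hypothetical, and the fileinfo extension is assumed to be enabled.

```php
<?php
// Added example, not the poster's script. store_image_upload() and the
// 'uploadNotImage' message are hypothetical names; ext-fileinfo is assumed.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function store_image_upload(array $file, string $uploadDir): array
{
    $tmp = $file['tmp_name'] ?? '';

    // Accept only a single, completed HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_string($tmp) || !is_uploaded_file($tmp)) {
        return ['message' => 'uploadError'];
    }

    // The type comes from the file's bytes; the client-sent name and
    // $file['type'] are untrusted. getimagesize() must also parse the file.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext  = ALLOWED_TYPES[$mime] ?? null;
    if ($ext === null || @getimagesize($tmp) === false) {
        return ['message' => 'uploadNotImage'];
    }

    // Keep a conservative character set from the client name and force the
    // extension to match the detected type (a JPEG sent as "a.php.jpg"
    // is stored as "a_php.jpg").
    $stem = pathinfo(basename((string) ($file['name'] ?? '')), PATHINFO_FILENAME);
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', $stem);
    $name = ($stem === '' || $stem === null ? 'upload' : $stem) . '.' . $ext;
    $target = rtrim($uploadDir, '/') . '/' . $name;

    // fopen() mode 'x' fails if the name already exists, so the duplicate
    // check and the reservation of the name happen in one atomic step.
    $reserved = @fopen($target, 'x');
    if ($reserved === false) {
        return ['message' => 'uploadError'];
    }
    fclose($reserved);

    if (!move_uploaded_file($tmp, $target)) {
        unlink($target); // release the reserved name
        return ['message' => 'uploadError'];
    }
    return ['success' => true, 'file' => $name];
}

// Usage in place of the bare move_uploaded_file() call:
// $data = store_image_upload(array_shift($_FILES) ?? [], UPLOADDIR);
```

A file can be a valid image and still carry embedded script text, so these checks are paired with a web server configuration that does not execute scripts from the upload directory.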