How safe is this method for dealing with files submitted for use as an avatar?
/*
For live site if someone isn't logged in, the script will end
*/
if (!isset($_SESSION['user_id'])) {
$user_id = 0;
} else {
$user_id = $_SESSION['user_id'];
}
if ( $_SERVER['HTTP_REFERER'] <> 'http://localhost/universal_empires/usercp/uploadavatar' ) {
$this->sys_message->add_sys_message('e','Access Denied!',"Sorry, something went wrong with this page, the Administrators have been alterted!",'http://localhost/universal_empires/usercp/uploadavatar');
return false;
}
if ( !is_uploaded_file($_FILES['upload']['tmp_name']) ) {
$this->sys_message->add_sys_message('e','No Avatar Selected!',"Sorry, you didn't select a image to use as an avatar! You Numpty!",'http://localhost/universal_empires/usercp/uploadavatar');
return false;
}
if ($_FILES['upload']['size'] > 8192 ) {
$this->sys_message->add_sys_message('e','File Too Large!',"Sorry, the file is too large! You Numpty!",'http://localhost/universal_empires/usercp/uploadavatar');
return false;
}
$avatar_name = 'C:\wamp\www\universal_empires\public\avatars\avatar_u'.$user_id.'.png';
$avatar = imagepng(imagecreatefromstring(file_get_contents($_FILES['upload']['tmp_name'])), $avatar_name);
I know that I need to add a bit to shrink the size of the image (width and height). Are there any obvious security flaws that I’ve missed?