sibtracker/system/ajax/upload.php

254 lines
8.4 KiB
PHP
Raw Normal View History

2019-05-18 13:46:03 +08:00
<?php
@error_reporting( E_ALL ^ E_NOTICE );
@ini_set( 'display_errors', true );
@ini_set( 'html_errors', false );
@ini_set( 'error_reporting', E_ALL ^ E_NOTICE );
define( 'DATALIFEENGINE', true );
define( 'ROOT_DIR', substr( dirname( __FILE__ ), 0, -12 ) );
define( 'SYSTEM_DIR', ROOT_DIR . '/system' );
if( isset( $_POST["PHPSESSID"] ) ) {
session_id( $_POST["PHPSESSID"] );
}
session_start();
function msg_error($message, $code = 500) {
if ($code == 401) header( "HTTP/1.1 401 Unauthorized" );
elseif($code == 403) header( "HTTP/1.1 403 Forbidden" );
elseif($code == 405) header( "HTTP/1.1 405 Method Not Allowed" );
else header( "HTTP/1.1 500 Internal Server Error" );
echo $message;
exit( 0 );
}
if( ! isset( $_FILES['Filedata'] ) || ! is_uploaded_file( $_FILES['Filedata']['tmp_name'] ) || $_FILES['Filedata']['error'] != 0 ) {
msg_error( "There was a problem with the upload", 405 );
}
require_once SYSTEM_DIR . '/data/config.php';
require_once SYSTEM_DIR . '/classes/mysql.php';
require_once SYSTEM_DIR . '/data/dbconfig.php';
require_once SYSTEM_DIR . '/inc/include/functions.inc.php';
$user_group = $cache->get( "usergroup" );
if( ! $user_group ) {$user_group = array ();
$db->query( "SELECT * FROM " . USERPREFIX . "_usergroups ORDER BY id ASC" );
while ( $row = $db->get_row() ) {$user_group[$row['id']] = array ();
foreach ( $row as $key => $value ) {$user_group[$row['id']][$key] = stripslashes($value);}
}
$cache->set( "usergroup", $user_group );
$db->free();
}
require_once SYSTEM_DIR . '/modules/sitelogin.php';
if( ! $is_logged ) {msg_error( "Not Logged", 401 );}
if( ! $user_group[$member_id['user_group']]['allow_image_upload'] ) {msg_error( "Not Allowed", 401 );}
$allowed_extensions = array ("gif", "jpg", "png", "jpe", "jpeg" );
$allowed_files = explode( ',', strtolower( $config['files_type'] ) );
if( intval( $_REQUEST['news_id'] ) ) $news_id = intval( $_REQUEST['news_id'] ); else $news_id = 0;
if( isset( $_REQUEST['area'] ) ) $area = totranslit( $_REQUEST['area'] ); else $area = "";
if( isset( $_REQUEST['author'] ) ) $author = @$db->safesql( strip_tags( convert_unicode($_REQUEST['author'], $config['charset'] ) ) ); else $author = "";
if ( !$author ) $author = $member_id['name'];
//if( $member_id['user_group'] < 4 ) {
$config['max_image'] = $_POST['t_size'] ? $_POST['t_size'] : $config['max_image'];
$_POST['t_seite'] = intval( $_POST['t_seite'] );
$config['allow_watermark'] = intval( $_POST['make_watermark'] ) ? "yes" : "no";
$_POST['make_thumb'] = true;
//} else {$_POST['t_seite'] = 0;$_POST['make_thumb'] = true;}
$thumb_size = $config['max_image'];
$thumb_size = explode ("x", $thumb_size);
if ( count($thumb_size) == 2) {
$thumb_size = intval($thumb_size[0]) . "x" . intval($thumb_size[1]);
} else {
$thumb_size = intval( $thumb_size[0] );
}
$config['max_image'] = $thumb_size;
if (@ini_get( 'safe_mode' ) == 1)
define( 'FOLDER_PREFIX', "" );
else
define( 'FOLDER_PREFIX', date( "Y-m" ) );
if( ! is_dir( ROOT_DIR . "/uploads/posts/" . FOLDER_PREFIX ) ) {
@mkdir( ROOT_DIR . "/uploads/posts/" . FOLDER_PREFIX, 0777 );
@chmod( ROOT_DIR . "/uploads/posts/" . FOLDER_PREFIX, 0777 );
@mkdir( ROOT_DIR . "/uploads/posts/" . FOLDER_PREFIX . "/thumbs", 0777 );
@chmod( ROOT_DIR . "/uploads/posts/" . FOLDER_PREFIX . "/thumbs", 0777 );
}
if( ! is_dir( ROOT_DIR . "/uploads/posts/" . FOLDER_PREFIX ) ) {
msg_error( "/uploads/posts/" . FOLDER_PREFIX . "/ cannot created.", 403 );
}
$upload_path = ROOT_DIR . "/uploads/posts/" . FOLDER_PREFIX . "/";
$file_prefix = time() + rand( 1, 100 );
$file_prefix .= "_";
$image = $_FILES['Filedata']['tmp_name'];
$image_name = $_FILES['Filedata']['name'];
$image_size = $_FILES['Filedata']['size'];
$img_name_arr = explode( ".", $image_name );
$type = totranslit( end( $img_name_arr ) );
$curr_key = key( $img_name_arr );
unset( $img_name_arr[$curr_key] );
$image_name = totranslit( convert_unicode( implode( ".", $img_name_arr ), $config['charset'] ) ) . "." . $type;
$image_name = str_replace( "..", ".", $image_name );
if( stripos ( $image_name, "php" ) !== false ) die("Hacking attempt!");
if( stripos ( $image_name, "phtml" ) !== false ) die("Hacking attempt!");
if( stripos ( $image_name, ".htaccess" ) !== false ) die("Hacking attempt!");
if( $config['files_allow'] == "yes" and $user_group[$member_id['user_group']]['allow_file_upload'] and in_array( strtolower( $type ), $allowed_files ) ) {
if( intval( $config['max_file_size'] ) and $image_size > ($config['max_file_size'] * 1024) ) {
msg_error( "File too big", 403 );
}
if( move_uploaded_file( $image, ROOT_DIR . "/uploads/files/" . $file_prefix . $image_name ) ) {
@chmod( ROOT_DIR . "/uploads/files/" . $file_prefix . $image_name, 0666 );
$added_time = time() + ($config['date_adjust'] * 60);
if( $area == "template" ) {
$db->query( "INSERT INTO " . PREFIX . "_static_files (static_id, author, date, name, onserver) values ('$news_id', '{$author}', '$added_time', '$image_name', '{$file_prefix}{$image_name}')" );
} else {
$db->query( "INSERT INTO " . PREFIX . "_files (news_id, name, onserver, author, date) values ('$news_id', '$image_name', '{$file_prefix}{$image_name}', '{$author}', '$added_time')" );
}
$db->close();
echo ("Ok");
} else {
msg_error( "Upload Error", 403 );
}
} elseif( in_array( strtolower( $type ), $allowed_extensions ) and $user_group[$member_id['user_group']]['allow_image_upload'] ) {
if( file_exists( $upload_path . $image_name ) ) {
msg_error( "Image exist", 500 );
} elseif( $image_size > ($config['max_up_size'] * 1024) and ! $config['max_up_side'] ) {
msg_error( "Image too big", 500 );
}
if( @move_uploaded_file( $image, $upload_path . $file_prefix . $image_name ) ) {
@chmod( $upload_path . $file_prefix . $image_name, 0666 );
if( $area != "template" ) {
$row = $db->super_query( "SELECT COUNT(*) as count FROM " . PREFIX . "_images where author = '{$author}' AND news_id = '$news_id'" );
if( ! $row['count'] ) {
$added_time = time() + ($config['date_adjust'] * 60);
$inserts = FOLDER_PREFIX . "/" . $file_prefix . $image_name;
$db->query( "INSERT INTO " . PREFIX . "_images (images, author, news_id, date) values ('$inserts', '{$author}', '$news_id', '$added_time')" );
} else {
$row = $db->super_query( "SELECT images FROM " . PREFIX . "_images where author = '{$author}' AND news_id = '$news_id'" );
if( $row['images'] == "" ) $listimages = array ();
else $listimages = explode( "|||", $row['images'] );
foreach ( $listimages as $dataimages ) {
if( $dataimages == FOLDER_PREFIX . "/" . $file_prefix . $image_name ) $error_image = "stop";
}
if( $error_image != "stop" ) {
$listimages[] = FOLDER_PREFIX . "/" . $file_prefix . $image_name;
$row['images'] = implode( "|||", $listimages );
$db->query( "UPDATE " . PREFIX . "_images set images='{$row['images']}' where author = '{$author}' AND news_id = '$news_id'" );
}
}
}
if( $area == "template" ) {
$added_time = time() + ($config['date_adjust'] * 60);
$inserts = FOLDER_PREFIX . "/" . $file_prefix . $image_name;
$db->query( "INSERT INTO " . PREFIX . "_static_files (static_id, author, date, name) values ('$news_id', '{$author}', '$added_time', '$inserts')" );
}
include_once SYSTEM_DIR . '/classes/thumb.class.php';
$thumb = new thumbnail( $upload_path . $file_prefix . $image_name );
if( $_POST['make_thumb'] ) {
if( $thumb->size_auto( $config['max_image'], $_POST['t_seite'] ) ) {
$thumb->jpeg_quality( $config['jpeg_quality'] );
if( $config['allow_watermark'] == "yes" ) $thumb->insert_watermark( $config['max_watermark'] );
$thumb->save( $upload_path . "thumbs/" . $file_prefix . $image_name );
@chmod( $upload_path . "thumbs/" . $file_prefix . $image_name, 0666 );
}
}
if( $config['allow_watermark'] == "yes" or $config['max_up_side'] ) {
$thumb = new thumbnail( $upload_path . $file_prefix . $image_name );
$thumb->jpeg_quality( $config['jpeg_quality'] );
if( $config['max_up_side'] ) $thumb->size_auto( $config['max_up_side'] );
if( $config['allow_watermark'] == "yes" ) $thumb->insert_watermark( $config['max_watermark'] );
$thumb->save( $upload_path . $file_prefix . $image_name );
}
$db->close();
echo ("Ok");
} else {
msg_error( "Upload Error", 403 );
}
} else {
msg_error( "Not Allowed Type", 403 );
}
?>