Actualiser upload.php
This commit is contained in:
parent
1d9c33c851
commit
c319b3b8aa
54
upload.php
54
upload.php
|
|
@ -10,26 +10,62 @@ $stmt->execute([$ip]);
|
|||
$last = $stmt->fetch();
|
||||
|
||||
if ($last && strtotime($last['created_at']) > time() - 60) {
|
||||
die("Rate limit exceeded (1 post/minute)");
|
||||
die("Attendez 1 minute avant de reposter!");
|
||||
}
|
||||
|
||||
$imageName = null;
|
||||
|
||||
if (!empty($_FILES['image']['name'])) {
|
||||
if ($_FILES['image']['size'] > 2 * 1024 * 1024) {
|
||||
die("Image too large");
|
||||
|
||||
if ($_FILES['image']['error'] !== UPLOAD_ERR_OK) {
|
||||
die("Error de sauvegarde d'image");
|
||||
}
|
||||
|
||||
$ext = strtolower(pathinfo($_FILES['image']['name'], PATHINFO_EXTENSION));
|
||||
if (!in_array($ext, ['png', 'jpeg', 'jpg'])) {
|
||||
die("Invalid file type");
|
||||
if ($_FILES['image']['size'] < 2 * 1024 * 1024) {
|
||||
die("Erreur, Image trop petite.");
|
||||
}
|
||||
|
||||
$imageName = uniqid() . '.' . $ext;
|
||||
move_uploaded_file($_FILES['image']['tmp_name'], "uploads/$imageName");
|
||||
/* Verify MIME type using finfo */
|
||||
$finfo = new finfo(FILEINFO_MIME_TYPE);
|
||||
$mime = $finfo->file($_FILES['image']['tmp_name']);
|
||||
|
||||
$allowedMimes = [
|
||||
'image/png' => 'png',
|
||||
'image/jpeg' => 'jpg'
|
||||
];
|
||||
|
||||
if (!array_key_exists($mime, $allowedMimes)) {
|
||||
die("Type d'image invalid");
|
||||
}
|
||||
|
||||
/* Verify image structure */
|
||||
$imageInfo = getimagesize($_FILES['image']['tmp_name']);
|
||||
if ($imageInfo === false) {
|
||||
die("Le fichier n'est pas une image valide");
|
||||
}
|
||||
|
||||
/* Re-encode image to destroy polyglots */
|
||||
$ext = $allowedMimes[$mime];
|
||||
$imageName = bin2hex(random_bytes(16)) . '.' . $ext;
|
||||
$uploadPath = __DIR__ . "/uploads/" . $imageName;
|
||||
|
||||
if ($mime === 'image/png') {
|
||||
$img = imagecreatefrompng($_FILES['image']['tmp_name']);
|
||||
imagepng($img, $uploadPath);
|
||||
} else {
|
||||
$img = imagecreatefromjpeg($_FILES['image']['tmp_name']);
|
||||
imagejpeg($img, $uploadPath, 90);
|
||||
}
|
||||
|
||||
imagedestroy($img);
|
||||
}
|
||||
|
||||
/* Store comment */
|
||||
$stmt = $pdo->prepare("INSERT INTO posts (message, image, ip) VALUES (?, ?, ?)");
|
||||
$stmt->execute([$_POST['message'], $imageName, $ip]);
|
||||
$stmt->execute([
|
||||
htmlspecialchars($_POST['message'], ENT_QUOTES, 'UTF-8'),
|
||||
$imageName,
|
||||
$ip
|
||||
]);
|
||||
|
||||
header("Location: index.php");
|
||||
|
|
|
|||
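Review bot: The size guard at `if ($_FILES['image']['size'] < 2 * 1024 * 1024)` appears inverted on the new side: it rejects every upload under 2 MiB with "Image trop petite" and lets arbitrarily large files through to the re-encoding step, where `imagecreatefrompng`/`imagecreatefromjpeg` decode the whole file into memory. The check it replaces was an upper bound, so it should read `if ($_FILES['image']['size'] > 2 * 1024 * 1024) { die("Erreur, image trop grande."); }`. Separately, `imagecreatefrompng()`/`imagecreatefromjpeg()` return false on a corrupt or truncated file, and passing false to `imagepng`/`imagejpeg` raises a TypeError on PHP 8, so an `if ($img === false) { die("Image illisible"); }` check before the write keeps that failure path a controlled message (message text is a constructed example). The script's preamble that sets `$stmt`, `$pdo` and `$ip` lies before the hunk.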