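<?php

declare(strict_types=1);

session_start();

require 'db.php';

// Client address used as the rate-limit key and stored with the post.
// NOTE(review): behind a reverse proxy this is the proxy's address, not the
// client's — confirm the deployment before relying on it for rate limiting.
$ip = $_SERVER['REMOTE_ADDR'] ?? '';

// NOTE(review): no request-method or CSRF check is visible in this script;
// confirm whether the form in index.php carries a token that should be verified here.

/* Rate limit: 1 post / minute */
$stmt = $pdo->prepare("SELECT created_at FROM posts WHERE ip=? ORDER BY created_at DESC LIMIT 1");
$stmt->execute([$ip]);
$last = $stmt->fetch();

// strtotime() returns false on an unparsable value and `false > int` is false,
// so a malformed created_at does not block the post (same as before, made explicit).
if ($last && strtotime((string) $last['created_at']) > time() - 60) {
    die("Attendez 1 minute avant de reposter!");
}

/* Message: read once, tolerate a missing field, reject an empty post before
   any image is written so a rejected request leaves no orphan file in uploads/. */
$message = (string) ($_POST['message'] ?? '');
if (trim($message) === '') {
    die("Le message est vide");
}
// NOTE(review): no length bound is enforced here; the DB column width decides
// what happens to oversized input — confirm the schema and add a limit if needed.

$imageName = null;

if (!empty($_FILES['image']['name'])) {
    $file = $_FILES['image'];

    // PHP's own upload handling must have succeeded (also rejects a multi-file
    // field, whose 'error' entry is an array and never equals UPLOAD_ERR_OK)
    if ($file['error'] !== UPLOAD_ERR_OK) {
        die("Erreur lors de l'upload de l'image");
    }

    // The temp path must be one PHP created for this request's upload
    if (!is_uploaded_file($file['tmp_name'])) {
        die("Fichier non valide ou non téléchargé");
    }

    // Size limit (2 MiB). 'size' is set by PHP from the bytes actually received,
    // not from anything the client declares.
    $maxBytes = 2 * 1024 * 1024;
    if ($file['size'] > $maxBytes) {
        die("Image trop grosse (max 2 Mo)");
    }

    // MIME type sniffed from file content; the client-supplied name/type is never used
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);

    $allowedMimes = [
        'image/png' => 'png',
        'image/jpeg' => 'jpg',
    ];

    // finfo::file() returns false on failure; array_key_exists() would throw a
    // TypeError on a non-string key, so reject that case first.
    if ($mime === false || !array_key_exists($mime, $allowedMimes)) {
        die("Type d'image invalide");
    }

    // Independent header parse as a second opinion on "this is an image"
    if (getimagesize($file['tmp_name']) === false) {
        die("Le fichier n'est pas une image valide");
    }

    // Re-encode through GD so that only pixel data reaches uploads/ — anything
    // else in the original file (polyglot payloads, metadata) is dropped.
    // NOTE(review): confirm the web server serves uploads/ as static files only.
    $ext = $allowedMimes[$mime];
    $imageName = bin2hex(random_bytes(16)) . '.' . $ext;
    $uploadPath = __DIR__ . "/uploads/" . $imageName;

    // imagecreatefrom*() returns false on a malformed file; handing false to
    // imagepng()/imagejpeg() would be a TypeError, so fail explicitly instead.
    $img = $mime === 'image/png'
        ? imagecreatefrompng($file['tmp_name'])
        : imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        die("Le fichier n'est pas une image valide");
    }

    // Both encoders return false when the file cannot be written (e.g. missing
    // or unwritable uploads/); do not record an image name that does not exist.
    $written = $mime === 'image/png'
        ? imagepng($img, $uploadPath)
        : imagejpeg($img, $uploadPath, 90);
    imagedestroy($img);

    if (!$written) {
        die("Impossible d'enregistrer l'image");
    }
}

/* Store comment */
$stmt = $pdo->prepare("INSERT INTO posts (message, image, ip) VALUES (?, ?, ?)");
$stmt->execute([
    // Escaped at write time for the HTML context; the reader (index.php) must
    // print this column as-is and not escape it a second time.
    htmlspecialchars($message, ENT_QUOTES, 'UTF-8'),
    $imageName,
    $ip,
]);

// Stop here so nothing after the redirect header can run or emit output
header("Location: index.php");
exit;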