<?php

header('Content-Type: text/plain; charset=utf-8');

$dir = "../uploads";

$log = "";

try {

// Undefined | Multiple Files | $_FILES Corruption Attack

// If this request falls under any of them, treat it invalid.

if (

!isset($_FILES['upfile']['error']) ||

is_array($_FILES['upfile']['error'])

) {

throw new RuntimeException('Invalid parameters.');

}

// Check $_FILES['upfile']['error'] value.

switch ($_FILES['upfile']['error']) {

case UPLOAD_ERR_OK:

break;

case UPLOAD_ERR_NO_FILE:

throw new RuntimeException('No file sent.');

case UPLOAD_ERR_INI_SIZE:

case UPLOAD_ERR_FORM_SIZE:

throw new RuntimeException('Exceeded filesize limit.');

default:

throw new RuntimeException('Unknown errors.');

}

// You should also check filesize here.

if ($_FILES['upfile']['size'] > 2000000) {

throw new RuntimeException('Exceeded filesize limit.');

}

// DO NOT TRUST $_FILES['upfile']['mime'] VALUE !!

// Check MIME Type by yourself.

if (false === $ext = array_search(

my_mime_content_type($_FILES['upfile']['name']),

array(

'jpg' => 'image/jpeg',

'png' => 'image/png',

'gif' => 'image/gif',

'txt' => 'text/plain'

),

true

)) {

throw new RuntimeException('Invalid file format.');

}

// You should name it uniquely.

// DO NOT USE $_FILES['upfile']['name'] WITHOUT ANY VALIDATION !!

// On this example, obtain safe unique name from its binary data.

if (!move_uploaded_file(

$_FILES['upfile']['tmp_name'],

sprintf("$dir/%s.%s", sha1_file($_FILES['upfile']['tmp_name']), $ext)

/*$dir."/".$_FILES['upfile']['name']*/

)) {

throw new RuntimeException('Failed to move uploaded file.');

}

echo 'File is uploaded successfully.';

$log .= "File is uploaded successfully.\n";

}

catch (RuntimeException $e) {

echo $e->getMessage();

$log .= $e->getMessage()."\n";

}

// logging info

file_put_contents("$dir/log.txt", date('Y-m-d H:i:s')."\n".$log, FILE_APPEND | LOCK_EX);

// my wrapper for mime-content-type

function my_mime_content_type($filename) {

$mime_types = array(

'sql' => 'text/plain',

'txt' => 'text/plain',

'htm' => 'text/html',

'html' => 'text/html',

'php' => 'text/html',

'css' => 'text/css',

'js' => 'application/javascript',

'json' => 'application/json',

'xml' => 'application/xml',

'swf' => 'application/x-shockwave-flash',

'flv' => 'video/x-flv',

// images

'png' => 'image/png',

'jpe' => 'image/jpeg',

'jpeg' => 'image/jpeg',

'jpg' => 'image/jpeg',

'gif' => 'image/gif',

'bmp' => 'image/bmp',

'ico' => 'image/vnd.microsoft.icon',

'tiff' => 'image/tiff',

'tif' => 'image/tiff',

'svg' => 'image/svg+xml',

'svgz' => 'image/svg+xml',

// archives

'zip' => 'application/zip',

'rar' => 'application/x-rar-compressed',

'exe' => 'application/x-msdownload',

'msi' => 'application/x-msdownload',

'cab' => 'application/vnd.ms-cab-compressed',

// audio/video

'mp3' => 'audio/mpeg',

'qt' => 'video/quicktime',

'mov' => 'video/quicktime',

// adobe

'pdf' => 'application/pdf',

'psd' => 'image/vnd.adobe.photoshop',

'ai' => 'application/postscript',

'eps' => 'application/postscript',

'ps' => 'application/postscript',

// ms office

'doc' => 'application/msword',

'rtf' => 'application/rtf',

'xls' => 'application/vnd.ms-excel',

'ppt' => 'application/vnd.ms-powerpoint',

// open office

'odt' => 'application/vnd.oasis.opendocument.text',

'ods' => 'application/vnd.oasis.opendocument.spreadsheet',

);

$ext = strtolower(array_pop(explode('.',$filename)));

if (array_key_exists($ext, $mime_types)) {

return $mime_types[$ext];

}

elseif (function_exists('finfo_open')) {

$finfo = finfo_open(FILEINFO_MIME);

$mimetype = finfo_file($finfo, $filename);

finfo_close($finfo);

return $mimetype;

}

else {

return 'application/octet-stream';

}

}

?>