Is there a way during the upload to check the filename and stop the upload if it is not a true image file, i know some header information can be added to php files to make them appear to be true images,
i am currently using a htaccess file in the pictures folder but i would prefer to prevent upload if that is possible.
is there a way to search the content of an image for php tags etc
// HANDLE UPLOAD & SUBMIT /////////////////////////////////////////////////////
/*
Submit occured? Let's handle that!
*/
if (isset($_POST["Submit"])) {
/*
We will check if we got a picture, attribute it a name, and
save it to the temporary directory.
*/
if (is_uploaded_file($_FILES["file"]["tmp_name"])) {
if (strstr(basename($_FILES["file"]["name"]), ".")) {
$fileChunks = explode(".", basename($_FILES["file"]["name"]));
$fileExtention = $fileChunks[count($fileChunks)-1];
if (in_array($fileExtention, explode(",", $CONF["PICTURES_ALLOWED_EXTENTIONS"]))) {
$filename = md5(uniqid(time(), 1)) . "." . $fileExtention;
move_uploaded_file($_FILES["file"]["tmp_name"], "system/cache/temp/{$filename}");
/*
Generate the picture data array, this is
the picture information data pack - it is
generated here as we may need it later ...
*/
$pictureDataArray = array(
"NAME" => $_POST["title"],
"DESCRIPTION" => $_POST["description"],
"FILE" => $filename,
"LIBRARY" =>
(me("mainpicture")==""?NULL:
(isset($_POST["grouptext"])&&$_POST["grouptext"]!=""?$_POST["grouptext"]:$_POST["grouplist"])
),
"PRIVATE" => (isset($_POST["private"])?true:false),
"MAIN" => (me("mainpicture")==""?true:false),
"DATE" => date("U"),
"APPROVED" => $CONF["PICTURES_AUTO_APPROVE"],
"ID" => str_replace(" ", "", uniqid(0))
);
rename("system/cache/temp/{$filename}", "system/cache/pictures/{$filename}");
thanks in advance.
