Commit 75d51b3a authored by Sibidharan's avatar Sibidharan :speech_balloon:

image validation, retrieval and rewrites

parent 223c87ec
ErrorDocument 404 /error.php
ErrorDocument 500 "<H1>Some error, contact administrator</H1>"
RewriteEngine On
RewriteBase /
RewriteRule ^/?files/([^/]+)?$ files.php?name=$1 [L,QSA,NC]
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^([^/.]+)$ $1.php [L]
\ No newline at end of file
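Review bot: `RewriteRule ^/?files/([^/]+)?$ files.php?name=$1 [L,QSA,NC]` carries the `QSA` flag, so a query string on the incoming request is appended after `name=$1`; PHP keeps the last value for a duplicated key in `$_GET`, which lets a `name` query parameter override the path segment the rule extracted. Unless files.php needs other query parameters, drop `QSA`: `RewriteRule ^/?files/([^/]+)?$ files.php?name=$1 [L,NC]`. The capture itself is unconstrained, so any validation of the name lives entirely in files.php.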
<?
<?php
?>
......@@ -7,11 +7,13 @@
<form method="post" action="sg.php" enctype="multipart/form-data">
<div class="col-lg-6 col-md-8 mx-auto">
<h1 class="fw-light">What are you upto,
<?=Session::getUser()->getUsername()?>?</h1>
<?=Session::getUser()->getUsername()?>?
</h1>
<p class="lead text-muted">Share a photo that talks about it.</p>
<textarea id="post_text" name="post_text" class="form-control" placeholder="What are you upto?" rows="3"></textarea>
<textarea id="post_text" name="post_text" class="form-control" placeholder="What are you upto?"
rows="3"></textarea>
<div class="input-group mb-3">
<input type="file" class="form-control" name="post_image" id="inputGroupFile02">
<input type="file" accept="image/*" class="form-control" name="post_image" id="inputGroupFile02">
<!-- <label class="input-group-text" for="inputGroupFile02">Upload</label> -->
</div>
<p>
......
<?php
include 'libs/load.php';
$upload_path = get_config('upload_path');
$fname = $_GET['name'];
$image_path = $upload_path . $fname;
// echo $image_path;
//To prevent directory traversal vulnerablity
$image_path = str_replace('..', '', $image_path);
if (is_file($image_path)) {
//TODO: Lot of security things to think about here
header("Content-Type:".mime_content_type($image_path));
header("Content-Length:".filesize($image_path));
echo file_get_contents($image_path);
}
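Review bot: The traversal guard at `$image_path = str_replace('..', '', $image_path);` is a single-pass removal, not a canonicalization: stripping one `..` can leave another behind, and when files.php is requested directly rather than through the rewrite, `$_GET['name']` can still carry directory separators. A missing `name` also raises an undefined-index notice, and the response is sent with whatever `mime_content_type` reports and no `nosniff` header. Resolve the path with `realpath()`, reduce the name to `basename()`, and serve only when the resolved file lies under the resolved upload directory; this assumes `get_config('upload_path')` ends in a separator, as the existing concatenation already does. Reading with `readfile()` instead of `echo file_get_contents()` also avoids buffering the whole file in memory.
```php
// … unchanged: include and $upload_path …
$upload_dir = realpath($upload_path);
$fname = basename((string) ($_GET['name'] ?? ''));
$image_path = $fname === '' ? false : realpath($upload_path . $fname);
// Serve only a regular file whose canonical path is inside the upload directory.
if ($upload_dir !== false && $image_path !== false
    && strncmp($image_path, $upload_dir . DIRECTORY_SEPARATOR, strlen($upload_dir) + 1) === 0
    && is_file($image_path)) {
    header("Content-Type:".mime_content_type($image_path));
    header("Content-Length:".filesize($image_path));
    header("X-Content-Type-Options: nosniff");
    readfile($image_path);
} else {
    http_response_code(404);
}
```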
<?php
include_once __DIR__ . "/../traits/SQLGetterSetter.trait.php";
class Post {
class Post
{
use SQLGetterSetter;
public static function registerPost($text, $image_tmp) {
if(isset($_FILES['post_image'])) {
public static function registerPost($text, $image_tmp)
{
if (is_file($image_tmp) and exif_imagetype($image_tmp) !== false) {
$author = Session::getUser()->getEmail();
$image_name = md5($author.time()) . ".jpg"; #TODO: change the id gen algo
$image_name = md5($author.time()) . image_type_to_extension(exif_imagetype($image_tmp));
$image_path = get_config('upload_path') . $image_name;
if(move_uploaded_file($image_tmp, $image_path)){
$ls = `ls`;
print_r($ls);
$insert_command = "INSERT INTO `posts` (`post_text`, `image_uri`, `like_count`, `uploaded_time`, `owner`)
VALUES ('$text', 'https://c8.alamy.com/comp/RJR7N5/random-objects-on-black-background-vector-illustration-RJR7N5.jpg', '0', now(), '$author')";
if (move_uploaded_file($image_tmp, $image_path)) {
$image_uri = "/images/$image_name";
$insert_command = "INSERT INTO `posts` (`post_text`, `multiple_images`, `image_uri`, `like_count`, `uploaded_time`, `owner`) VALUES ('$text', 0, '$image_uri', '0', now(), '$author')";
$db = Database::getConnection();
if($db->query($insert_command)){
if ($db->query($insert_command)) {
$id = mysqli_insert_id($db);
return new Post($id);
} else {
return false;
}
}
} else {
throw new Exception("Image not uploaded");
}
}
public function __construct($id){
$this->id = $id;
$this->conn = Database::getConnection();
$this->table = 'posts';
public function __construct($id)
{
$this->id = $id;
$this->conn = Database::getConnection();
$this->table = 'posts';
}
}
\ No newline at end of file
}
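Review bot: `$text` is interpolated straight into the INSERT on the new `$insert_command = "INSERT INTO ... VALUES ('$text', 0, '$image_uri', ...)"` line, and on this page it comes from `$_POST['post_text']` in sg.php, so the statement should be a prepared statement with bound parameters rather than string-built SQL. The new `$image_name = md5($author.time()) . image_type_to_extension(...)` line drops the old TODO but keeps a name that is predictable and collides when the same author uploads twice within one second; `bin2hex(random_bytes(16))` avoids both. `exif_imagetype($image_tmp)` is also evaluated twice (in the `if` and on the name line); capturing it once keeps the check and the extension in agreement.
```php
public static function registerPost($text, $image_tmp)
{
    if (is_file($image_tmp) and ($image_type = exif_imagetype($image_tmp)) !== false) {
        $author = Session::getUser()->getEmail();
        // Unpredictable, collision-resistant name; extension taken from the file's magic bytes.
        $image_name = bin2hex(random_bytes(16)) . image_type_to_extension($image_type);
        $image_path = get_config('upload_path') . $image_name;
        if (move_uploaded_file($image_tmp, $image_path)) {
            $image_uri = "/images/$image_name";
            $db = Database::getConnection();
            // Values travel as bound parameters; nothing from the request is spliced into the SQL text.
            $stmt = $db->prepare("INSERT INTO `posts` (`post_text`, `multiple_images`, `image_uri`, `like_count`, `uploaded_time`, `owner`) VALUES (?, 0, ?, '0', now(), ?)");
            if ($stmt === false) {
                return false;
            }
            $stmt->bind_param('sss', $text, $image_uri, $author);
            if ($stmt->execute()) {
                return new Post($stmt->insert_id);
            }
            return false;
        }
    } else {
        // … unchanged: throw new Exception("Image not uploaded") …
    }
}
```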
<?php
<?php
/**
* To use this trait, the PHP Object's constructor should have
* $id, $conn, $tabel variables set.
*
*
* $id - The ID of the MySQL Table Row.
* $conn - The MySQL Connection.
* $table - The MySQL Table Name.
*/
trait SQLGetterSetter {
trait SQLGetterSetter
{
public function __call($name, $arguments)
{
$property = preg_replace("/[^0-9a-zA-Z]/", "", substr($name, 3));
......@@ -18,7 +20,7 @@ trait SQLGetterSetter {
} elseif (substr($name, 0, 3) == "set") {
return $this->_set_data($property, $arguments[0]);
} else {
throw new Exception("Post::__call() -> $name, function unavailable.");
throw new Exception(__CLASS__."::__call() -> $name, function unavailable.");
}
}
......@@ -27,14 +29,18 @@ trait SQLGetterSetter {
if ($this->conn) {
$this->conn = Database::getConnection();
}
$sql = "SELECT `$var` FROM `$this->table` WHERE `id` = $this->id";
//print($sql);
$result = $this->conn->query($sql);
if ($result and $result->num_rows == 1) {
//print("Res: ".$result->fetch_assoc()["$var"]);
return $result->fetch_assoc()["$var"];
} else {
return null;
try {
$sql = "SELECT `$var` FROM `$this->table` WHERE `id` = $this->id";
//print($sql);
$result = $this->conn->query($sql);
if ($result and $result->num_rows == 1) {
//print("Res: ".$result->fetch_assoc()["$var"]);
return $result->fetch_assoc()["$var"];
return null;
return null;
}
} catch (Exception $e) {
throw new Exception(__CLASS__."::_get_data() -> $var, data unavailable.");
}
}
......@@ -43,12 +49,15 @@ trait SQLGetterSetter {
if (!$this->conn) {
$this->conn = Database::getConnection();
}
$sql = "UPDATE `$this->table` SET `$var`='$data' WHERE `id`=$this->id;";
if ($this->conn->query($sql)) {
return true;
} else {
return false;
try {
$sql = "UPDATE `$this->table` SET `$var`='$data' WHERE `id`=$this->id;";
if ($this->conn->query($sql)) {
return true;
} else {
return false;
}
} catch (Exception $e) {
throw new Exception(__CLASS__."::_set_data() -> $var, data unavailable.");
}
}
}
\ No newline at end of file
}
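Review bot: `_set_data` interpolates its `$data` argument unescaped into the UPDATE string on the `$sql = "UPDATE ... SET ... ='$data' WHERE ..."` line, so every `setX()` reached through `__call` passes its value into SQL verbatim; bind it as a parameter instead. The column name is bounded by the `preg_replace("/[^0-9a-zA-Z]/", "", ...)` in `__call`, so only the value needs binding. In the `_get_data` hunk, `if ($this->conn) { $this->conn = Database::getConnection(); }` is the inverse of the `if (!$this->conn)` check in `_set_data`: it reconnects when a connection exists and skips when one is missing. Both new `catch (Exception $e)` blocks rethrow without passing `$e` as the previous exception, discarding the driver's message. Both `_get_data` and `_set_data` begin above their hunks, so their signatures are not visible here.
```php
// … unchanged: connection check …
try {
    // Only the column name (already reduced to [0-9a-zA-Z] by __call) is interpolated; the value is bound.
    $stmt = $this->conn->prepare("UPDATE `$this->table` SET `$var`=? WHERE `id`=?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $data, $this->id);
    return $stmt->execute();
} catch (Exception $e) {
    throw new Exception(__CLASS__."::_set_data() -> $var, data unavailable.", 0, $e);
}
```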
<pre>
<?php
include 'libs/load.php';
$p = new Post(1);
print($p->getPostText());
?>
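Review bot: `print($p->getPostText())` writes a value read back from the `posts` table into the page without escaping; on this page that column is filled from `$_POST['post_text']` via sg.php and `Post::registerPost`, so the output should go through `htmlspecialchars($p->getPostText(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. With the hard-coded `new Post(1)` and the unclosed `<pre>` this reads as a scratch page; if it is meant to ship, the escaping still applies.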
<pre>
<?php
echo Session::getUser()->getEmail();
$image_tmp = $_FILES['post_image']['tmp_name'];
$text = $_POST['post_text'];
echo $image_tmp;
Post::registerPost($text, $image_tmp);
?></pre>
\ No newline at end of file
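Review bot: `$image_tmp = $_FILES['post_image']['tmp_name'];` is read without consulting `$_FILES['post_image']['error']`, so an oversized or partial upload reaches `Post::registerPost` as a bad path and surfaces only as the generic `Image not uploaded` exception. The two `echo` lines print the logged-in user's email and the server-side temporary path into the response, which is debugging output rather than something a client should see. Guard the call with `if (($_FILES['post_image']['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) { throw new Exception("Image not uploaded"); }`, read the text as `$text = $_POST['post_text'] ?? '';`, and drop both `echo`s.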