thedigicraft / Atom.CMS


Problem with dropzone #212

Closed bidjan closed 8 years ago

bidjan commented 8 years ago

Hi creptor:

Users.php is located in views folder Uploads.php is located in admin folder.

Please explain to me how we can run uploads.php from within users.php by using the following script

creptor commented 8 years ago

First, the code is not good. Every part of it contradicts the others, and there are also missing parameters.

Second, and most important, adding any kind of file upload to web pages is a serious security risk. I recommend, despite the fact that the videos show how to make it work, that you don't use it.

Security could be implemented only on a system that supports chmod, so if you're on Windows.... bad luck 😢 (if it is an IIS server, read this).

Third thing, please always, always verify the file that has been uploaded: it could have malicious code in it, it can replace a core file, etc. (Hackers like you when you let anyone upload anything, so they don't have to make mistakes.)

Finally, how to do it....

I haven't tested this script fully, so please bear in mind that it might not work.... mine is not complete, so this is a rewrite. There are two ways to upload a file.... the lazy way, as is demonstrated here: http://www.w3schools.com/php/php_file_upload.asp

Or the complete way, with a script like this one (for single file upload):

<?php
try {
    // The new file will have a random generated name, can be changed to date if you want, but it must have a part randomize
    // Change here the location where you want the file to go (must end with the DIRECTORY_SEPARATOR)
    $targetPath=dirname(__FILE__).DIRECTORY_SEPARATOR.'uploads'.DIRECTORY_SEPARATOR;
    
    // Undefined | Multiple Files | $_FILES Corruption Attack
    // If this request falls under any of them, treat it invalid.
    if (
        !isset($_FILES['upfile']['error']) ||
        is_array($_FILES['upfile']['error'])
    ) {
        throw new RuntimeException('Invalid parameters.');
    }

    // Check $_FILES['upfile']['error'] value.
    switch ($_FILES['upfile']['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_NO_FILE:
            throw new RuntimeException('No file sent.');
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('Exceeded filesize limit.');
        default:
            throw new RuntimeException('Unknown errors.');
    }

    // You should also check filesize here. 
    if ($_FILES['upfile']['size'] > 1000000) {
        throw new RuntimeException('Exceeded filesize limit.');
    }

    // DO NOT TRUST THE CLIENT-SUPPLIED $_FILES['upfile']['type'] VALUE !!
    // Check the MIME type yourself by sniffing the file's actual content.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if (false === $ext = array_search(
        $finfo->file($_FILES['upfile']['tmp_name']),
        array(
            'jpg' => 'image/jpeg',
            'png' => 'image/png',
            'gif' => 'image/gif',
        ),
        true
    )) {
        throw new RuntimeException('Invalid file format.');
    }

    // You should name it uniquely.
    // DO NOT USE $_FILES['upfile']['name'] WITHOUT ANY VALIDATION !!
    // On this example, obtain safe unique name from its binary data.
    if (!move_uploaded_file(
        $_FILES['upfile']['tmp_name'],
        sprintf('%s%s.%s',
            $targetPath,
            sha1_file($_FILES['upfile']['tmp_name']),
            $ext
        )
    )) {
        throw new RuntimeException('Failed to move uploaded file.');
    }

    echo 'File is uploaded successfully.';

} catch (RuntimeException $e) {

    echo $e->getMessage();

}
?> 

Lots of research, so that explains why I took so long to respond 😢
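Picking up the Dropzone question, as an added example that is not code from this thread or from Atom.CMS: the same checks as the script above, reshaped into a function and given the JSON body and HTTP status a Dropzone client expects. Dropzone's default field name "file" and the `uploads` directory next to the script are assumptions.

```php
<?php
// Added example, not Atom.CMS code: the checks from the script above, wrapped
// for a Dropzone client (assumes Dropzone's default field name "file").
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 1000000;
const ALLOWED_TYPES = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Validate one $_FILES entry and move it into $targetDir; returns the final path.
function storeUpload(array $file, string $targetDir): string
{
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Invalid parameters.');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException($file['error'] === UPLOAD_ERR_NO_FILE ? 'No file sent.' : 'Upload failed.');
    }
    // Only accept a temp file that PHP itself received via this HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload.');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('Exceeded filesize limit.');
    }
    // Sniff the real content; never trust $file['type'] or the client's filename.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = array_search($mime, ALLOWED_TYPES, true);
    if ($ext === false) {
        throw new RuntimeException('Invalid file format.');
    }
    $dest = $targetDir . sha1_file($file['tmp_name']) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Failed to move uploaded file.');
    }
    return $dest;
}

// Dropzone handler: a non-2xx status marks the upload as failed in the widget.
header('Content-Type: application/json');
try {
    $path = storeUpload($_FILES['file'] ?? [], __DIR__ . DIRECTORY_SEPARATOR . 'uploads' . DIRECTORY_SEPARATOR);
    http_response_code(201);
    echo json_encode(['ok' => true, 'name' => basename($path)]);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
}
```

The `uploads` directory should be one the web server will not execute scripts from, so that even a file that passes these checks is only ever served as static data.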

creptor commented 8 years ago

Tomorrow I'll answer you with what you need to do with the dropzone if used....

creptor commented 8 years ago

Please, if you're not using dropzone, say so, so I don't have to look up that thing :3

bidjan commented 8 years ago

Hi Creptor:

Thank you again for providing me with additional information.

I find the W3Schools scripts regarding this issue very useful.

Bob Ghodsi