The following upload script seems to be working on PCs but not on
Macs. Can anyone imagine a reason why? Could there be something in the
form that turns in flawed data, or could IE on a Mac not pass along
certain data that Netscape and IE do on a PC?
function standardImageUpload() {
$controllerForAll = & getController();
$insertObject = & $controllerForAll->getObject("McTransactions", " in
standardImageUpload().");
$formatTextObject = & $controllerForAll->getObject("McFormatText", "
in standardImageUpload().");
$resultsObject = & $controllerForAll->getObject("McResults", " in
standardImageUpload().");
$config = getConfig();
$pathToImageFolder = $config["pathToImageFolder"];
$imagesFolder = $config["imagesFolder"];
global $uploadedFile, $uploadedFile_size, $uploadedFile_name;
if (!$uploadedFile) {
$uploadedFile = $controllerForAll->getVar("$uploadedFile");
$uploadedFile_size =
$controllerForAll->getVar("$uploadedFile_size");
$uploadedFile_size =
$controllerForAll->getVar("$uploadedFile_size");
}
$uploadedFile_name =
$formatTextObject->processFileName($uploadedFile_name);
$uploadedFile_name = htmlspecialchars($uploadedFile_name);
// 04-20-04 - we need to keep hackers from uploading files with PHP,
or if they do, we need to keep those files
// from being sent to the PHP parser. So we look for typical PHP
extensions.
$fileSafe = true;
$ext = substr($uploadedFile_name, -4);
if ($ext == "php3") $fileSafe = false;
if ($ext == ".php") $fileSafe = false;
if ($ext == ".inc") $fileSafe = false;
if ($ext == "phtm") $fileSafe = false;
$ext = substr($uploadedFile_name, -5);
if ($ext == "phtml") $fileSafe = false;
if ($fileSafe) {
$absolutePath .= $pathToImageFolder.$uploadedFile_name;
$urlPath .= $imagesFolder.$uploadedFile_name;
if (is_dir($pathToImageFolder)) {
if (!file_exists($absolutePath)) {
if (copy($uploadedFile, $absolutePath)) {
$resultsObject->addToResults("Success: The image or file
'$uploadedFile_name' has been uploaded. If you wish to reference it
this is the address: <a href='$urlPath'>$uploadedFile_name</a>");
} else {
if ($uploadedFile_size > 2000000) {
$resultsObject->addToResults("Error: the upload failed. Your
file of '$uploadedFile_name' is not uploaded. It is very large, with a
size of $uploadedFile_size. This may have been a factor in its
failure.");
} else {
$resultsObject->addToResults("Error: the upload failed. Your
file of '$uploadedFile_name' is not uploaded.");
}
}
} else {
$resultsObject->addToResults("Error: a file with the same name as
the one you are uploading already exists. Please delete the old file
first, and then upload the new one.");
}
} else {
$resultsObject->error("We tried to copy the image to the image
folder that is specified in your site's configuration, yet the folder
doesn't seem to be there.", "standardImageUpload");
}
$controllerForAll->import("standardInsert", " in
standardImageUpload().");
standardInsert();
} else {
$resultsObject->addToResults("<b>Error:</b> Terribly sorry, but it
looks like you're trying to upload a PHP file. For security reasons,
this is not allowed. The extension on your file was '$ext'.");
}
}
