
Add filename checking to reduce spam and red alert option

master
CoalfaxRevamped 2 months ago
parent
commit
06cdec2013
1 changed files with 74 additions and 62 deletions
  1. +74
    -62
      submit_coalburner.php

+ 74
- 62
submit_coalburner.php View File

@@ -1,77 +1,89 @@
<?php session_start();
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// Captcha validation
include_once $_SERVER['DOCUMENT_ROOT'] . '/vendor/dapphp/securimage/securimage.php';
// Setting variables
// Change this variable to 1 to disable this submission forum, for emergencies only.
$redalert = 0;

$securimage = new Securimage();
if ($securimage->check($_POST['captcha_code']) == false) {
// the code was incorrect
// you should handle the error so that the form processor doesn't continue
// or you can use the following code if there is no validation or you do not know how
echo "The security code entered was incorrect.<br /><br />";
echo "Please go <a href='javascript:history.go(-1)'>back</a> and try again.";
die;
}
if ($redalert == 1) {
die("Error: Red alert is in effect, submissions are disabled, please try again later.");
} else {
// Captcha validation
include_once $_SERVER['DOCUMENT_ROOT'] . '/vendor/dapphp/securimage/securimage.php';

// Image handling
// Check if file was uploaded without errors
if (isset($_FILES["images"]) && $_FILES["images"]["error"] == 0) {
// Checks the file MIME type itself to make sure it's actually a png/jpg/jpeg
$allowed = getimagesize($_FILES["images"]["tmp_name"]);
if ($allowed['mime'] == ("image/png") ||
$allowed['mime'] == ("image/jpg") ||
$allowed['mime'] == ("image/jpeg")||
$allowed['mime'] == ("image/webp")) {
$filename = time() . '_' . $_FILES["images"]["name"];
$filetype = $_FILES["images"]["type"];
$filesize = $_FILES["images"]["size"];
$filetmp = $_FILES["images"]["tmp_name"];
// Verify file size - 5MB maximum
$maxsize = 5 * 1024 * 1024;
if ($filesize > $maxsize) {
die("Error: File size is larger than the allowed limit.");
}
$securimage = new Securimage();
if ($securimage->check($_POST['captcha_code']) == false) {
// the code was incorrect
// you should handle the error so that the form processor doesn't continue
// or you can use the following code if there is no validation or you do not know how
echo "The security code entered was incorrect.<br /><br />";
echo "Please go <a href='javascript:history.go(-1)'>back</a> and try again.";
die;
}

// Image handling
// Check if file was uploaded without errors
if (isset($_FILES["images"]) && $_FILES["images"]["error"] == 0) {
// Checks the file MIME type itself to make sure it's actually a png/jpg/jpeg
$allowed = getimagesize($_FILES["images"]["tmp_name"]);
if ($allowed['mime'] == ("image/png") ||
$allowed['mime'] == ("image/jpg") ||
$allowed['mime'] == ("image/jpeg")||
$allowed['mime'] == ("image/webp")) {
$filename = $_FILES["images"]["name"];
$filetype = $_FILES["images"]["type"];
$filesize = $_FILES["images"]["size"];
$filetmp = $_FILES["images"]["tmp_name"];

if (file_exists("images/" . $filename)) {
die("Error: File already exists.");
}

// Verify file size - 5MB maximum
$maxsize = 5 * 1024 * 1024;
if ($filesize > $maxsize) {
die("Error: File size is larger than the allowed limit.");
}
// Verify MIME type of the file
if (in_array($filetype, $allowed)) {
move_uploaded_file($filetmp, "images/" . $filename);
echo "Image uploaded successfully.<br /><br />";
// Verify MIME type of the file
if (in_array($filetype, $allowed)) {
move_uploaded_file($filetmp, "images/" . $filename);
echo "Image uploaded successfully.<br /><br />";
} else {
echo "Error: There was a problem uploading your image. Please try again.";
}
} else {
echo "Error: There was a problem uploading your image. Please try again.";
echo "Error: " . $_FILES["images"]["error"];
}
} else {
echo "Error: " . $_FILES["images"]["error"];
}
}

// Database variables
$servername = "localhost"; // Make sure to change this to the server your database is on
$username = "root";
$password = "";
$dbname = "coalfax"; // I recommend naming your database something other than this for security reasons
// Database variables
$servername = "localhost"; // Make sure to change this to the server your database is on
$username = "root";
$password = "";
$dbname = "coalfax"; // I recommend naming your database something other than this for security reasons

// Forum handling
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Forum handling
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stmt = $conn->prepare("INSERT INTO coalburners (name, proofs, body, images) VALUES (:name, :proofs, :body, :images)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':proofs', $proofs);
$stmt->bindParam(':body', $body);
$stmt->bindParam(':images', $filename);
$stmt = $conn->prepare("INSERT INTO coalburners (name, proofs, body, images) VALUES (:name, :proofs, :body, :images)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':proofs', $proofs);
$stmt->bindParam(':body', $body);
$stmt->bindParam(':images', $filename);

// Converts post data from special characters if any to HTML entries.
$name = htmlspecialchars($_POST["name"], ENT_COMPAT | ENT_HTML5, "UTF-8");
$proofs = htmlspecialchars($_POST["proofs"], ENT_COMPAT | ENT_HTML5, "UTF-8");
$body = htmlspecialchars($_POST["body"], ENT_COMPAT | ENT_HTML5, "UTF-8");
$stmt->execute();
// Converts post data from special characters if any to HTML entries.
$name = htmlspecialchars($_POST["name"], ENT_COMPAT | ENT_HTML5, "UTF-8");
$proofs = htmlspecialchars($_POST["proofs"], ENT_COMPAT | ENT_HTML5, "UTF-8");
$body = htmlspecialchars($_POST["body"], ENT_COMPAT | ENT_HTML5, "UTF-8");
$stmt->execute();

echo "Coalburner added successfully. Click <a href='javascript:history.go(-1)'>here</a> to go back.";
} catch (PDOException $e) {
echo "Error: " . $e->getMessage();
echo "Coalburner added successfully. Click <a href='javascript:history.go(-1)'>here</a> to go back.";
} catch (PDOException $e) {
echo "Error: " . $e->getMessage();
}
$conn = null;
}
$conn = null;
}
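Review bot: The stored path is still taken verbatim from the client-supplied upload name — `$filename = $_FILES["images"]["name"];` feeds both `file_exists("images/" . $filename)` and `move_uploaded_file($filetmp, "images/" . $filename)` — so the submitter, not the server, chooses the directory component and the extension under `images/`, and the getimagesize() check validates the bytes but not where they land or whether the web server would treat the resulting name as a script (the earlier `time() . '_'` prefix, which this commit appears to drop, did not help with that either). Deriving the name from the verified content keeps the duplicate rejection this commit adds while removing that control: after the size check, `$filename = hash_file('sha256', $filetmp) . image_type_to_extension($allowed[2]);` followed by the same `file_exists` test. The later `if (in_array($filetype, $allowed))` compares the client-sent `type` loosely against the getimagesize() array, which also holds integer width/height/type entries, so it should pass `strict: true` or be dropped now that the mime is checked directly on `$allowed['mime']`. The `move_uploaded_file` return value is not checked, so `$filename` can be inserted into `coalburners.images` even when the copy failed; `if (!move_uploaded_file($filetmp, "images/" . $filename)) { die("Error: There was a problem uploading your image. Please try again."); }` would close that gap. The enclosing `if ($_SERVER['REQUEST_METHOD'] == 'POST')` block starts at the top of the hunk and its closing brace is the hunk's last line, so these lines are reviewed in full.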
