Miva - File Upload as Text Attribute
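<?php
// NOTE: Please use the `upload.php` file.
// This `upload_simple_insecure.php` script is just here as a simple example.
//
// Stores the uploaded "file" field under ../uploads[/<Basket_ID>]/ and answers
// with JSON {"status": "null"|"success"|"error", "path": "<relative path>"}.
// Both values it takes from the request (Basket_ID and the original file name)
// are attacker-controlled and end up as path components, so each is reduced to
// a conservative character set before use. It still accepts any file type and
// performs no size or MIME validation; upload.php does that.
$ds = DIRECTORY_SEPARATOR;
$result = array(
    'status' => 'null',
    'path' => '',
);
$storeFolder = '../uploads';
// Resolve the target directory relative to this file rather than the process
// working directory, so that mkdir() and move_uploaded_file() agree on it.
$baseDir = dirname(__FILE__) . $ds . $storeFolder;
$basketId = (isset($_POST['Basket_ID']) && is_string($_POST['Basket_ID'])) ? $_POST['Basket_ID'] : '';
// Basket_ID becomes a sub-directory name: only [A-Za-z0-9_-] is allowed so a
// value such as "../../" cannot move the target outside the uploads tree.
$basketIdValid = ($basketId === '' || preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $basketId) === 1);
if ($basketIdValid && $basketId !== '') {
    $storeFolder .= $ds . $basketId;
    $baseDir .= $ds . $basketId;
    if (!is_dir($baseDir)) {
        mkdir($baseDir, 0755, true);
    }
}
$upload = (isset($_FILES['file']) && is_array($_FILES['file'])) ? $_FILES['file'] : null;
if (!$basketIdValid) {
    $result['status'] = 'error';
} elseif ($upload !== null && isset($upload['tmp_name'], $upload['name']) && is_string($upload['name'])) {
    // The client-supplied name may carry directory parts or leading dots: keep
    // only the base name, replace anything outside [A-Za-z0-9._-], and strip
    // leading dots so hidden files such as ".htaccess" cannot be written.
    $fileName = ltrim((string) preg_replace('/[^A-Za-z0-9._-]/', '_', basename($upload['name'])), '.');
    if ($fileName === '') {
        $result['status'] = 'error';
    } else {
        $targetFile = $baseDir . $ds . $fileName;
        // Reported path is relative, as in the original contract.
        $result['path'] = $storeFolder . $ds . $fileName;
        $result['status'] = move_uploaded_file($upload['tmp_name'], $targetFile) ? 'success' : 'error';
    }
}
echo json_encode($result);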
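<?php
// upload.php - validated image upload endpoint.
//
// Expects one multipart file field "file" and a POST field "Customer_ID".
// Replies as text/plain: the stored path on success, otherwise a single
// "Error: ..." line. Validation order: request shape, customer id, PHP upload
// error code, size, content-sniffed MIME type, then a content-hash file name
// (the client-supplied file name is never used).
header('Content-Type: text/plain; charset=utf-8');
try {
    // Undefined | Multiple Files | $_FILES Corruption Attack
    // If this request falls under any of them, treat it invalid.
    // The raw $_FILES structure is deliberately not echoed back: the message
    // is all the client needs, and dumping it would expose server-side details
    // (temporary paths) to whoever sent the malformed request.
    if (
        !isset($_FILES['file']['error']) ||
        is_array($_FILES['file']['error'])
    ) {
        throw new RuntimeException('Error: Invalid parameters.');
    }
    // Customer_ID becomes a directory name below, so only a plain decimal
    // string is accepted. is_numeric() would also pass "1e3", "1.5" or a value
    // with leading whitespace, none of which belongs in a path component.
    // NOTE(review): nothing in this script ties Customer_ID to the logged-in
    // customer; that check has to live in the caller or a session layer that
    // is not visible here.
    $customerId = isset($_POST['Customer_ID']) ? $_POST['Customer_ID'] : null;
    if (!is_string($customerId) || preg_match('/\A[0-9]+\z/', $customerId) !== 1) {
        throw new RuntimeException('Error: Invalid customer id.');
    }
    // Check $_FILES['file']['error'] value.
    switch ($_FILES['file']['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_NO_FILE:
            throw new RuntimeException('Error: No file sent.');
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('Error: Exceeded filesize limit.');
        default:
            throw new RuntimeException('Error: Unknown errors.');
    }
    // Application-level size cap (1 MB), independent of php.ini / form limits.
    if ($_FILES['file']['size'] > 1000000) {
        throw new RuntimeException('Error: Exceeded filesize limit.');
    }
    $tmpName = $_FILES['file']['tmp_name'];
    // DO NOT TRUST the client-supplied $_FILES['file']['type'] VALUE !!
    // Sniff the MIME type from the file content instead. finfo::file() returns
    // false on failure, which the strict array_search() below treats as
    // "not an allowed type".
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $ext = array_search(
        $finfo->file($tmpName),
        array(
            'jpg' => 'image/jpeg',
            'jpeg' => 'image/jpeg',
            'png' => 'image/png',
            'gif' => 'image/gif',
        ),
        true
    );
    if (false === $ext) {
        throw new RuntimeException('Error: Invalid file format.');
    }
    // Name the stored file by its content hash. $_FILES['file']['name'] is
    // never used, so the attacker-chosen name cannot reach the filesystem, and
    // identical uploads collapse onto one file.
    $hash = sha1_file($tmpName);
    if (false === $hash) {
        throw new RuntimeException('Error: Failed to read uploaded file.');
    }
    // Create the per-customer directory on demand; the original assumed it
    // already existed and reported a bare "Failed to move" otherwise. The
    // second is_dir() covers a concurrent request creating it first.
    $dir = sprintf('../uploads/%s', $customerId);
    if (!is_dir($dir) && !mkdir($dir, 0755, true) && !is_dir($dir)) {
        throw new RuntimeException('Error: Failed to create upload directory.');
    }
    $path = sprintf('%s/%s.%s', $dir, $hash, $ext);
    if (move_uploaded_file($tmpName, $path)) {
        echo $path;
    } else {
        throw new RuntimeException('Error: Failed to move uploaded file.');
    }
} catch (RuntimeException $e) {
    echo $e->getMessage();
}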
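<?php
// upload.php - validated image upload endpoint.
//
// Expects one multipart file field "file" and a POST field "Customer_ID".
// Replies as text/plain: the stored path on success, otherwise a single
// "Error: ..." line. Validation order: request shape, customer id, PHP upload
// error code, size, content-sniffed MIME type, then a content-hash file name
// (the client-supplied file name is never used).
header('Content-Type: text/plain; charset=utf-8');
try {
    // Undefined | Multiple Files | $_FILES Corruption Attack
    // If this request falls under any of them, treat it invalid.
    // The raw $_FILES structure is deliberately not echoed back: the message
    // is all the client needs, and dumping it would expose server-side details
    // (temporary paths) to whoever sent the malformed request.
    if (
        !isset($_FILES['file']['error']) ||
        is_array($_FILES['file']['error'])
    ) {
        throw new RuntimeException('Error: Invalid parameters.');
    }
    // Customer_ID becomes a directory name below, so only a plain decimal
    // string is accepted. is_numeric() would also pass "1e3", "1.5" or a value
    // with leading whitespace, none of which belongs in a path component.
    // NOTE(review): nothing in this script ties Customer_ID to the logged-in
    // customer; that check has to live in the caller or a session layer that
    // is not visible here.
    $customerId = isset($_POST['Customer_ID']) ? $_POST['Customer_ID'] : null;
    if (!is_string($customerId) || preg_match('/\A[0-9]+\z/', $customerId) !== 1) {
        throw new RuntimeException('Error: Invalid customer id.');
    }
    // Check $_FILES['file']['error'] value.
    switch ($_FILES['file']['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_NO_FILE:
            throw new RuntimeException('Error: No file sent.');
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('Error: Exceeded filesize limit.');
        default:
            throw new RuntimeException('Error: Unknown errors.');
    }
    // Application-level size cap (1 MB), independent of php.ini / form limits.
    if ($_FILES['file']['size'] > 1000000) {
        throw new RuntimeException('Error: Exceeded filesize limit.');
    }
    $tmpName = $_FILES['file']['tmp_name'];
    // DO NOT TRUST the client-supplied $_FILES['file']['type'] VALUE !!
    // Sniff the MIME type from the file content instead. finfo::file() returns
    // false on failure, which the strict array_search() below treats as
    // "not an allowed type".
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $ext = array_search(
        $finfo->file($tmpName),
        array(
            'jpg' => 'image/jpeg',
            'jpeg' => 'image/jpeg',
            'png' => 'image/png',
            'gif' => 'image/gif',
        ),
        true
    );
    if (false === $ext) {
        throw new RuntimeException('Error: Invalid file format.');
    }
    // Name the stored file by its content hash. $_FILES['file']['name'] is
    // never used, so the attacker-chosen name cannot reach the filesystem, and
    // identical uploads collapse onto one file.
    $hash = sha1_file($tmpName);
    if (false === $hash) {
        throw new RuntimeException('Error: Failed to read uploaded file.');
    }
    // Create the per-customer directory on demand; the original assumed it
    // already existed and reported a bare "Failed to move" otherwise. The
    // second is_dir() covers a concurrent request creating it first.
    $dir = sprintf('../uploads/%s', $customerId);
    if (!is_dir($dir) && !mkdir($dir, 0755, true) && !is_dir($dir)) {
        throw new RuntimeException('Error: Failed to create upload directory.');
    }
    $path = sprintf('%s/%s.%s', $dir, $hash, $ext);
    if (move_uploaded_file($tmpName, $path)) {
        echo $path;
    } else {
        throw new RuntimeException('Error: Failed to move uploaded file.');
    }
} catch (RuntimeException $e) {
    echo $e->getMessage();
}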
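(function mvdropzone(){
    // Turns every .dropzone element into a Dropzone uploader posting to
    // /php/upload.php, and appends each uploaded file's URL to the text
    // attribute input that directly follows the drop zone (comma-separated).
    //
    // NOTE(review): this handler expects a JSON reply of the form
    // {status, path}, which is what the upload_simple_insecure.php script on
    // this page returns; the upload.php shown here replies with text/plain and
    // requires a Customer_ID field, so pair the endpoint and the client
    // deliberately.
    if( !$('.dropzone').length ){
        return;
    }
    // NOTE(review): the library is fetched from a CDN at runtime with no
    // integrity pin; $.getScript cannot carry an SRI hash, so self-hosting or
    // a static <script integrity="..."> tag would be the way to pin it.
    $.getScript('//cdnjs.cloudflare.com/ajax/libs/dropzone/4.0.1/min/dropzone.min.js', function(){
        $('head').append('<link href="//cdnjs.cloudflare.com/ajax/libs/dropzone/4.0.1/min/dropzone.min.css" rel="stylesheet">');
        Dropzone.autoDiscover = false;
        $('.dropzone').each(function(){
            var $dropzone = $(this),
                $attributeInput = $dropzone.next(),
                dropZoneId = '#' + $dropzone.attr('id');
            $attributeInput.hide();
            $dropzone.parent().prev('.prompt').hide();
            this.myDropZone = new Dropzone(dropZoneId, {
                url: '/php/upload.php'
            });
            this.myDropZone.on('sending', function(file, xhr, formData) {
                formData.append('Basket_ID', $dropzone.data('basket-id'));
            });
            this.myDropZone.on('complete', function(file) {
                // 'complete' also fires for cancelled or failed transfers, where
                // file.xhr may be absent or carry a non-JSON body; treat those
                // as an upload error instead of throwing inside the handler.
                var response = null;
                if (file.xhr && typeof file.xhr.response === 'string') {
                    try {
                        response = JSON.parse(file.xhr.response);
                    } catch (e) {
                        response = null;
                    }
                }
                if (response && response.status === 'success' && typeof response.path === 'string') {
                    var filePaths = ($attributeInput.val().length) ? $attributeInput.val().split(',') : [],
                        // Strip every ".." segment; the non-global regex only
                        // removed the first one.
                        path = window.location.origin + response.path.replace(/\.\./g, '');
                    filePaths.push(path);
                    $attributeInput.val(filePaths.join(','));
                } else {
                    alert('Error uploading file.');
                }
            });
        });
    });
})();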
...
<td class="field">
<mvt:if expr="l.settings:attribute:type EQ 'text'">
<mvt:if expr="'upload_' IN l.settings:attribute:code EQ 1">
<div class="dropzone" id="dropzone-&mvt:product:id;-&mvt:attribute:id;" data-basket-id="&mvt:global:basket:basket_id;"></div>
</mvt:if>
<input type="text" name="Product_Attributes[&mvt:attribute:index;]:value" value="&mvte:attribute:value;" class="textfield" />
<mvt:elseif expr="l.settings:attribute:type EQ 'memo'">
...