
Wholesale Customer Upload Form


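<?php

/**
 * Wholesale customer document upload endpoint.
 *
 * Expects a multipart POST carrying:
 *   - file             the uploaded document (JPEG, PNG, GIF or PDF)
 *   - Customer_ID      positive integer; selects the per-customer upload directory
 *   - Document_Index   positive integer; distinguishes documents of one customer
 *   - Customer_State, Customer_Company   optional; embedded in the stored filename
 *
 * On success the stored path is echoed as plain text; on any validation or
 * I/O failure an "Error: ..." message is echoed instead.
 *
 * NOTE(review): no authentication or authorization check is visible in this
 * script -- confirm the surrounding form/session layer enforces one before
 * this endpoint is reached.
 */

/** Maximum accepted upload size in bytes (the limit the script always applied). */
define('WCU_MAX_UPLOAD_BYTES', 1000000);

/** Directory under which the per-customer upload folders are created. */
define('WCU_UPLOAD_ROOT', '../uploads');

/**
 * Allowed storage extensions keyed to the MIME type libmagic must report.
 *
 * The extension is looked up from the detected type, never taken from the
 * client's filename, so it is safe to embed in a path. With two keys mapping
 * to image/jpeg the first ('jpg') wins, as in the original lookup.
 *
 * @return array<string, string>
 */
function wcu_allowed_types()
{
	return [
		'jpg'  => 'image/jpeg',
		'jpeg' => 'image/jpeg',
		'png'  => 'image/png',
		'gif'  => 'image/gif',
		'pdf'  => 'application/pdf',
	];
}

/**
 * Map a $_FILES error code to the message to report to the client, or null
 * when the upload itself succeeded (UPLOAD_ERR_OK).
 *
 * @param int $code value of $_FILES['file']['error']
 * @return string|null
 */
function wcu_upload_error_message($code)
{
	switch ($code) {
		case UPLOAD_ERR_OK:
			return null;
		case UPLOAD_ERR_NO_FILE:
			return 'Error: No file sent.';
		case UPLOAD_ERR_INI_SIZE:
		case UPLOAD_ERR_FORM_SIZE:
			return 'Error: Exceeded filesize limit.';
		default:
			return 'Error: Unknown errors.';
	}
}

/**
 * Parse a form value as a strictly positive integer.
 *
 * Returns null for anything that is not a plain integer >= 1: missing value,
 * array, float or non-numeric text, zero, negatives, out-of-range numbers.
 * The original `!$x > 0` test bound as `(!$x) > 0` and therefore never
 * rejected negative values; this helper is the corrected check.
 *
 * @param mixed $value raw $_POST value (string, int, array or null)
 * @return int|null
 */
function wcu_positive_int($value)
{
	if (!is_string($value) && !is_int($value)) {
		return null;
	}
	$parsed = filter_var(
		is_string($value) ? trim($value) : $value,
		FILTER_VALIDATE_INT,
		['options' => ['min_range' => 1]]
	);
	return $parsed === false ? null : $parsed;
}

/**
 * Strip every character outside [A-Za-z0-9_-] so the value is safe as a
 * filename component (no separators, dots or shell-significant characters).
 *
 * @param string $value
 * @return string
 */
function wcu_sanitize_component($value)
{
	return preg_replace('/[^a-zA-Z0-9_-]/', '', $value);
}

/**
 * Determine the storage extension for an uploaded file from its content
 * (libmagic), ignoring the client-supplied name and type.
 *
 * @param string $tmpName path to the uploaded temporary file
 * @return string|null extension, or null when the detected type is not allowed
 */
function wcu_extension_for_file($tmpName)
{
	$finfo = new finfo(FILEINFO_MIME_TYPE);
	$mime = $finfo->file($tmpName);
	// Strict search: a false/null result from finfo must not match anything.
	$ext = array_search($mime, wcu_allowed_types(), true);
	return $ext === false ? null : $ext;
}

header('Content-Type: text/plain; charset=utf-8');

try {

	// Undefined | Multiple Files | $_FILES Corruption Attack
	// If this request falls under any of them, treat it invalid.
	// (The former var_dump() of the error field is gone: it echoed request
	// internals back to the client.)
	if (
		!isset($_FILES['file']['error']) ||
		is_array($_FILES['file']['error'])
	) {
		throw new RuntimeException('Error: Invalid parameters.');
	}

	// isset() first so a missing field is an error rather than a PHP notice.
	$customer_id = wcu_positive_int(isset($_POST['Customer_ID']) ? $_POST['Customer_ID'] : null);
	if ($customer_id === null) {
		throw new RuntimeException('Error: Invalid customer id.');
	}

	$upload_error = wcu_upload_error_message($_FILES['file']['error']);
	if ($upload_error !== null) {
		throw new RuntimeException($upload_error);
	}

	// Size as counted by PHP on receipt, independent of anything the client claims.
	if ($_FILES['file']['size'] > WCU_MAX_UPLOAD_BYTES) {
		throw new RuntimeException('Error: Exceeded filesize limit.');
	}

	// DO NOT TRUST $_FILES['file']['type'] -- it is client supplied.
	// The extension is derived from the file's actual content instead.
	$ext = wcu_extension_for_file($_FILES['file']['tmp_name']);
	if ($ext === null) {
		throw new RuntimeException('Error: Invalid file format.');
	}

	$document_index = wcu_positive_int(isset($_POST['Document_Index']) ? $_POST['Document_Index'] : null);
	if ($document_index === null) {
		throw new RuntimeException('Error: Invalid Document_Index');
	}

	// %d on a validated int: the customer id cannot introduce path separators.
	$upload_dir = sprintf('%s/%d', WCU_UPLOAD_ROOT, $customer_id);

	// Re-check is_dir() after mkdir() so a concurrent request that created the
	// same directory first is not reported as a failure.
	if (!is_dir($upload_dir) && !mkdir($upload_dir, 0755, true) && !is_dir($upload_dir)) {
		throw new RuntimeException('Error: Failed to create upload directory.');
	}

	// Build the stored name from sanitized or server-derived parts only.
	// DO NOT USE $_FILES['file']['name'] WITHOUT ANY VALIDATION !!
	$state = (isset($_POST['Customer_State']) && is_string($_POST['Customer_State']))
		? $_POST['Customer_State'] : 'null';
	$company = (isset($_POST['Customer_Company']) && is_string($_POST['Customer_Company']))
		? $_POST['Customer_Company'] : 'null';
	$state = wcu_sanitize_component($state);
	$company = wcu_sanitize_component($company);
	$date = date('Y-m-d');
	// The original also computed 'State'/'Federal' labels for indexes 1/2 but
	// then overwrote them with this generic name; only the generic name is kept.
	$document = 'Document-' . $document_index;

	$path = sprintf('%s/%s_%s_%s_%s.%s', $upload_dir, $date, $state, $company, $document, $ext);

	// move_uploaded_file() refuses anything that is not a genuine upload.
	if (!move_uploaded_file($_FILES['file']['tmp_name'], $path)) {
		throw new RuntimeException('Error: Failed to move uploaded file.');
	}

	// Response contract kept from the original: the relative stored path.
	// NOTE(review): this discloses server-side directory layout to the client;
	// returning basename($path) would avoid that if callers allow it.
	echo $path;
} catch (RuntimeException $e) {
	echo $e->getMessage();
}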