FSST/Geizkragen
1
0
Fork 0
Code Issues 8 Pull Requests Actions Packages Projects Releases Wiki Activity
main
Geizkragen/upload.php

156 lines
4.4 KiB
PHP
Raw Permalink Blame History

<?php
require_once __DIR__ . '/lib/bootstrap.php';
if (empty($_SESSION['user_id']))
{
header('Location: login.php');
exit();
}
$userId = (int)$_SESSION['user_id'];
if ($_SERVER['REQUEST_METHOD'] !== 'POST')
{
header('Location: account.php');
exit();
}
if (!isset($_FILES['uploadFile']) || !is_array($_FILES['uploadFile']))
{
header('Location: account.php?upload=err');
exit();
}
$file = $_FILES['uploadFile'];
$fileError = isset($file['error']) ? (int)$file['error'] : UPLOAD_ERR_NO_FILE;
if ($fileError !== UPLOAD_ERR_OK)
{
// Serverseitiges Log ist ok, aber kein Pfad/Interna im Browser
error_log('Upload: PHP upload error=' . $fileError);
header('Location: account.php?upload=err&code=php_' . $fileError);
exit();
}
// Basic Validierung
$tmp = isset($file['tmp_name']) ? (string)$file['tmp_name'] : '';
if ($tmp === '' || !is_uploaded_file($tmp))
{
// Debug-Detail (tmp-Pfad) nicht loggen
error_log('Upload: tmp invalid');
header('Location: account.php?upload=err&code=tmp');
exit();
}
$allowedMimeToExt = [
'image/jpeg' => 'jpg',
'image/png' => 'png',
];
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime = $finfo->file($tmp);
if (!$mime || !isset($allowedMimeToExt[$mime]))
{
// Mime loggen ist ok (kein Secret), hilft bei Support
error_log('Upload: invalid mime=' . (string)$mime);
header('Location: account.php?upload=err&code=mime');
exit();
}
$ext = $allowedMimeToExt[$mime];
// Zielordner: assets/images/profilePictures relativ zum Projekt (upload.php liegt im Webroot)
$relativeTargetDir = 'assets/images/profilePictures';
// Kandidat 1: relativ zu __DIR__ (robust gegen VHost/Alias)
$dirTargetDir = rtrim(__DIR__, "\\/") . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $relativeTargetDir);
// Kandidat 2: relativ zu DOCUMENT_ROOT (nur wenn gesetzt)
$documentRoot = isset($_SERVER['DOCUMENT_ROOT']) ? (string)$_SERVER['DOCUMENT_ROOT'] : '';
$docRootTrim = rtrim($documentRoot, "\\/");
$docTargetDir = ($docRootTrim !== '')
? $docRootTrim . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $relativeTargetDir)
: '';
// Bevorzugt __DIR__. Falls __DIR__ aus irgendeinem Grund nicht ins Projekt zeigt, und DOCUMENT_ROOT plausibel ist, nutze DOCUMENT_ROOT.
$targetDir = $dirTargetDir;
if ($docTargetDir !== '' && !is_dir($dirTargetDir) && is_dir($docTargetDir))
{
$targetDir = $docTargetDir;
}
if (!is_dir($targetDir))
{
$mkOk = @mkdir($targetDir, 0755, true);
if (!$mkOk)
{
$lastErr = error_get_last();
$lastErrMsg = (is_array($lastErr) && isset($lastErr['message'])) ? (string)$lastErr['message'] : 'unknown';
error_log('Upload: mkdir failed for ' . $targetDir . ' - ' . $lastErrMsg);
header('Location: account.php?upload=err&code=mkdir');
exit();
}
}
if (!is_writable($targetDir))
{
error_log('Upload: targetDir not writable: ' . $targetDir);
header('Location: account.php?upload=err&code=perm');
exit();
}
// Dateiname: user_<ID>_<Datum>.<ext>
// Format ist dateisystem-sicher (keine Doppelpunkte) und eindeutig genug.
$timestamp = gmdate('Ymd-His');
$filename = 'user_' . $userId . '_' . $timestamp . '.' . $ext;
$targetPath = rtrim($targetDir, "\\/") . DIRECTORY_SEPARATOR . $filename;
if (!move_uploaded_file($tmp, $targetPath))
{
$lastErr = error_get_last();
$lastErrMsg = (is_array($lastErr) && isset($lastErr['message'])) ? (string)$lastErr['message'] : 'unknown';
error_log('Upload: move_uploaded_file failed to ' . $targetPath . ' - ' . $lastErrMsg);
header('Location: account.php?upload=err&code=move');
exit();
}
// Pfad, der in HTML genutzt wird (URL relativ zur Webroot)
$publicPath = 'assets/images/profilePictures/' . $filename;
$servername = "localhost";
$port = 3306;
$username = "FSST";
$password = "L9wUNZZ9Qkbt";
$db = "FSST";
$conn = mysqli_connect($servername, $username, $password, $db, $port);
if (!$conn)
{
header('Location: account.php?upload=err');
exit();
}
$stmt = mysqli_prepare($conn, "UPDATE users SET profilePicture = ? WHERE userID = ?");
if (!$stmt)
{
mysqli_close($conn);
header('Location: account.php?upload=err');
exit();
}
mysqli_stmt_bind_param($stmt, 'si', $publicPath, $userId);
$ok = mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
mysqli_close($conn);
if (!$ok)
{
header('Location: account.php?upload=err');
exit();
}
header('Location: account.php?upload=ok');
exit();
Reference in New Issue View Git Blame Copy Permalink