Better way of uploading pictures using tinymce

handleUpload.php

@@ -0,0 +1,70 @@
+<?php
+
+/*
+ * TinyMCE Image uploader!
+ */
+mb_internal_encoding("utf-8"); // Internal encoding set to UTF-8, should fix some charset issues.
+
+session_start(); // Start PHP session, so we can handle session-data on all pages.
+
+require_once("include.php");
+
+/* * *************************************************
+ * Only these origins are allowed to upload images *
+ * ************************************************* */
+$accepted_origins = array("http://localhost", "https://localhost", "https://127.0.0.1", "http://127.0.0.1");
+
+/* * *******************************************
+ * Change this line to set the upload folder *
+ * ******************************************* */
+$cwd = getcwd();
+$imageFolder = $cwd .'/'. Config::$file_path;
+
+reset($_FILES);
+$temp = current($_FILES);
+if (is_uploaded_file($temp['tmp_name'])) {
+    /* if (isset($_SERVER['HTTP_ORIGIN'])) {
+      // same-origin requests won't set an origin. If the origin is set, it must be valid.
+      if (in_array($_SERVER['HTTP_ORIGIN'], $accepted_origins)) {
+      header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);
+      } else {
+      header("HTTP/1.1 403 Origin Denied");
+      return;
+      }
+      } */
+
+    if (!User::checkLevel("75")) {
+        header("HTTP/1.1 403 Origin Denied");
+        return;
+    }
+
+    /*
+      If your script needs to receive cookies, set images_upload_credentials : true in
+      the configuration and enable the following two headers.
+     */
+    // header('Access-Control-Allow-Credentials: true');
+    // header('P3P: CP="There is no P3P policy."');
+    // Sanitize input
+    if (preg_match("/([^\w\s\d\-_~,;:\[\]\(\).])|([\.]{2,})/", $temp['name'])) {
+        header("HTTP/1.1 400 Invalid file name.");
+        return;
+    }
+
+    // Verify extension
+    if (!in_array(strtolower(pathinfo($temp['name'], PATHINFO_EXTENSION)), array("gif", "jpg", "png"))) {
+        header("HTTP/1.1 400 Invalid extension.");
+        return;
+    }
+
+    // Accept upload if there was no origin, or if it is an accepted origin
+    $filetowrite = $imageFolder . $temp['name'];
+    move_uploaded_file($temp['tmp_name'], $filetowrite);
+
+    // Respond to the successful upload with JSON.
+    // Use a location key to specify the path to the saved image resource.
+    // { location : '/your/uploaded/image/file'}
+    echo json_encode(array('location' => Config::$sys_url.Config::$file_path.$temp['name']));
+} else {
+    // Notify editor that the upload failed
+    header("HTTP/1.1 500 Server Error");
+}

js/tiny.php

@@ -20,7 +20,7 @@ if (isset($_SESSION['user'])) {
         plugins: 'image',
         toolbar: "undo redo | styleselect | bold italic | image | alignleft aligncenter alignright alignjustify | bullist numlist outdent indent",
         menubar: false,
-        
+        images_upload_url: 'handleUpload.php',
         height: '400px'
         });