OdenseTrack/handleUpload.php

<?php

/*
 * TinyMCE Image uploader!
 */
mb_internal_encoding("utf-8"); // Internal encoding set to UTF-8, should fix some charset issues.

session_start(); // Start PHP session, so we can handle session-data on all pages.

require_once("include.php");

// Get working dir, and file path
$cwd = getcwd();
$imageFolder = $cwd . '/' . Config::$file_path;

reset($_FILES);
$temp = current($_FILES);
if (is_uploaded_file($temp['tmp_name'])) {

    if (!User::checkLevel("75")) {
        header("HTTP/1.1 403 Permission Denied");
        return;
    }

    // Set required variables.
    $ext = explode('.', $temp['name']); // end() doesnt like us using explode directly.
    $extension = strtolower(end($ext)); // Get the extension of the file.
    $randomname = Upload::generateRandomString(); // We give our file a random name - It will be this.
    
    // Check if filename exists, and regenrate until it doesnt.
    while (IS_FILE($cwd . '/' . Config::$file_path . $randomname . '.' . $extension)) {
        $randomname = Upload::generateRandomString();
    }

    // Sanitize input
    if (preg_match("/([^\w\s\d\-_~,;:\[\]\(\).])|([\.]{2,})/", $temp['name'])) {
        header("HTTP/1.1 400 Invalid file name.");
        return;
    }

    // Verify extension
    if (!in_array(strtolower(pathinfo($temp['name'], PATHINFO_EXTENSION)), Config::$file_types)) {
        header("HTTP/1.1 400 Invalid extension.");
        return;
    }

    // Accept upload
    $filetowrite = $imageFolder . $randomname .'.'. $extension;
    move_uploaded_file($temp['tmp_name'], $filetowrite);

    // Respond to the successful upload with JSON.
    echo json_encode(array('location' => Config::$sys_url . Config::$file_path . $randomname .'.'. $extension));
} else {
    // Notify editor that the upload failed
    header("HTTP/1.1 500 Server Error");
}