- $fname = $_FILES['uploadfile']['name'];
-
- if (!preg_match("/.sql(.zip|.gz)?$/", $fname))
- display_error(_("You can only upload *.sql backup files"));
- elseif (is_uploaded_file($tmpname)) {
- rename($tmpname, BACKUP_PATH . $fname);
- display_notification( "File uploaded to backup directory");
- $Ajax->activate('cmd_backups');
+ $fname = trim(basename($_FILES['uploadfile']['name']));
+
+ if ($fname) {
+ if (!preg_match("/\.sql(\.zip|\.gz)?$/", $fname))
+ display_error(_("You can only upload *.sql backup files"));
+ elseif ($fname != clean_file_name($fname))
+ display_error(_("Filename contains forbidden chars. Please rename file and try again."));
+ elseif (is_uploaded_file($tmpname)) {
+ rename($tmpname, $SysPrefs->backup_dir() . $fname);
+ display_notification(_("File uploaded to backup directory"));
+ $Ajax->activate('backups');
+ } else
+ display_error(_("File was not uploaded into the system."));