$unique_name = uniqid('');
move_uploaded_file($tmpname, $dir."/".$unique_name);
//save the file
- $filename = $_FILES['filename']['name'];
+ $filename = basename($_FILES['filename']['name']);
$filesize = $_FILES['filename']['size'];
$filetype = $_FILES['filename']['type'];
}
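Review bot: `basename()` on the new line 5 strips directory components but returns `.`, `..` and the empty string unchanged, so `$filename` can still hold a non-name; the stored file itself is written under `$unique_name` on line 2, so the risk is only in whatever later uses `$filename`, which is not visible here. A guard such as `if ($filename === '' || $filename === '.' || $filename === '..') display_error(_('Invalid file name'));` would close that gap. Note also that `basename()` is locale-aware for multibyte names, so the result depends on the process locale. Separately from this change, `uniqid('')` on line 1 is time-derived and guessable; if `$dir` is web-reachable, a name from `bin2hex(random_bytes(8))` would be harder to enumerate.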
{
mkdir($filename);
}
- $filename .= "/".$_FILES['pic']['name'];
+ $filename .= "/".clean_file_name($_FILES['pic']['name']);
//But check for the worst
- if (!in_array((substr(trim($_FILES['pic']['name']),-3)),
- array('jpg','JPG','png','PNG')))
+ if (!in_array( substr($filename,-3), array('jpg','JPG','png','PNG')))
{
display_error(_('Only jpg and png files are supported - a file extension of .jpg or .png is expected'));
$input_error = 1;
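Review bot: The whitelist on the new line 17 inspects only the last three bytes of the cleaned name, so `logo.php.jpg` or a name with no dot at all (e.g. `jpg`) passes, and nothing checks that the uploaded bytes are actually an image; what `clean_file_name()` strips is not visible here, so I would not rely on it for either. Use the real extension and validate the content: `$ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));` then `if (!in_array($ext, array('jpg','png'), true) || substr_count(basename($filename), '.') != 1 || getimagesize($_FILES['pic']['tmp_name']) === false)`. Rejecting double extensions matters on Apache setups that apply handlers to every extension in the name. The enclosing `if` whose `{` is on line 9 starts outside the hunk, and `mkdir($filename)` on line 10 runs before any of this validation.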
if ($input_error != 1)
{
$result = move_uploaded_file($_FILES['pic']['tmp_name'], $filename);
- $_POST['coy_logo'] = $_FILES['pic']['name'];
+ $_POST['coy_logo'] = clean_file_name($_FILES['pic']['name']);
if(!$result)
display_error(_('Error uploading logo file'));
}
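Review bot: The assignment on the new line 25 runs before `$result` is tested on line 26, so a failed `move_uploaded_file()` still records the logo name in `$_POST['coy_logo']` and whatever reads it later will point at a file that was never written. Move it under the success branch: `if ($result) $_POST['coy_logo'] = clean_file_name($_FILES['pic']['name']); else display_error(_('Error uploading logo file'));`. If `$filename` is built from the same cleaned name elsewhere, computing it once and reusing it would also keep the two from drifting apart.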
}
if (check_value('del_coy_logo'))
{
- $filename = company_path()."/images/".$_POST['coy_logo'];
+ $filename = company_path()."/images/".clean_file_name($_POST['coy_logo']);
if (file_exists($filename))
{
$result = unlink($filename);
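Review bot: `file_exists()` on line 34 is also true for directories, so if `clean_file_name()` leaves an empty string, `.` or `..` (its behaviour is not visible here), the path on the new line 33 resolves to the images directory itself and `unlink()` on line 36 fails with a warning rather than a clean error; `is_file($filename)` is the right test. Since the deletion target comes straight from `$_POST['coy_logo']`, I would also add `basename()` as belt and braces in case `clean_file_name()` does not strip separators: `$filename = company_path()."/images/".basename(clean_file_name($_POST['coy_logo']));`. The `if` guarding this block begins on line 30 and the handling of `$result` continues outside the hunk.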
display_error( _("Query size must be integer and greater than zero."));
set_focus('query_size');
} else {
+ $_POST['theme'] = clean_file_name($_POST['theme']);
$chg_theme = user_theme() != $_POST['theme'];
$chg_lang = $_SESSION['language']->code != $_POST['language'];