Hey, I made this mod for my game, so as usual I'll post it here. Works fine for me... This mod will add an image upload for profile pics on your game, to stop several exploits. This improves security (hopefully) :P.
Follow the below instructions and it should go fine.
Update ASAP, Mass security updates have been added.
Updates:
-Code stripped from files uploaded.
-Will stop bad file extensions, such as shells.
-2nd Security update.
-Only one image can be on the web server per user.
-Images cannot be used more than twice to save space.
-Crons / Extra SQL is no longer needed.
-Security update.
-Variables Fixed.
Before you do the below, on your FTP under public_html create a new directory called "profilepics" with the CHMOD permissions set to 757.
Create uploadpic.php with the code:
<?php
/*-----------------------------------------------------
-- Isomerizer
-- Copyright held 2007-2008 © Isomerizer.com
-- uploadpic.php
-----------------------------------------------------*/
require("globals.php");
/*Edit below for the max size of the pic, in bytes*/
$maxsize = 1000000;
/*The directory created in the instructions above, relative to public_html*/
$path = 'profilepics/';
/*Image types that can be used, decided from the file contents (getimagesize),
  never from $_FILES['imagefile']['type'], which the uploader chooses freely*/
$valid = array(IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png');
if(empty($_FILES['imagefile']))
{
    echo '
    <h3>Upload a Profile Image:</h3>
    <form action="uploadpic.php" method="post" enctype="multipart/form-data">
    <i>Path of Image:</i> <input type="file" name="imagefile" />
    <input type="submit" value="Upload" />
    </form>
    (Max '.$maxsize.' bytes, must be a gif, jpg, jpeg or png image)<br />
    (Images are resized to 150 x 150)
    ';
}
else
{
    $back = '<br /><a href="'.htmlspecialchars($_SERVER['PHP_SELF']).'">Back</a>';
    /*Basic security procedures*/
    /*Compare the method string directly; negating it first (!$x == "POST") never matches*/
    if($_SERVER['REQUEST_METHOD'] != "POST" || !isset($_SERVER['HTTP_USER_AGENT'])){
        echo 'Hack Attempt!';
        $h->endpage(); exit;
    }
    $headerinject = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:");
    foreach($_POST as $k => $v){
        foreach($headerinject as $v2){
            if(is_string($v) && strpos($v, $v2) !== false){
                if(function_exists('logBadRequest')) { logBadRequest(); }
                header("HTTP/1.0 403 Forbidden"); exit;
            }
        }
    }
    $file = $_FILES['imagefile'];
    /*Make sure PHP received a complete upload, not some other file on the server*/
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        echo 'The upload failed, please try again.'.$back;
        $h->endpage(); exit;
    }
    /*Check image size*/
    if ($file['size'] > $maxsize) {
        echo 'Image too large'.$back;
        @unlink($file['tmp_name']);
        $h->endpage(); exit;
    }
    /*If the contents are not one of the allowed image types...*/
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($valid[$info[2]])) {
        $type = htmlspecialchars(strrchr($file['name'], '.'));
        echo 'This file type '.$type.' is not allowed.'.$back;
        @unlink($file['tmp_name']);
        $h->endpage(); exit;
    }
    /*Now to create the correct image using php*/
    $create = false;
    switch ($info[2]) {
        case IMAGETYPE_GIF:  $create = @imagecreatefromgif($file['tmp_name']);  break;
        case IMAGETYPE_JPEG: $create = @imagecreatefromjpeg($file['tmp_name']); break;
        case IMAGETYPE_PNG:  $create = @imagecreatefrompng($file['tmp_name']);  break;
    }
    /*Destroy the uploaded temp file*/
    @unlink($file['tmp_name']);
    /*If php could not create the image*/
    if (!$create) {
        echo 'The image you are trying to upload seems to be corrupt, please try again!'.$back;
        $h->endpage(); exit;
    }
    /*Resize to 150 x 150. Writing the pixels back out through GD also drops
      anything else that was in the uploaded file (comments, trailing code, etc.)*/
    $resized = imagecreatetruecolor(150, 150);
    imagecopyresampled($resized, $create, 0, 0, 0, 0, 150, 150, imagesx($create), imagesy($create));
    imagedestroy($create);
    /*Only one image per user: the stored name comes from the userid and the detected
      type, never from the uploaded filename, so "../x.php" or "shell.php" can't be
      used and there is nothing left for a name-collision check to do*/
    $picture = $path.(int)$userid.'.'.$valid[$info[2]];
    $saved = false;
    switch ($info[2]) {
        case IMAGETYPE_GIF:  $saved = @imagegif($resized, $picture);  break;
        case IMAGETYPE_JPEG: $saved = @imagejpeg($resized, $picture); break;
        case IMAGETYPE_PNG:  $saved = @imagepng($resized, $picture);  break;
    }
    imagedestroy($resized);
    if (!$saved) {
        echo 'Could not write the image, check the permissions on '.$path.$back;
        $h->endpage(); exit;
    }
    /*Delete previous image to save space, but only one that lives in profilepics/
      (display_pic used to hold externally hosted URLs, and unlink() must never be
      pointed at an arbitrary path taken from the database)*/
    $oldpic = $ir['display_pic'];
    $delete = false;
    if ($oldpic != $picture && strpos($oldpic, $path) === 0 && strpos($oldpic, '..') === false && is_file($oldpic)) {
        $delete = @unlink($oldpic);
    }
    if ($delete) { echo 'Previous image deleted from system...<br />'; }
    else { echo 'No previous image to be deleted...<br />'; }
    /*Information for user (the uploaded name is echoed back, so escape it)*/
    echo 'Old Image Location: '.htmlspecialchars($oldpic).'<br />
    New Image Location: '.$picture.'<br />
    Image Uploaded<br />
    Info:<br />
    Image Name: '.htmlspecialchars($file['name']).'<br />
    Image Size: '.(int)$file['size'].' bytes<br />
    Type: '.$info['mime'].$back;
    /*Update DB*/
    mysql_query(
        sprintf("UPDATE `users` SET `display_pic` = '%s' WHERE `userid` = %u",
            mysql_real_escape_string($picture),
            $userid));
}
$h->endpage();
exit;
?>
Open preferences.php and change
<a href='preferences.php?action=picchange'>Display Pic Change</a>
To...
<a href='uploadpic.php'>Display Pic Change</a>
Delete from preferences.php
function pic_change()
{
    global $ir,$c,$userid,$h;
    print "Pic Change<br />
    Please note that this must be externally hosted, <a href='http://imageshack.us'>ImageShack</a> is our recommendation.<br />
    Any images that are not 150x150 will be automatically resized<br />
    New Pic:
    ";
}
function do_pic_change()
{
    global $ir,$c,$userid,$h;
    if($_POST['newpic'] == "")
    {
        print "You did not enter a new pic.<br />
        <a href='preferences.php?action=picchange'>&gt; Back</a>";
    }
    else
    {
        $_POST['newpic']=str_replace('\\\'','&#039;', $_POST['newpic']);
        mysql_query("UPDATE users SET display_pic='{$_POST['newpic']}' WHERE userid=$userid",$c);
        print "Pic changed!";
    }
}
For extra security, the "profilepics" directory can be stopped from executing any script.
Create sseccath. <- (spelt backwards, as CE won't allow the word) with:
# Hand every script extension to the CGI handler, then forbid CGI in this directory,
# so Apache answers 403 instead of running anything that lands here. The host must
# allow .htaccess overrides (AllowOverride FileInfo Options) for this to take effect.
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
and place in "profilepics".
Can be seen working @ www.amazon-survival.com
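Added example, not part of the mod above and not the author's code: a stand-alone PHP script (run from the command line, needs the GD extension) that shows why the checks in uploadpic.php have to look at the file's bytes rather than the browser's Content-Type, and what re-encoding through GD does to a file that is a valid GIF with PHP code glued onto the end, the usual way a shell is smuggled past an extension or MIME check. The "upload" is constructed in memory; the helper names (`detect_extension`, `destination_for`, `reencode`), the userid 7 and the `profilepics/` directory are assumptions for illustration only.

```php
<?php
// Added example, not code from the mod above. Requires the GD extension.
// The "upload" is constructed here: a real 1x1 GIF with PHP code appended.

function build_sample_gif() {
    $im = imagecreatetruecolor(1, 1);
    ob_start();
    imagegif($im);           // no filename: the encoded GIF goes to the output buffer
    imagedestroy($im);
    return ob_get_clean();
}

function build_polyglot() {
    // Valid image first, code after the GIF trailer. Browsers and getimagesize()
    // see a GIF; mod_php would run the tail if this were saved under a .php name.
    return build_sample_gif() . "\n<?php system(\$_GET['c']); ?>";
}

// What the original mod trusted: the MIME type the uploader sends along.
function client_type_check($claimed_type) {
    $valid = array('image/gif', 'image/png', 'image/pjpeg', 'image/jpeg', 'image/jpg');
    return in_array($claimed_type, $valid);
}

// Type taken from the bytes instead, mapped to a fixed extension the server picks.
function detect_extension($path) {
    $valid = array(IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png');
    $info = @getimagesize($path);
    if ($info === false || !isset($valid[$info[2]])) {
        return false;
    }
    return $valid[$info[2]];
}

// Stored name built from the userid and the detected type; the uploaded name
// (here "../shell.php") is never used, so it can't choose a path or an extension.
function destination_for($userid, $ext, $dir = 'profilepics/') {
    return $dir . (int)$userid . '.' . $ext;
}

// Decode and re-encode through GD, as uploadpic.php does, and return the new bytes.
function reencode($path) {
    $im = @imagecreatefromstring(file_get_contents($path));
    if (!$im) {
        return false;
    }
    ob_start();
    imagegif($im);
    imagedestroy($im);
    return ob_get_clean();
}

$tmp = tempnam(sys_get_temp_dir(), 'upload');
file_put_contents($tmp, build_polyglot());
$uploaded_name = '../shell.php';   // what the uploader put in the filename field
$claimed_type  = 'image/gif';      // what the uploader put in the part's Content-Type

echo "MIME check alone accepts the upload: ", client_type_check($claimed_type) ? "yes" : "no", "\n";
$ext = detect_extension($tmp);
echo "Type detected from the bytes: ", $ext === false ? "rejected" : $ext, "\n";
echo "Uploaded as $uploaded_name, stored as: ", destination_for(7, $ext), "\n";
$clean = reencode($tmp);
echo "PHP tag in the upload:  ", strpos(file_get_contents($tmp), '<?php') === false ? "no" : "yes", "\n";
echo "PHP tag after GD:       ", strpos($clean, '<?php') === false ? "no" : "yes", "\n";
unlink($tmp);
```

Run it with `php` from the command line. The point it makes is the one the mod relies on: the MIME check and even getimagesize() both accept the polyglot, so neither is a reason to trust the uploaded name or bytes. Safety comes from the server choosing the destination name and extension, and from GD writing back only the decoded pixels, which is why the `<?php` tag is present in the upload but absent from the re-encoded file. The .htaccess above is the backstop for the case where something still ends up in profilepics/ under a script extension.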