I'm a complete beginner. I developed this today and it's working, but I would like to make sure ALL of my checkFile($file) method's conditions are fully used. It's probably a bit ugly, but for now I mostly need to know if it's secure and if the MIME test is correctly working and used by the script.

CONTEXT: It's an update form fully made in PHP (I haven't learned Ajax yet). Products have pictures, and my purpose was to make this input optional, as it doesn't work like text inputs. Here is my code. The checkFile() method first:
```php
public static function checkFile(array $file)
{
    ## Store the $_FILES data in variables
    $tmpName = $file['tmp_name'];
    $filename = $file['name'];
    $type = $file['type'];
    $size = $file['size'];
    $error = $file['error'];

    ## Isolate the extension of "file".
    $extensionArray = explode('.', $filename);
    $extension = strtolower(end($extensionArray));

    if (strlen($tmpName) == 0) {
        return true;
    }
    if (strlen($tmpName) != 0) {
        ## the different characteristics to test
        $extensions = ['jpg', 'png', 'jpeg'];
        $maxSize = 500000;
        $mimes = [
            'png' => 'image/png',
            'jpeg' => 'image/jpeg',
            'jpg' => 'image/jpeg',
            'gif' => 'image/gif',
            'bmp' => 'image/bmp',
            'ico' => 'image/vnd.microsoft.icon',
            'tiff' => 'image/tiff',
            'tif' => 'image/tiff',
            'svg' => 'image/svg+xml',
            'svgz' => 'image/svg+xml',
        ];
        // var_dump(in_array($type, $mimes));
        // var_dump(in_array($extension, $extensions));
        if (in_array($extension, $extensions) == true && $size <= $maxSize && $error == 0 && in_array($type, $mimes) == true) {
            return true;
        } else {
            return false;
        }
    }
}
```
And my editProduct() method:
```php
static function editProduct(int $id)
{
    $product = new ProductsModel;
    $currentProduct = $product->find($id);

    if (Form::validate($_POST, ['name', 'description', 'size', 'price', 'img_alt']) && Form::checkFile($_FILES['img']) == true) {
        $tmpName = $_FILES['img']['tmp_name'];
        if (strlen($tmpName) != 0) {
            $img = strip_tags($_FILES['img']['name']);
        } else {
            $img = $currentProduct->img;
        }
        $name = strip_tags($_POST['name']);
        $description = strip_tags($_POST['description']);
        $size = strip_tags($_POST['size']);
        $price = strip_tags($_POST['price']);
        $img_alt = strip_tags($_POST['img_alt']);

        $productEdit = new ProductsModel;
        $productEdit->setId($currentProduct->id)
            ->setName($name)
            ->setDescription($description)
            ->setSize($size)
            ->setImg($img)
            ->setImgAlt($img_alt)
            ->setPrice($price);
        $productEdit->update();

        move_uploaded_file($tmpName, '../public/uploads/' . $img);
        $_SESSION['success'] = 'Le produit a été modifié avec succès.';
        header('Location: link');
        exit;
    } else {
        $_SESSION['error'] = 'Les informations rentrées sont incorrectes';
    }

    var_dump($currentProduct->img);
    var_dump($_FILES);

    $form = new Form;
    $form->startForm('post', '#', ['enctype' => 'multipart/form-data'])
        ->addLabel('name', 'Nom')
        ->addInput('text', 'name', ['value' => $currentProduct->name])
        ->addLabel('description', 'Description')
        ->addInput('text', 'description', ['value' => $currentProduct->description])
        ->addLabel('size', 'Poids')
        ->addInput('text', 'size', ['value' => $currentProduct->size])
        ->addLabel('img', 'Image')
        ->addInput('file', 'img', ['value' => $currentProduct->img])
        ->addLabel('alt_img', 'Texte alternatif de l\'image')
        ->addInput('text', 'img_alt', ['value' => $currentProduct->img_alt])
        ->addLabel('price', 'Prix')
        ->addInput('text', 'price', ['value' => $currentProduct->price])
        ->addButton('Modifier')
        ->endForm();

    return $form->create();
}
```
Also, about the MIME type: should I use mime_content_type(), or is my in_array($mimes, $extension) OK?
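An added example, not the original poster's code, of the server-side check the question is about: it inspects the bytes PHP actually received (through finfo, the same detection mime_content_type() performs) instead of the client-supplied type and filename, and it keeps the "no new picture" case the form needs. The function name, the allow-list and the upload path are assumptions.

```php
<?php
// Added example (not the original poster's code): a hardened version of the
// upload check that inspects the uploaded bytes instead of trusting the
// client-supplied $_FILES['type'] and filename. Names are assumptions.
function checkUploadedImage(array $file, int $maxSize = 500000): ?string
{
    // Only these extension => detected-MIME pairs are accepted.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

    // No file field or nothing selected: keep the current picture.
    if (!isset($file['error']) || $file['error'] === UPLOAD_ERR_NO_FILE) {
        return null;
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . $file['error']);
    }
    // The path must be a file PHP received in this request, not an arbitrary path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Check the size on disk, not only the client-reported one.
    if (filesize($file['tmp_name']) > $maxSize) {
        throw new RuntimeException('File too large');
    }
    $extension = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$extension])) {
        throw new RuntimeException('Extension not allowed');
    }
    // Sniff the real content type from the bytes (this is what mime_content_type()
    // does too); $file['type'] is whatever the browser chose to send.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== $allowed[$extension]) {
        throw new RuntimeException("Content is $detected, expected {$allowed[$extension]}");
    }
    // Second opinion: getimagesize() must be able to parse it as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // Never reuse the client's filename on disk: generate one, keep the checked extension.
    return bin2hex(random_bytes(16)) . '.' . $extension;
}

// Usage inside the edit handler (assumed context): null means "no new picture".
$newName = checkUploadedImage($_FILES['img'] ?? []);
if ($newName !== null) {
    move_uploaded_file($_FILES['img']['tmp_name'], __DIR__ . '/../public/uploads/' . $newName);
}
```

The returned name (or the existing one when null comes back) is what belongs in setImg(), so the database row and the file on disk never carry a name chosen by the client.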