From eccd944e3181e94ca3d8f688a76cdd9030085bd8 Mon Sep 17 00:00:00 2001
From: Andrew Tomaka
Date: Wed, 2 Nov 2011 16:33:57 -0400
Subject: [PATCH] Check a bit of data before saving the file.
---
 upload.php | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/upload.php b/upload.php
index df52917..2909f0b 100644
--- a/upload.php
+++ b/upload.php
@@ -10,12 +10,36 @@
  **/
 define('UPLOADS','uploads/');
+$extensions = array('jpg','jpeg','png','gif','bmp');
+
+if($_SERVER['REQUEST_METHOD'] != 'POST') {
+ error('request method error');
+}
 if(array_key_exists('image', $_FILES)) {
 $file = $_FILES['image'];
- move_uploaded_file($file['tmp_name'], UPLOADS . $file['name']);
-}
+ $extension = explode('.',$file['name']);
+ $extension = array_pop($extension);
+ $extension = strtolower($extension);
-echo json_encode(array('status'=>'Uploaded successfully','file'=>'http://screens.p5dev.com/' . UPLOADS . $file['name']));
+ //if(!in_array(strtolower(array_pop(explode('.',$file['name'])),$extensions))) {
+ if(!in_array($extension,$extensions)) {
+ error('file extension error.');
+ }
+
+
+
+ if(move_uploaded_file($file['tmp_name'], UPLOADS . $file['name'])) {
+ echo json_encode(array('type'=>'success','status'=>'Uploaded successfully','file'=>'http://screens.p5dev.com/' . UPLOADS . $file['name']));
+ exit;
+ }
+}
+error('unknown error');
+
+
+function error($message) {
+ echo json_encode(array('type'=>'error','status'=>$message));
+ exit;
+}
 ?>
\ No newline at end of file
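Review bot: The new extension check only constrains the last dot-separated segment of `$file['name']`, yet the `move_uploaded_file` call and the echoed URL still use the client-supplied name verbatim as the destination path under `UPLOADS`, so nothing validates the directory part or the rest of the name. Build the target from the already-validated `$extension` rather than the original name, e.g. `$target = UPLOADS . bin2hex(random_bytes(8)) . '.' . $extension;` (or at minimum `UPLOADS . basename($file['name'])`), and use `$target` in both the move and the JSON response. The check should also use `in_array($extension, $extensions, true)` and reject the upload when `$file['error'] !== UPLOAD_ERR_OK`, since a name-only check does not confirm the file is an image; a content check such as `getimagesize($file['tmp_name'])` before the move would be the defensive complement. A comment on the `$extensions` line noting that this is an allow-list of file-name suffixes, not a content check, would make the scope of the validation clear to the next reader.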