Re: Plugin: Avatar Upload
I found visitors were getting really hassled by the filename restrictions, so I decided to relax them while still keeping some safety, since you already check MIME types & file extensions.

instead of:

!eregi("^([-a-z0-9_]+)\.([a-z]+)$", $img_name)

I reduced it to only exclude the four bad characters I can think of:

eregi("[#?&%]", $img_name)

What do you think? Safe enough?

Is your mime check from the physical file itself or just the sent headers? Hopefully the physical file or it’s not secure enough.

My change allows people to click browse and enter a URL into their file browser, which forces Windows to pull down the file first, then upload it to the site. Not sure what other OSes will do. Windows adds [1] to the filename in the temp area, so your name filter was blocking it from uploading.

My next ideas are to give lazy people a section of default avatars to choose from instead, and to allow members several stored avatars to choose from (your table should allow multiple entries per member I think, though the code to deal with it will have to be changed of course).
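An added example, not code from the plugin or this thread: the relaxed four-character denylist next to an allowlist that still accepts the `name[1].ext` form Windows produces, run over a few constructed filenames to show what each one lets through. The function names and the sample list are mine.

```php
<?php
// Added example (hypothetical names), not the plugin's code.
// eregi() was removed in PHP 7, so both checks use preg_match().

// The post's denylist idea. "#|?|&|%" is not a valid regex ("?" has
// nothing to repeat), so the four characters go in a character class.
// Returns true when the name is accepted.
function denylist_avatar_name(string $name): bool {
    return preg_match('/[#?&%]/', $name) === 0;
}

// Allowlist: a base name of letters, digits, "-", "_" and spaces, an
// optional "[n]" suffix as added by Windows, then exactly one extension
// from a fixed set. \z (not $) so a trailing newline cannot sneak past.
function allowlist_avatar_name(string $name): bool {
    return preg_match('/^[a-z0-9_\- ]+(\[[0-9]+\])?\.(jpe?g|png|gif)\z/i', $name) === 1;
}

// Constructed sample inputs: two legitimate names (including the Windows
// rename from the post) and three that only the allowlist rejects.
$samples = [
    'avatar.png',
    'my photo[1].jpg',
    '../../wp-config.php',   // traversal characters are not in the denylist
    "avatar.png\0.php",      // NUL byte is not in the denylist either
    "avatar.png\n",          // trailing newline
];

foreach ($samples as $s) {
    printf("%-24s denylist: %-6s allowlist: %s\n",
        addcslashes($s, "\0\n"),
        denylist_avatar_name($s) ? 'pass' : 'reject',
        allowlist_avatar_name($s) ? 'pass' : 'reject');
}
```

Whichever name check is used, the extension and MIME checks should still run on the stored file's contents rather than on the browser-supplied headers, as the reply above points out.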