// NOTE(review): this excerpt starts and ends mid-block. It shows the tail of what appears to be
// the upload branch (it moves $_FILES["SelectedFile"]) followed by the start of the "Remove" branch.

// Should never be true - Guids ought to be unique
// The stored name is a freshly generated GUID followed by $extension, so no client-supplied
// base name ends up in the target path.
// NOTE(review): $extension is assigned outside this excerpt - confirm it is restricted to an
// allow-list of expected types, as it is the only part of the stored name not generated here.
$newFilename = SMRandom::CreateGuid() . $extension;
} // Closes a block opened before this excerpt

// Move file
// move_uploaded_file() only moves files that arrived through an HTTP POST upload and returns
// false on failure; a failure is reported as a 500 and the request ends.
if (move_uploaded_file($_FILES["SelectedFile"]["tmp_name"], $dir . "/" . $newFilename) === false) {
    header("HTTP/1.1 500 Internal Server Error");
    echo "Error moving temporary file";
    exit;
}

echo $dir . "/" . $newFilename; // Write new filename back to client on success
} else { // Closes the branch opened before this excerpt
    if ($command === "Remove") {
        // Collect the path(s) to delete from the POST data: a single "File" value takes
        // precedence; otherwise "Files" is split on ";" into a list of paths.
        $paths = null;
        $file = SMEnvironment::GetPostValue("File");
        $files = SMEnvironment::GetPostValue("Files");

        if ($file !== null) {
            $paths = array($file);
        } else {
            if ($files !== null) {
                $paths = explode(";", $files);
            }
        }

        // Neither "File" nor "Files" was posted: report the error and stop.
        if ($paths === null) {
            header("HTTP/1.1 500 Internal Server Error");
            echo "Error - unable to remove files - no path(s) given";
            exit;
        }

        foreach ($paths as $path) {
            // Make sure $path is a safe path (e.g. does not contain ../../), and make sure the file referenced is found in $imagesFolder
            // The condition is true when validation fails OR $path does not begin with
            // $imagesFolder (strpos() yields false or a non-zero offset); the body of this
            // branch lies beyond the excerpt.
            // NOTE(review): the containment test is a plain string-prefix comparison. Unless
            // $imagesFolder ends with a directory separator (not visible here), a sibling
            // directory whose name merely starts with the same characters would also pass -
            // confirm, or compare against $imagesFolder . "/".
            if (SMStringUtilities::Validate($path, SMValueRestriction::$SafePath) === false || strpos($path, $imagesFolder) !== 0) {