In-reply-to » Ready for clone https://github.com/sorenpeter/pixelblog

@darch@twtxt.net I just sent you a merge request that fixes the typos I spotted.

Now to one very severe security flaw, the filesystem traversal attack. You must never ever trust user input. Never. Ever. Not in a hundred years. Or the devil himself will kidnap your kids, your wife and yourself to steal their souls, rape and then painfully kill all of them.

Back to the user input. This also goes for the filename of the submitted file upload. You either have to sanitize it or, even better, just generate a new one that you know is safe. Currently you just use the user’s filename, replace spaces with hyphens, convert it to lowercase and prepend the date. So basically, doing nothing in terms of sanitizing. But if the filename contains slashes, you’re basically fucked. Imagine a user-supplied filename of ../../../../../etc/passwd or something similar. It will then override system data or any of your scripts or whatever, if the user running the PHP script has sufficient permissions. Which it often has, at least to override your own PHP scripts. So you should at least extract the submitted filename’s basename at the very bare minimum. That would result in passwd on the example above. Maybe there are even more PHP-specific things to keep in mind, I don’t know.

Okay, granted you check for the existence of the final file and abort, but it still would be possible to sneak files into places where they truly do not belong. Like optional configuration files an application would read if present but ignore if missing.

Also checking the file extension to determine whether a file is of a certain type doesn’t really work. You can just lie about the extension.

I’m heading to bed now. Happy fixing my friend! :-)
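An added example, not code from pixelblog: a PHP upload handler that keeps the client's filename out of the filesystem path entirely (the traversal point above) and decides the file type from the bytes via finfo instead of the extension (the extension point above). The form field name, UPLOAD_DIR and the allowed-type list are assumptions.

```php
<?php
// Added example, not pixelblog's own code. Assumed: form field 'image',
// uploads stored under UPLOAD_DIR, only the image types listed are wanted.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// The pattern the post describes: lowercase, spaces to hyphens, date prefix,
// and the client's name otherwise used as-is. Slashes in $clientName are
// kept, so the resulting path can leave UPLOAD_DIR.
function unsafeTargetPath(string $clientName): string
{
    $name = strtolower(str_replace(' ', '-', $clientName));
    return UPLOAD_DIR . '/' . date('Y-m-d') . '-' . $name;
}

// Hardened variant: nothing the client sent reaches the path, and the
// extension is derived from the sniffed MIME type, not from the client.
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Type from content; the client can lie about the extension but not
    // (easily) about the magic bytes finfo inspects.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported file type: ' . $mime);
    }
    // Server-generated random name, date prefix kept as in the original.
    $name = date('Y-m-d') . '-' . bin2hex(random_bytes(8)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (file_exists($dest) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// If the original name must be kept (for display or metadata), treat it as
// data, never as a path: basename() drops directories, the regex drops the
// rest (NUL bytes, control characters, shell metacharacters).
function displayName(string $clientName): string
{
    $base = basename(str_replace('\\', '/', $clientName));
    $clean = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    return substr($clean, 0, 100) ?: 'file';
}
```

Usage: `$stored = storeUpload($_FILES['image']);` and, if you want it, `displayName($_FILES['image']['name'])` for the label; with the example input from the post, displayName('../../../../../etc/passwd') returns passwd.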
