PHP Validating the File Upload


Question

I'm a PHP beginner and currently learning the "Validating the File Upload" part.

I made a test.php page containing the following code:

var_dump(@$_FILES['file']['type']);

First, I uploaded an image "img.gif" and it returned:

string 'image/gif' (length=9)

Then, I changed the image's extension to ".jpg" and it returned:

string 'image/jpeg' (length=10)

So I realized $_FILES["file"]["type"] only returns the uploaded file's extension but doesn't actually check what the file is.

On this page, http://www.w3schools.com/php/php_file_upload.asp, there is this code:

$allowedExts = array("gif", "jpeg", "jpg", "png");
$extension = end(explode(".", $_FILES["file"]["name"]));
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/png"))
&& ($_FILES["file"]["size"] < 20000)
&& in_array($extension, $allowedExts))

I'm wondering why the code above checks the file extension twice? I deleted some of it, and this is my new code:

$allowedExts = array("gif", "jpeg", "jpg", "png");
$extension = end(explode(".", $_FILES["file"]["name"]));
if (($_FILES["file"]["size"] < 20000) && in_array($extension, $allowedExts))

Is my code correct? Or do you have any better way to validate that the uploaded file is an image?

Thanks!

Recommended answer

You should pass the tmp_name of the file* to getimagesize; it will give you the size and type of the image (if it is an image). If the passed argument is a file but not an image, it returns false, which will allow you to validate.

Edit: The only reliable method of image validation is to make a copy of it using GD or Imagick - getimagesize can be easily hacked.

*: I mean the temporary file created after upload.

For example:

if ($_SERVER['REQUEST_METHOD'] === 'POST')
{
    $file = $_FILES['file']['tmp_name'];
    if (file_exists($file))
    {
        $imagesizedata = getimagesize($file);
        if ($imagesizedata === FALSE)
        {
            //not image
        }
        else
        {
            //image
            //use $imagesizedata to get extra info
        }
    }
    else
    {
        //not file
    }
}

This code uses file_exists just to be general. In case no file was uploaded, you would get $_FILES['file']['size'] = 0, $_FILES['file']['tmp_name'] = '' and $_FILES['file']['error'] = 4. See also is_readable. For the error values, see "File upload errors explained" at php.net.
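The answer's two recommendations, the getimagesize check and a GD re-encode, combined into one validator, as an added example that is not part of the original answer. The function name validate_uploaded_image, the $destDir parameter and the 20000-byte limit (borrowed from the question's snippet) are assumptions; it requires the GD extension.

```php
<?php
// Added example (not from the original answer): validate an upload with the
// checks the answer recommends, then re-encode it with GD so only pixel data
// survives. Returns the path of the re-encoded copy, or null on rejection.
// Assumes the GD extension is loaded and that $destDir lies outside the web root.
function validate_uploaded_image(array $file, string $destDir, int $maxBytes = 20000): ?string
{
    // 1. Trust the upload error code, not the client-supplied 'type' or 'name'.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null; // UPLOAD_ERR_NO_FILE (4), size limits, partial uploads, ...
    }
    $tmp = $file['tmp_name'];
    // is_uploaded_file() rejects anything that did not arrive via HTTP POST.
    if (!is_uploaded_file($tmp) || !is_readable($tmp) || filesize($tmp) > $maxBytes) {
        return null;
    }
    // 2. getimagesize() inspects the file header; false means "not an image".
    $info = getimagesize($tmp);
    if ($info === false) {
        return null;
    }
    // $info[2] is the detected IMAGETYPE_* constant, independent of the filename.
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if (!isset($allowed[$info[2]])) {
        return null; // other formats (BMP, WebP, ...) are not accepted here
    }
    // 3. A header check alone can be satisfied by a file that also carries other
    //    content, so decode the pixels and write a brand-new image from them.
    $img = @imagecreatefromstring(file_get_contents($tmp));
    if ($img === false) {
        return null; // header looked right but the body did not decode
    }
    // Name the copy ourselves: the client's filename never reaches the disk.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    $ok = imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? $dest : null;
}
```

Call it as validate_uploaded_image($_FILES['file'], '/path/outside/webroot') inside the POST branch from the answer; a null result means the upload should be discarded.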
