PHP: How to properly check MIME type of a file?

Views: 318

Question


I have an input where you can upload images, the only allowed images types are:

png, jpg, jpeg


Before the image is inserted into the database, it checks whether the pictures are png, jpg or jpeg. But now, for security reasons, I need to check the MIME type before or after the first check.


How do I do this? This is my code:

<?php

// Extension whitelist used below (the allowed types named above; added here so the snippet is complete)
$aExtensionWhitelist = ['png', 'jpg', 'jpeg'];

$iAmountOfFiles = count($_FILES['Filename']['name']);

while($iAmountOfFiles >= 1) {

    $iAmountOfFiles--;

    $aFileProperties = pathinfo($_FILES['Filename']['name'][$iAmountOfFiles]);
    // pathinfo() returns no "extension" key when the name has none; treat that as not allowed
    if(!in_array(strtolower($aFileProperties["extension"] ?? ''), $aExtensionWhitelist)) {
        echo "Bestands type niet toegestaan"; // Dutch: "File type not allowed"
        // exit;
        continue;
    }

    // ROOT and BACKEND are constants defined elsewhere in the application
    $sTarget = ROOT.BACKEND."/pages/bezienswaardigheden-toevoegen/uploads/";
    $sUniqueFileNameHash = hash('adler32', time().rand());
    $Filename = basename($aFileProperties["filename"]."-".$sUniqueFileNameHash.".".strtolower($aFileProperties["extension"]));

    // Writes the Filename to the server
    if(move_uploaded_file($_FILES['Filename']['tmp_name'][$iAmountOfFiles], $sTarget.$Filename)) {

        // here needs to come the mime check

    }
}

Answer


To get the MIME type, developers generally depend on $_FILES['input_name']['type']. But this is absolutely vulnerable, because a malicious user can set one of the image/jpg, image/png, image/gif etc. MIME types on a file that is not actually an image. In that case, the malicious user may get your script to pass and upload another file instead of an image, and execute your script for their purposes, which is dangerous.


So I recommend that you do not depend on the following snippet to get the MIME type of a file:

$_FILES['input_name']['type'];


Rather, I would recommend using the mime_content_type() function to get the MIME type, but with the help of another of PHP's built-in functions, is_uploaded_file(). What it does is:


This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd.


This sort of check is especially important if there is any chance that anything done with uploaded files could reveal their contents to the user, or even to other users on the same system.


So to make this function work properly it needs a specific argument. Check out the code below:

if (is_uploaded_file($_FILES['input_name']['tmp_name'])) {
    // do other stuff
}


This function returns true on success, false otherwise. So if it returns true then you're ok with the file, thanks to this function. Now the mime_content_type() function comes into play. How? Look at the code below:

if (is_uploaded_file($_FILES['input_name']['tmp_name'])) {
    // Notice how to grab the MIME type: from the file contents, not from $_FILES[...]['type']
    $mime_type = mime_content_type($_FILES['input_name']['tmp_name']);

    // If you want to allow certain files
    $allowed_file_types = ['image/png', 'image/jpeg', 'application/pdf'];
    if (! in_array($mime_type, $allowed_file_types, true)) {
        // File type is NOT allowed: stop here so the file is never moved
        exit('File type not allowed');
    }

    // Set up destination of the file (move_uploaded_file() needs a full file path, not just a directory;
    // the client-supplied name is used here only for illustration)
    $destination = '/path/to/move/your/file/' . basename($_FILES['input_name']['name']);

    // Now you move/upload your file
    if (move_uploaded_file($_FILES['input_name']['tmp_name'], $destination)) {
        // File moved to the destination
    }
}


BTW, for novices: do not try a remote URL with this function to get the MIME type. The code below will not work:

mime_content_type('http://www.example.com/uploads/example.png');


But the one below would work:

mime_content_type('/source/to/your/file/etc.png');


Hope you would enjoy uploading file from now on.
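A complete upload validator that puts the answer's advice together, as an added example (not code from the question or the answer): it ignores the client-supplied `$_FILES[...]['type']`, requires `is_uploaded_file()`, whitelists extensions, detects the MIME type from the file contents with `finfo` (the same libmagic engine behind `mime_content_type()`), checks that the detected type matches the extension, confirms with `getimagesize()` that the file decodes as an image, and stores it under a random name so the client cannot choose the path. It also handles the multi-file `$_FILES` layout used in the question. The function names, the `ALLOWED_TYPES` table and the `uploads` directory are my own assumptions.

```php
<?php
// Added example, not from the original post. Function and constant names are hypothetical.
declare(strict_types=1);

// Extension => content types accepted for it. Note that "image/jpg" is not a real
// MIME type; libmagic and getimagesize() both report JPEG files as image/jpeg.
const ALLOWED_TYPES = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

// Convert the multi-file shape of $_FILES['field'] (name[], tmp_name[], ...)
// into a list of single-file arrays so each one can be validated on its own.
function splitFilesArray(array $multi): array
{
    $files = [];
    foreach ($multi['name'] as $i => $_) {
        $files[] = [
            'name'     => $multi['name'][$i],
            'type'     => $multi['type'][$i],      // client-controlled, never trusted below
            'tmp_name' => $multi['tmp_name'][$i],
            'error'    => $multi['error'][$i],
            'size'     => $multi['size'][$i],
        ];
    }
    return $files;
}

// Validate one single-file entry. Returns the detected MIME type or throws with a reason.
function validateUploadedImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'unknown'));
    }

    // 1. The path must come from the HTTP upload mechanism (the answer's is_uploaded_file() check).
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 2. Extension whitelist. The name is chosen by the client, so this alone proves nothing.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException("Extension '$ext' is not allowed");
    }

    // 3. MIME type detected from the file contents, never from $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("Content type '$mime' does not match extension '$ext'");
    }

    // 4. The image decoder must agree as well; a file with only a forged header fails here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('File is not a valid image');
    }

    return $mime;
}

// Validate, then move to a random filename with the validated extension.
// Returns the stored path.
function storeUploadedImage(array $file, string $uploadDir): string
{
    validateUploadedImage($file);
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    // move_uploaded_file() needs a full target path, not just a directory.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return $dest;
}

// Usage from the upload handler; "Filename" is the multi-file form field from the question.
if (isset($_FILES['Filename']) && is_array($_FILES['Filename']['name'])) {
    foreach (splitFilesArray($_FILES['Filename']) as $file) {
        try {
            $saved = storeUploadedImage($file, __DIR__ . '/uploads');
            echo 'Stored ' . htmlspecialchars($saved) . "\n";
        } catch (RuntimeException $e) {
            http_response_code(400);
            echo 'Rejected: ' . htmlspecialchars($e->getMessage()) . "\n";
        }
    }
}
```

The extension check and the content check are both kept, deliberately: the extension decides how the web server will later treat the stored file, and the content check decides whether it really is an image. Keeping the `uploads` directory outside the document root, or serving it with script execution disabled, is the complement to this validation.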
