PHP 上传文件验证 [英] PHP Upload File Validation

问题描述

我正在创建文件上传脚本，并且正在寻找验证上传文件的最佳技术和实践.

I am creating file upload script and I'm looking for the best techniques and practices to validate uploaded files.

允许的扩展名是:

$allowed_extensions = array('gif','jpg','png','swf','doc','docx','pdf','zip','rar','rtf','psd');

这是我正在做的事情的清单.

Here's the list of what I'm doing.

1. 检查文件扩展名

1. Checking file extension

$path_info = pathinfo($filename);
if( !in_array($path_info['extension'], $allowed_extensions) ) {
    die('File #'.$i.': Incorrent file extension.');
}

检查文件 mime 类型

Checking file mime type

$allowed_mimes = array('image/jpeg','image/png','image/gif','text/richtext','multipart/x-zip','application/x-shockwave-flash','application/msword','application/pdf','application/x-rar-compressed','image/vnd.adobe.photoshop');
if( !in_array(finfo_file($finfo, $file), $allowed_mimes) ) {
    die('File #'.$i.': Incorrent mime type.');
} 

检查文件大小.

Checking file size.

我应该怎么做才能确保上传的文件是有效文件?我注意到奇怪的事情.我将 .jpg 文件扩展名更改为 .zip 并且...它已上传.我认为它的 MIME 类型不正确，但之后我注意到我没有检查特定类型，而是检查数组中是否存在特定的 MIME 类型.我稍后会修复它，这对我来说没有问题(当然，如果您有任何好的解决方案/想法，请不要犹豫分享它).

What should I do to make sure uploaded files are valid files? I noticed strange thing. I changed .jpg file extension to .zip and... it was uploaded. I thought it will have incorrect MIME type but after that I noticed I'm not checking for a specific type but if a specific MIME type exist in array. I'll fix it later, that presents no problems for me (of course if you got any good solution/idea, do not hesitate to share it, please).

我知道如何处理图像(尝试调整大小、旋转、裁剪等)，但不知道如何验证其他扩展.

I know what to do with images (try to resize, rotate, crop, etc.), but have no idea how to validate other extensions.

现在该回答我的问题了.

Now's time for my questions.

1. 您知道验证此类文件的好方法吗?也许我应该解压缩 .zip/.rar 文件的存档，但是文档(doc、pdf)呢?
2. .psd 文件是否可以旋转、调整大小?
3. 基本上我认为 .psd 文件具有以下 mime: application/octet-stream 但是当

我尝试上传它显示给我的 .psd 文件 (image/vnd.adobe.photoshop).我对此有点困惑.文件是否总是具有相同的 MIME 类型?

I tried to upload .psd file it showed me (image/vnd.adobe.photoshop). I'm a bit confused about this. Do files always have the same MIME type?

另外，我不能强制代码块工作.有人猜到为什么吗?

Also, I cannot force code block to work. Does anyone have a guess as to why?

推荐答案

许多文件格式都有一组非常标准的起始字节来指示格式.如果您对前几个字节进行二进制读取并针对已知格式的起始字节进行测试，那么它应该是确认文件类型与扩展名匹配的一种相当可靠的方法.

Lots of file formats have a pretty standard set of starting bytes to indicate the format. If you do a binary read for the first several bytes and test them against the start bytes of known formats it should be a fairly reliable way to confirm the file type matches the extension.

例如JPEG的起始字节为0xFF、0xD8；就像这样:

For example, JPEG's start bytes are 0xFF, 0xD8; so something like:

$fp = fopen("filename.jpg", "rb");
$startbytes = fread($fp, 8);
$chunked = str_split($startbytes,1);
if ($chunked[0] == 0xFF && $chunked[1] == 0xD8){
    $exts[] = "jpg";
    $exts[] = "jpeg";
}

然后检查分机.

可以工作.

这篇关于PHP 上传文件验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！