0

以下表格在我的页面html页面上

<form action="upload_file.php" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" /> 
<br />
<input type="submit" name="submit" value="Submit" />
</form>

这是php的脚本

<?php

    if ((($_FILES["file"]["type"] == "image/gif")
    || ($_FILES["file"]["type"] == "image/jpeg")
    || ($_FILES["file"]["type"] == "image/png")
    || ($_FILES["file"]["type"] == "image/jpg")
    || ($_FILES["file"]["type"] == "image/pjpeg"))
    && ($_FILES["file"]["size"] < 200000000000))
      {
      if ($_FILES["file"]["error"] > 0)
        {
        echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
        }
      else
        {
        echo "Upload: " . $_FILES["file"]["name"] . "<br />";
        echo "Type: " . $_FILES["file"]["type"] . "<br />";
        echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

        if (file_exists("pics/2012/Blackhall Primary/" . $_FILES["file"]["name"]))
          {
          echo $_FILES["file"]["name"] . " already exists. ";
          }
        else
          {
          move_uploaded_file($_FILES["file"]["tmp_name"],
          "pics/2012/Blackhall Primary/" . $_FILES["file"]["name"]);
          echo "Stored in: " . "pics/2012/Blackhall Primary/" . $_FILES["file"]["name"];
          }
        }
      }
    else
      {
      echo "Invalid file";
      }
    ?>

当我在表单上按选择时,什么也没有。它工作正常。带有表单的页面称为upload pictuture.html,脚本称为upload_file.php,它们都位于根目录中,并且pics/2012/blackhall primary 文件夹确实存在,并且pics 目录也位于根目录中。

这是有效的,但不是,任何人都可以看到我犯的任何错误。

谢谢罗斯

4

1 回答 1

1

Change your privileges and by whom script is executed (usually www-data or apache2) - this account must has write and probably read access to directory, where pictures are uploaded.

Anyway, checking file type based on $_FILES["file"]["type"] isn't safe. This can be easily falsified by hacker.

于 2012-07-05T14:53:25.123 回答