0

我有一个 switch 语句,它确定上传的图像的文件类型以在我的应用程序中用作头像,但是它似乎有点错误,因为它允许成功注册,无论是否存在允许的文件类型,并且没有错误消息被返回。不允许提交的文件类型。

$submit = $_POST['submit'];

if ($submit == 'Sign up!') {
    require_once("db_connect.php");
    $submit = clean_string($_POST['submit']);
    $first_name = clean_string($_POST['first-name']);
    $last_name = clean_string($_POST['last-name']);
    $email = clean_string($_POST['email']);
    $password = clean_string($_POST['password']);
    $confirm_password = clean_string($_POST['confirm-password']);

    //Output variables
    $register_bad_message = '';
    $register_good_message = '';

    require_once($_SERVER['DOCUMENT_ROOT'] . '/recaptcha/recaptchalib.php');
    $privatekey = "6Ldbd8ASAAAAAFz8VT29H5w4WLNjsbI-mFY2QkaC";
    $resp = recaptcha_check_answer ($privatekey,
                                    $_SERVER["REMOTE_ADDR"],
                                    $_POST["recaptcha_challenge_field"],
                                    $_POST["recaptcha_response_field"]);
    if (!$resp->is_valid) {
        $errMessage = $resp->error;
        $register_bad_message = '<div class="alert alert-error">The reCAPTCHA you entered wasn\'t correct. Please try again.</div>';?>
        <script>
            $('a.account-register').trigger('click');
        </script><?php
    } else {
        if ($first_name&&$last_name&&$email&&$password&&$confirm_password) {
            if ($password == $confirm_password) {
                if (strlen($password) > 25 || strlen($password) < 6) {
                    $register_bad_message = '<div class="alert alert-error">Please enter a password between 6 and 25 characters.</div>';?>
                    <script>
                        $('a.account-register').trigger('click');
                    </script><?php
                } else {
                    if($db_server) {
                        $first_name = clean_string($first_name);
                        $last_name = clean_string($last_name);
                        $email = clean_string($email);
                        $password = clean_string($password);
                        mysql_select_db($db_database);

                        $taken = mysql_query("SELECT email FROM users WHERE email='$email'");
                        $count = mysql_num_rows($taken);
                        if ($count > 0) {
                            $register_bad_message = '<div class="alert alert-error">The email you have entered is already associated with a Screening account. Please choose another.</div>';?>
                            <script>
                                $('a.account-register').trigger('click');
                            </script><?php
                        } else {
                            if ($_FILES) {
                                //Put file properties into variables
                                $file_name = $_FILES['profile-image']['name'];
                                $file_size = $_FILES['profile-image']['size'];
                                $file_tmp_name = $_FILES['profile-image']['tmp_name'];


                                //Determine filetype
                                switch ($_FILES['profile-image']['type']) {
                                    case 'image/jpeg': $ext = "jpg"; break;
                                    case 'image/png': $ext = "png"; break;
                                    default: $ext = ''; break;
                                }

                                if ($ext) {
                                    //Check filesize
                                    if ($file_size < 5242880) {
                                        //Process file - resize, clean up filename and move to safe location
                                        $image = new SimpleImage();
                                        $image->load($file_tmp_name);
                                        $image->resizeToWidth(250);
                                        $image->save($file_tmp_name);


                                        $n = "$file_name";
                                        $n = ereg_replace("[^A-Za-z0-9.]", "", $n);
                                        $n = strtolower($n);
                                        $n = "avatars/$n";
                                        move_uploaded_file($file_tmp_name, $n);
                                    } else {
                                        $register_bad_message = '<div class="alert alert-error">Please ensure your chosen file is less than 5MB.</div>';?>
                                        <script>
                                            $('a.account-register').trigger('click');
                                        </script><?php
                                    }
                                } else if (!empty($ext)) {
                                    $register_bad_message = '<div class="alert alert-error">Please ensure your image is of filetype .jpg or.png.</div>';?>
                                    <script>
                                        $('a.account-register').trigger('click');
                                    </script><?php
                                }
                            }
                            $password = md5($password);
                            $query = "INSERT INTO users (first_name, last_name, email, password, image) VALUES ('$first_name', '$last_name', '$email', '$password', '$n')";
                            mysql_query($query) or die("Insert failed. " . mysql_error() . "<br />" . $query);
                            $register_good_message = '<div class="alert alert-success">Registration successful!</div>';?>
                            <script>
                                $('a.account-register').trigger('click');
                            </script><?php
                        }
                    } else {
                        $register_bad_message = '<div class="alert alert-error">Error: could not connect to the database.</div>';?>
                        <script>
                            $('a.account-register').trigger('click');
                        </script><?php
                    }
                    require_once("db_close.php");
                }
            } else {
                $register_bad_message = '<div class="alert alert-error">Passwords failed to match. Please try again.</div>';?>
                <script>
                    $('a.account-register').trigger('click');
                </script><?php
            }
        } else {
            $register_bad_message = '<div class="alert alert-error">Please fill in all fields before continuing.</div>';?>
            <script>
                $('a.account-register').trigger('click');
            </script><?php
        }
    }
}

例如,上传 .GIF 文件不会出现错误并显示“注册成功”消息,但是在登录个人资料时,不会显示上传的个人资料照片。我在想代码拒绝文件类型而不是将其存储在数据库中,但仍在处理注册,而不是取消它,这是它应该做的。

4

2 回答 2

1

您必须设置$extfalse而不是 '' 因为这对于 if 语句不是错误的。

default: $ext = false; break;

或者您检查是否$ext不是空字符串:

if ($ext != '') {

为了防止在上传无效文件类型时注册,您必须输入

$password = md5($password);
$query = "INSERT INTO users (first_name, last_name, email, password, image) VALUES ('$first_name', '$last_name', '$email', '$password', '$n')";
mysql_query($query) or die("Insert failed. " . mysql_error() . "<br />" . $query);
$register_good_message = '<div class="alert alert-success">Registration successful!</div>';?>
<script>
$('a.account-register').trigger('click');
</script><?php

if($ext != '') { /*Put code at the end of if*/}或的内部if($ext) { /*Put code at the end of if*/ }。否则,是否存在有效的文件类型并不重要。

于 2013-03-31T11:33:05.853 回答
0

有时,$_FILES['profile-image']['type'] 的内容没有设置。例如,如果您从 cURL 或套接字提交文件。我会尝试从 $_FILES['profile-image']['tmp_name'] 为自己加载 mime 类型

编辑:

我也注意到了这个结构:

  if ($_FILES) { .... }

应该有更好用

  if (isset($_FILES[key])){ .... }
于 2013-03-31T11:30:27.093 回答