1

我有一个file-type检查image扩展的验证。

但是,当我尝试上传文件时,例如.exeor.mp3以及除允许的扩展名之外的几乎任何内容:

 $allowed_ext = array('jpg', 'jpeg', 'png', 'gif');

它随机工作,我的意思是,有时它会回显错误,有时错误不会被回显。

这是检查扩展名的行.... thingy

    if (in_array($image_ext, $allowed_ext) === false){
        $errors[] = '<font color="red">*File type is not allowed.</font>';
    }

完整代码:

if (isset($_FILES['image'], $_POST['album_id'])){
    $image_name = $_FILES['image']['name'];
    $image_size = $_FILES['image']['size'];
    $image_temp = $_FILES['image']['tmp_name'];


$allowed_ext = array('jpg', 'jpeg', 'png', 'gif');
//seperate thingies
$tmp = explode('.', $image_name);
$image_ext = strtolower(end($tmp));

$album_id = $_POST['album_id'];
//error array
$errors = array();

if (empty($image_name)){
    $errors[] = '<font color="red">*Please choose a photo.</font>';
} 
if (empty($album_id)){  
    $errors[] = '<font color="red">Invalid album.</font>';
} else {
        // not allowed extension?
    if (!$allowed_ext){
        $errors[] = '<font color="red">*The file type is not supported</font>';
    }

    if (in_array($image_ext, $allowed_ext) === false){
        $errors[] = '<font color="red">*File type is not allowed.</font>';
    }   
                    // 5 MB file
    if ($image_size > 5242880 ){
        $errors[] = '<font color="red">*Maximum file size is 2MB.</font>';
    }
    if (album_check($album_id) === false){
        $errors[] = '<font color="red">*Couldn\'t upload to that album.</font>';
    }
    // puting this in here prevent undefined index error. 
    $caption = $_POST['caption'];
    if (empty($caption)){
        $errors[] = '<font color="red">*Caption cannot be empty</font>';
    }

}
// check if error, if error, echo errors
if (!empty($errors)){
    foreach ($errors as $error){
        echo $error, '<br />';
    }
} else {
// upload the image if no error
    upload_image($image_temp, $image_ext, $album_id);
    header('Location: view_album.php?album_id='.$album_id);
    exit();

  }
4

2 回答 2

1

根据您的设置,仅检查扩展可能并不安全。我可以上传带有jpg扩展名的 PHP 文件,如果您的服务器设置不正确,我可以执行它。我想更好的检查是上传后的文件类型。

<?php
$allowed_types=array(
    'image/gif',
    'image/jpeg',
    'image/png',
);

if (isset($_FILES['image']) {
  //as the type in $_FILES isnt checked by php, use this.
  $finfo = new finfo(FILEINFO_MIME);
  $type = $finfo->file($_FILES['image']['tmp_name']);
  $mime = substr($type, 0, strpos($type, ';'));

  if (in_array($mime, $allowed_types)
  {
     //allowed
  }
}
?>

但是您可以使用相同的方法进行扩展。

<?php
$allowed_ext=array(
    'gif',
    'jpg',
    'jpeg',
    'png',
);

if (isset($_FILES['image']) {
  $t = explode('.',basename($_FILES['image']['name']));
  $ext = str_to_lower(array_pop($t));
  if (in_array($ext, $allowed_ext)
  {
     //allowed
  }
}
?>
于 2013-05-14T07:17:01.740 回答
1

不要将图像扩展和大小验证放在子句中,从代码中else删除子句else

if (isset($_FILES['image'], $_POST['album_id']))
{
   $image_name = $_FILES['image']['name'];
   $image_size = $_FILES['image']['size'];
   $image_temp = $_FILES['image']['tmp_name'];

   $allowed_ext = array('jpg', 'jpeg', 'png', 'gif');
   //seperate thingies
   $tmp = explode('.', $image_name);
   $image_ext = strtolower(end($tmp));

   $album_id = $_POST['album_id'];

  //error array
  $errors = array();

 if (empty($image_name))
 {
     $errors[] = '<font color="red">*Please choose a photo.</font>';
 } 

if (empty($album_id))
{  
  $errors[] = '<font color="red">Invalid album.</font>';
}

// not allowed extension?
if (!$allowed_ext){
    $errors[] = '<font color="red">*The file type is not supported</font>';
}

if (in_array($image_ext, $allowed_ext) === false){
    $errors[] = '<font color="red">*File type is not allowed.</font>';
}   
                // 5 MB file
if ($image_size > 5242880 ){
    $errors[] = '<font color="red">*Maximum file size is 2MB.</font>';
}
if (album_check($album_id) === false){
    $errors[] = '<font color="red">*Couldn\'t upload to that album.</font>';
}
// puting this in here prevent undefined index error. 
$caption = $_POST['caption'];
if (empty($caption)){
    $errors[] = '<font color="red">*Caption cannot be empty</font>';
}


// check if error, if error, echo errors
if (!empty($errors))
{
  foreach ($errors as $error)
  {
      echo $error, '<br />';
  }
}
else 
{
  // upload the image if no error
  upload_image($image_temp, $image_ext, $album_id);
  header('Location: view_album.php?album_id='.$album_id);
  exit();
}
于 2013-05-14T07:18:47.647 回答