I made the same kind of upload form for photo uploads, like the one here. Is that all I can do to protect my site, or do I need to add something? Thanks a lot.
Viewed 122 times
2 answers
3
I would say no. The check there that is meant to restrict the uploaded file type:
```php
if ((($_FILES["file"]["type"] == "image/gif")
    || ($_FILES["file"]["type"] == "image/jpeg")
    || ($_FILES["file"]["type"] == "image/pjpeg"))
....
```
That "type" is supplied by the browser and cannot be relied on for security purposes. Someone can easily craft a request that sends an executable file with a type of "image/gif", and the script will happily accept it.
A better check is to use something like getimagesize or one of the other GD functions to verify that it actually is an image.
Answered 2010-06-25T18:00:52.580
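The content-based check this answer recommends, as an added example in PHP 8 that is not code from either answer: it rejects the upload unless getimagesize can parse an image header, whitelists by the detected type rather than the client-sent MIME string or extension, re-encodes through GD and stores under a server-generated name. It assumes a form field named `file` and a writable `upload/` directory next to the script.

```php
<?php
// Added example, not code from either answer: validate an upload by content
// (getimagesize) and re-encode it through GD. Assumes a form field "file".

function validate_uploaded_image(array $file): ?string
{
    // Transport errors and anything that did not arrive via HTTP POST are rejected.
    if (($file['error'] ?? -1) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // getimagesize() parses the image header itself; a renamed script has none
    // and yields false, whatever the client-supplied 'type' string says.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    // Whitelist by the detected type constant, not by filename extension.
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    return $allowed[$info[2]] ?? null;
}

function store_uploaded_image(array $file, string $uploadDir): ?string
{
    $ext = validate_uploaded_image($file);
    if ($ext === null) {
        return null;
    }
    // Re-encode so bytes appended after the image data are not carried into the stored file.
    $src = match ($ext) {
        'gif' => imagecreatefromgif($file['tmp_name']),
        'jpg' => imagecreatefromjpeg($file['tmp_name']),
        'png' => imagecreatefrompng($file['tmp_name']),
    };
    if ($src === false) {
        return null;
    }
    // Server-generated name: the original filename never reaches the disk.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($ext) {
        'gif' => imagegif($src, $dest),
        'jpg' => imagejpeg($src, $dest, 90),
        'png' => imagepng($src, $dest),
    };
    imagedestroy($src);
    return $ok ? $dest : null;
}

$saved = store_uploaded_image($_FILES['file'] ?? [], __DIR__ . '/upload');
echo $saved === null ? 'Upload rejected' : 'Stored as ' . basename($saved);
```

Keep the upload directory outside the web root or configured so the server never executes files from it; the content check reduces the chance of storing non-images, it does not make the directory safe to execute from.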
0
I have this old function that I still use for creating a single image:
```php
<?php
$portal_name = 'yoursite name that will be written as watermark';

/**
 *
 * @param $only_file_name if "on", returns the two file names; otherwise returns the full paths where they were saved
 * @param $type_action if "crop", crops the big image
 * @param $t_h = thumbnail height
 * @param $t_w = thumbnail width
 * @param $n_h = big height
 * @param $n_w = big width
 * @param $path1 = folder for the big image, with trailing slash
 * @param $path2 = folder for the thumbnail, with trailing slash
 * @param $param_file_name = name your file, e.g. rand(0,50); or better time();
 * @param $file_object = the $_FILES['filename'];
 * @param $file_size = maximum file size in kb
 * @param $thumb = shall i crop the thumbnail ?
 * @param $watermarkon = use watermark or not
 */
function Make_Single_Picture($only_file_name="on", $type_action="crop", $t_h, $t_w, $n_h, $n_w, $path1, $path2, $param_file_name, $file_object, $file_size, $thumb="crop", $watermarkon="yes") {
    global $portal_name;
    $Picture = $file_object;
    $image = $Picture["name"];
    $uploadedfile = $Picture['tmp_name'];

    // The watermark PNG is only used for its dimensions, to position the text drawn below.
    $watermark = imagecreatefrompng("watermark.png");
    imagealphablending($watermark, true);
    $watermark_width = imagesx($watermark);
    $watermark_height = imagesy($watermark);

    if (!$image) {
        imagedestroy($watermark);
        return FALSE;
    }

    $filename = stripslashes($Picture['name']);
    $extension = strtolower(getExtension($filename));
    if (($extension != "jpg") && ($extension != "jpeg") && ($extension != "png")) {
        imagedestroy($watermark);
        return FALSE;
    }

    $size = filesize($Picture['tmp_name']);
    if ($size > $file_size * 1024) {
        imagedestroy($watermark);
        return FALSE;
    }

    // Decode according to the extension that passed the check above.
    if ($extension == "jpg" || $extension == "jpeg") {
        $src = imagecreatefromjpeg($uploadedfile);
    } else {
        $src = imagecreatefrompng($uploadedfile);
    }
    // A file that is not really an image of that type fails to decode.
    if ($src === false) {
        imagedestroy($watermark);
        return FALSE;
    }
    list($width, $height) = getimagesize($uploadedfile);

    if ($type_action == "crop") {
        $newwidth = $n_w;
        $newheight = $n_h;
        if ($width < $n_w) {
            $newwidth = $width;
        }
        if ($height < $n_h) {
            $newheight = $height;
        }
    } else {
        // Keep the aspect ratio: derive the height from the requested width,
        // and keep the original size when the image is already smaller.
        $newwidth = $n_w;
        $newheight = (int) round(($height / $width) * $newwidth);
        if ($width < $n_w) {
            $newwidth = $width;
            $newheight = $height;
        }
    }
    $tmp = imagecreatetruecolor((int) $newwidth, (int) $newheight);

    if ($thumb == "crop") {
        $newwidth1 = $t_w;
        $newheight1 = $t_h;
    } else {
        $newwidth1 = $t_w;
        $newheight1 = (int) round(($height / $width) * $newwidth1);
    }
    $tmp1 = imagecreatetruecolor((int) $newwidth1, (int) $newheight1);

    imagecopyresampled($tmp, $src, 0, 0, 0, 0, $newwidth, $newheight, $width, $height);
    $dest_x = ($newwidth - $watermark_width) + 20;
    $dest_y = ($newheight - $watermark_height) + 35;
    if ($watermarkon == "yes") {
        $color_of_the_text = imagecolorallocate($tmp, 255, 255, 255);
        // path to the font that you want to use when printing watermark
        $font = "txt_cache/GILLUBCD.TTF";
        imagettftext($tmp, 16, 0, $dest_x, $dest_y, $color_of_the_text, $font, $portal_name);
    }
    imagecopyresampled($tmp1, $src, 0, 0, 0, 0, $newwidth1, $newheight1, $width, $height);

    // Both outputs are written with imagejpeg(), so the stored name always ends in .jpg
    // whatever extension the upload had.
    $image_name = $param_file_name . '.jpg';
    $filename = $path1 . $image_name;
    $filename1 = $path2 . $image_name;
    imagejpeg($tmp, $filename, 100);
    imagejpeg($tmp1, $filename1, 100);
    imagedestroy($src);
    imagedestroy($tmp);
    imagedestroy($tmp1);
    imagedestroy($watermark);

    if ($only_file_name == "on") {
        return array('huge' => $image_name, 'thumb' => $image_name);
    } else {
        return array('huge' => $filename, 'thumb' => $filename1);
    }
}

/**
 *
 * @param entire array of files $files to be used BEFORE foreach
 * @return will return a valid array of files.
 * @author vertazzar
 */
function fixFilesArray(&$files)
{
    // Re-key a multi-file $_FILES entry from [field][index] to [index][field].
    $names = array('name' => 1, 'type' => 1, 'tmp_name' => 1, 'error' => 1, 'size' => 1);
    foreach ($files as $key => $part) {
        $key = (string) $key;
        if (isset($names[$key]) && is_array($part)) {
            foreach ($part as $position => $value) {
                $files[$position][$key] = $value;
            }
            unset($files[$key]);
        }
    }
}

function getExtension($str) {
    // Return the text after the last dot, or "" when there is none.
    $i = strrpos($str, ".");
    if ($i === false) { return ""; }
    return substr($str, $i + 1);
}
?>
```
Usage:
```php
<?php
$files = Make_Single_Picture('off', 'crop', 200, 100, 800, 600, 'path/big/', 'path/small/', time(), $_FILES['filename'], 1000, 'crop', 'yes');
echo $files['huge'];
echo $files['thumb'];
?>
```
Note: this function/code differs slightly from the original, because its variables were in another language, so it will be harder for you to work out what is what; you may want to test it carefully first.
Answered 2010-06-25T20:45:46.857