Php 如何安全地将图像上载到服务器?
这是我的简单HTML代码Php 如何安全地将图像上载到服务器?,php,html,mysql,database,Php,Html,Mysql,Database,这是我的简单HTML代码 <html> <body> <form action="photo.php" method="post" enctype="multipart/form-data"> <label for="file">Filename:</label> <input type="file" name="file" id="file"><
<html>
<body>
<form action="photo.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
这是我上传照片到服务器的PHP代码…谁能告诉我如何将此代码连接到服务器,并将图像路径保存在目录中,然后将图像信息插入数据库…我读到了,直接将图像插入数据库不好,您应该保存图像路径并将图像信息插入数据库…我正在使用本地主机…请帮助我
<?php
#check for session
if (isset($_POST['PHPSESSID']))
session_id($_POST['PHPSESSID']);
else if (isset($_GET['PHPSESSID']))
session_id($_GET['PHPSESSID']);
else
{
HandleError('No Session was found.');
}
session_start();
// Check post_max_size (http://us3.php.net/manual/en/features.file-upload.php#73762)
$POST_MAX_SIZE = ini_get('post_max_size');
$unit = strtoupper(substr($POST_MAX_SIZE, -1));
$multiplier = ($unit == 'M' ? 1048576 : ($unit == 'K' ? 1024 : ($unit == 'G' ? 1073741824 : 1)));
if ((int)$_SERVER['CONTENT_LENGTH'] > $multiplier*(int)$POST_MAX_SIZE && $POST_MAX_SIZE)
HandleError('POST exceeded maximum allowed size.');
// Settings
$save_path = getcwd() . '/uploads/'; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
$upload_name = 'Filedata'; // change this accordingly
$max_file_size_in_bytes = 2097152; // 2MB in bytes
$whitelist = array('jpg', 'png', 'gif', 'jpeg'); // Allowed file extensions
$backlist = array('php', 'php3', 'php4', 'phtml','exe'); // Restrict file extensions
$valid_chars_regex = 'A-Za-z0-9_-\s '; // Characters allowed in the file name (in a Regular Expression format)
// Other variables
$MAX_FILENAME_LENGTH = 260;
$file_name = '';
$file_extension = '';
$uploadErrors = array(
0=>'There is no error, the file uploaded with success',
1=>'The uploaded file exceeds the upload_max_filesize directive in php.ini',
2=>'The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form',
3=>'The uploaded file was only partially uploaded',
4=>'No file was uploaded',
6=>'Missing a temporary folder'
);
// Validate the upload
if (!isset($_FILES[$upload_name]))
HandleError('No upload found in \$_FILES for ' . $upload_name);
else if (isset($_FILES[$upload_name]['error']) && $_FILES[$upload_name]['error'] != 0)
HandleError($uploadErrors[$_FILES[$upload_name]['error']]);
else if (!isset($_FILES[$upload_name]['tmp_name']) || !@is_uploaded_file($_FILES[$upload_name]['tmp_name']))
HandleError('Upload failed is_uploaded_file test.');
else if (!isset($_FILES[$upload_name]['name']))
HandleError('File has no name.');
// Validate the file size (Warning: the largest files supported by this code is 2MB)
$file_size = @filesize($_FILES[$upload_name]['tmp_name']);
if (!$file_size || $file_size > $max_file_size_in_bytes)
HandleError('File exceeds the maximum allowed size');
if ($file_size &lt;= 0)
HandleError('File size outside allowed lower bound'); // Validate its a MIME Images (Take note that not all MIME is the same across different browser, especially when its zip file)
if(!eregi('image/', $_FILES[$upload_name]['type']))
HandleError('Please upload a valid file!'); // Validate that it is an image
$imageinfo = getimagesize($_FILES[$upload_name]['tmp_name']);
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/png' && isset($imageinfo))
HandleError('Sorry, we only accept GIF and JPEG images');
// Validate file name (for our purposes we'll just remove invalid characters)
$file_name = preg_replace('/[^'.$valid_chars_regex.']|\.+$/i', '', strtolower(basename($_FILES[$upload_name]['name'])));
if (strlen($file_name) == 0 || strlen($file_name) > $MAX_FILENAME_LENGTH)
HandleError('Invalid file name');
// Validate that we won't over-write an existing file
if (file_exists($save_path . $file_name))
HandleError('File with this name already exists');
// Validate file extension
if(!in_array(end(explode('.', $file_name)), $whitelist))
HandleError('Invalid file extension');
if(in_array(end(explode('.', $file_name)), $backlist))
HandleError('Invalid file extension');
// Rename the file to be saved
$file_name = md5($file_name. time());
// Verify! Upload the file
if (!@move_uploaded_file($_FILES[$upload_name]['tmp_name'], $save_path.$file_name))
HandleError('File could not be saved.');
exit(0);
/* Handles the error output. */
function HandleError($message) {
echo $message;
exit(0);
}
?>
下面是我连接并插入MySQL数据库的php代码
<?php
$con = mysql_connect("localhost","root","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("simple_login", $con);
mysql_query("INSERT INTO Photo (Photo)
VALUES ('file')");
mysql_close($con);
?>
$file\u name=md5$file\u name。时间;-您需要MD5文件名,这意味着您还需要对文件扩展名进行哈希运算
您应该这样做:
$extention=endexplode'.',$file\u name
$file\u name=md5$file\u name。时间。$延长
要保存文件路径,请执行以下操作:
你可以做:
$file\u name\u 2=getcwd./uploads/。$file\u name
mysql_query插入照片值“$file_name_2” 我认为这不是要求人们为你做事的合适地方。没有必要建立黑名单,因为它不允许任何不在白名单中的扩展。你需要帮助吗?因为在另一个问题中,你说我知道如何使用php将数据发布到服务器并将其保存到数据库中,但在这里你说你不知道如何在数据库中插入路径……那么,你到底在哪里?如果你更精确,我们可以帮助你更好地了解输入字段,如文本,它工作得非常好,但当我尝试上传文件时,它只会给我错误,它不允许我插入它…好的,但什么错误?你是如何使用这些数据的?这是所需要的信息,而不是文件上传的代码墙,因为在上传过程中你没有提到错误。对传递给代码的变量进行一些基本调试,首先,我应该将$file_name_2=getcwd./uploads/'.$file_name…放在不同的位置,但我收到了一条错误消息…TXS我认为您收到了错误消息,因为您的MySQL脚本位于不同的文件中,并且$file_名称没有传递给脚本。我建议在文件中包含MySQL脚本。例如:if@move_upload_file$_FILES[$upload_name]['tmp_name'],$save_path.$file_name{HandleError'无法保存文件。;}其他{include'script.php';}