PHP upload script with mkdir says a file in the same directory already exists, even if the file name is different


My upload script says my file already exists when I try to upload it, even if the file name is different.

<?php
// Start a session for error reporting
session_start();

// Check: if the username session is NOT set then this page will jump to the login page
// exit after the redirect, otherwise PHP keeps running and the upload below
// would still be processed for a request that is not logged in
if (!isset($_SESSION['username'])) {
    header('Location: index.html');
    exit;
}

// Call our connection file
include('config.php');

// Check to see if the type of file uploaded is a valid image type
function is_valid_type($file)
{
    // This is an array that holds all the valid image MIME types
    $valid_types = array("image/jpg", "image/JPG", "image/jpeg", "image/bmp", "image/gif", "image/png");

    if (in_array($file['type'], $valid_types))
        return 1;
    return 0;
}

// Just a short function that prints out the contents of an array in a manner that's easy to read
// I used this function during debugging but it serves no purpose at run time for this example
function showContents($array)
{
    echo "<pre>";
    print_r($array);
    echo "</pre>";
}

// Set some constants
// Grab the User ID we sent from our form
$user_id = $_SESSION['username'];
$category = $_POST['category'];

// This variable is the path to the image folder where all the images are going to be stored
// Note that there is a trailing forward slash
$TARGET_PATH = "img/users/$category/$user_id/";
mkdir($TARGET_PATH, 0755, true);

// Get our POSTed variables
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$contact = $_POST['contact'];
$price = $_POST['price'];
$image = $_FILES['image'];

// Build our target path full string.  This is where the file will be moved to
// i.e.  images/picture.jpg
$TARGET_PATH .= $image['name'];

// Make sure all the fields from the form have inputs
if ($fname == "" || $lname == "" || $image['name'] == "")
{
    $_SESSION['error'] = "All fields are required";
    header("Location: error.php");
    exit;
}

// Check to make sure that our file is actually an image
// You check the file type instead of the extension because the extension can easily be faked
// Note: $_FILES['image']['type'] is sent by the browser, so it can be faked just as easily;
// a server-side check of the file contents (getimagesize/finfo) is the reliable test
if (!is_valid_type($image))
{
    $_SESSION['error'] = "You must upload a jpeg, gif, bmp, or png";
    header("Location: error.php");
    exit;
}

// Here we check to see if a file with that name already exists
// You could get past filename problems by appending a timestamp to the filename and then continuing
if (file_exists($TARGET_PATH))
{
    $_SESSION['error'] = "A file with that name already exists";
    header("Location: error.php");
    exit;
}

// Let's attempt to move the file from its temporary directory to its new home
if (move_uploaded_file($image['tmp_name'], $TARGET_PATH))
{
    // NOTE: This is where a lot of people make mistakes.
    // We are *not* putting the image into the database; we are putting a reference to the file's location on the server

    $imagename = $image['name'];

    $sql = "insert into people (price, contact, category, username, fname, lname, expire, filename) values (:price, :contact, :category, :user_id, :fname, :lname, now() + INTERVAL 1 MONTH, :imagename)";
    $q = $conn->prepare($sql) or die("failed!");
    $q->bindParam(':price', $price, PDO::PARAM_STR);
    $q->bindParam(':contact', $contact, PDO::PARAM_STR);
    $q->bindParam(':category', $category, PDO::PARAM_STR);
    $q->bindParam(':user_id', $user_id, PDO::PARAM_STR);
    $q->bindParam(':fname', $fname, PDO::PARAM_STR);
    $q->bindParam(':lname', $lname, PDO::PARAM_STR);
    $q->bindParam(':imagename', $imagename, PDO::PARAM_STR);
    $q->execute();

    $sql1 = "UPDATE people SET firstname = (SELECT firstname FROM user WHERE username=:user_id1) WHERE username=:user_id2";
    $q = $conn->prepare($sql1) or die("failed!");
    $q->bindParam(':user_id1', $user_id, PDO::PARAM_STR);
    $q->bindParam(':user_id2', $user_id, PDO::PARAM_STR);
    $q->execute();

    $sql2 = "UPDATE people SET surname = (SELECT surname FROM user WHERE username=:user_id1) WHERE username=:user_id2";
    $q = $conn->prepare($sql2) or die("failed!");
    $q->bindParam(':user_id1', $user_id, PDO::PARAM_STR);
    $q->bindParam(':user_id2', $user_id, PDO::PARAM_STR);
    $q->execute();

    header("Location: search.php");
    exit;
}
else
{
    // A common cause of file moving failures is bad permissions on the directory being written to
    // Make sure you chmod the directory to be writeable
    $_SESSION['error'] = "Could not upload file.  Check read/write permissions on the directory";
    header("Location: error.php");
    exit;
}
?>

To validate a directory you should use is_dir.

From the PHP documentation for file_exists:

Returns TRUE if the file or directory specified by filename exists; FALSE otherwise.

From the PHP documentation for is_dir:

Returns TRUE if the filename exists and is a directory, FALSE otherwise.

Please run the following test script:

// Create the directory only when it is missing. A path that does not exist yet is
// never writable, so testing is_writable() before mkdir() would stop the directory
// from ever being created; check writability after mkdir() instead
if (!is_dir($TARGET_PATH)) {
    #var_dump before
    var_dump(is_dir($TARGET_PATH), is_writable($TARGET_PATH));
    mkdir($TARGET_PATH, 0755, true);
}

#var_dump after
var_dump(is_dir($TARGET_PATH), is_writable($TARGET_PATH));

You may be vulnerable to a directory traversal attack.

Thanks for the reply; could you explain how I can protect myself against this attack?

If $category or $user contains "..", you could refuse to continue, I think... However, there is probably a more sophisticated solution somewhere on the internet. Also, I'm not familiar with PHP, so I really don't know.

Thanks for the reply, this returns 'bool(true) bool(true)'.

If that directory did not exist, it would never return true.

Sorry, I'm new to this. The directory exists, but the file name does not. How would I create the directory if it doesn't exist, and how would I continue with the script if the directory does exist?

If the directory does not exist, the script I gave you will create it.
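A hardened version of the path building, directory check and image check discussed above, written as an added example rather than code from the original post or the answer; the UPLOAD_BASE location, the function names and the allowed-character rule for the path segments are assumptions:

```php
<?php
// Added example, not from the original post or the answer. Assumes uploads live
// under UPLOAD_BASE and that category / user id use a small character set.
const UPLOAD_BASE = __DIR__ . '/img/users';

// Accept only letters, digits, '_' and '-' as a path segment, so values such as
// "../" or "a/b" are rejected before they reach the filesystem.
function is_safe_segment(string $s): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $s);
}

// Return the absolute directory for this category/user, creating it if missing.
// Throws if the inputs are unsafe, the directory cannot be created or written to,
// or the resolved path has left UPLOAD_BASE (defence in depth via realpath()).
function upload_dir(string $category, string $userId): string
{
    if (!is_safe_segment($category) || !is_safe_segment($userId)) {
        throw new InvalidArgumentException('Invalid category or user id');
    }
    $dir = UPLOAD_BASE . "/$category/$userId";
    // is_dir(), not file_exists(): an existing directory is fine here, whereas
    // file_exists() is also true for a regular *file* sitting at that path.
    // The second is_dir() tolerates a concurrent request creating it first.
    if (!is_dir($dir) && !@mkdir($dir, 0755, true) && !is_dir($dir)) {
        throw new RuntimeException("Cannot create $dir");
    }
    if (!is_writable($dir)) {
        throw new RuntimeException("$dir is not writable");
    }
    $real = realpath($dir);
    $base = realpath(UPLOAD_BASE);
    if ($real === false || $base === false || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('Upload directory escaped the base directory');
    }
    return $real;
}

// Pick the stored file name from the image type detected on the server, never from
// $_FILES['image']['type'] or the client's file name, so two uploads cannot collide.
function target_file(string $dir, string $tmpPath): string
{
    $ext = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_BMP => 'bmp'];
    $info = @getimagesize($tmpPath); // false for anything that is not an image
    if ($info === false || !isset($ext[$info[2]])) {
        throw new RuntimeException('Not a supported image');
    }
    return $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(8)) . '.' . $ext[$info[2]];
}
```

Call upload_dir() where the question's script calls mkdir(), and target_file() in place of appending $image['name'] to $TARGET_PATH; the returned path is what move_uploaded_file() should receive.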