Restricting uploads by extension in a PHP upload script

I have a working file upload script, and now I want to secure the script by restricting the file extensions, but I don't know how to do it.

<?php
$extensions = array("docx","pdf","png");
if(isset($_FILES['files'])){
    $errors= array();
    foreach($_FILES['files']['tmp_name'] as $key => $tmp_name ){
        $file_name = $key.$_FILES['files']['name'][$key];
        $file_size =$_FILES['files']['size'][$key];
        $file_tmp =$_FILES['files']['tmp_name'][$key];
        $file_type=$_FILES['files']['type'][$key];      // client-supplied value, not verified
        // $user_id is expected to be set earlier in the script
        $query="INSERT into upload_data (`USER_ID`,`FILE_NAME`,`FILE_SIZE`,`FILE_TYPE`) VALUES('$user_id','$file_name','$file_size','$file_type'); ";
        $desired_dir="uploads";
        if(empty($errors)==true){
            if(is_dir($desired_dir)==false){
                mkdir("$desired_dir", 0700);        // Create directory if it does not exist
            }

            if(file_exists("$desired_dir/".$file_name)==false){
                move_uploaded_file($file_tmp,"$desired_dir/".$file_name);
            }else{                                  // rename the file if another one exists
                $new_dir="$desired_dir/".$file_name.time();
                move_uploaded_file($file_tmp,$new_dir);
            }
            mysql_query($query);
        }else{
                print_r($errors);
        }
    }
    if(empty($errors)){
        echo "Successfully uploaded";
    }
}
?>
From:

Full upload code:

upload.php

<?php

header('Content-Type: text/plain; charset=utf-8');

try {

    // Undefined | Multiple Files | $_FILES Corruption Attack
    // If this request falls under any of them, treat it invalid.
    if (
        !isset($_FILES['upfile']['error']) ||
        is_array($_FILES['upfile']['error'])
    ) {
        throw new RuntimeException('Invalid parameters.');
    }

    // Check $_FILES['upfile']['error'] value.
    switch ($_FILES['upfile']['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_NO_FILE:
            throw new RuntimeException('No file sent.');
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('Exceeded filesize limit.');
        default:
            throw new RuntimeException('Unknown errors.');
    }

    // You should also check filesize here.
    if ($_FILES['upfile']['size'] > 1000000) {
        throw new RuntimeException('Exceeded filesize limit.');
    }

    // DO NOT TRUST $_FILES['upfile']['type'] VALUE !! It is sent by the client.
    // Check MIME Type by yourself.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if (false === $ext = array_search(
        $finfo->file($_FILES['upfile']['tmp_name']),
        array(
            'jpg' => 'image/jpeg',
            'png' => 'image/png',
            'gif' => 'image/gif',
        ),
        true
    )) {
        throw new RuntimeException('Invalid file format.');
    }

    // You should name it uniquely.
    // DO NOT USE $_FILES['upfile']['name'] WITHOUT ANY VALIDATION !!
    // On this example, obtain safe unique name from its binary data.
    if (!move_uploaded_file(
        $_FILES['upfile']['tmp_name'],
        sprintf('./uploads/%s.%s',
            sha1_file($_FILES['upfile']['tmp_name']),
            $ext
        )
    )) {
        throw new RuntimeException('Failed to move uploaded file.');
    }

    echo 'File is uploaded successfully.';

} catch (RuntimeException $e) {

    echo $e->getMessage();

}

?>


upload.html

<form action="upload.php" method="post" enctype="multipart/form-data">
    Select image to upload:
    <input type="file" name="upfile" id="fileToUpload">
    <input type="submit" value="Upload Image" name="submit">
</form>

Notes

1- The mysql.* extension was deprecated a long time ago, use mysqli or PDO

2- Windows users must uncomment extension=php_fileinfo.dll in php.ini to enable the fileinfo extension. From (credit to Jigar)

3- Make sure a writable folder named uploads exists in the same directory as the php file. To get the file extension, just use pathinfo():

<?php

$extensions = array("docx","pdf","png");

// Simulated upload name so the snippet runs outside a request;
// in a real handler this value comes from the browser.
$_FILES["file"]["name"] = "file_name.png";

$ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);

if(in_array($ext,$extensions))
{
    echo $ext." accepted extension";
}
else
{
    echo $ext." this file extension not accepted";
}

?>

Note:

Warning: the mysql_query, mysql_fetch_array, mysql_connect etc. extension was deprecated in PHP 5.5.0 and removed in PHP 7.0.0. Use the MySQLi or PDO_MySQL extension instead.
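The answer's note 3 shows the extension whitelist on its own, and the upload.php above shows the finfo content check on its own. The script below, added here as an example and not code from the question or the answer, combines the two (lower-cased extension from pathinfo(), then finfo must report the MIME type expected for that extension), stores the file under a server-generated name, and records it with a PDO prepared statement instead of the string-built INSERT in the question. The table and column names come from the question; the function names, the allowed-type map, the in-memory SQLite database and the constructed sample files are assumptions made for this example.

```php
<?php
// Added example (not from the question or the answer): whitelist the extension,
// confirm the content with finfo, store under a server-generated name, and record
// the upload with a prepared statement. Table/column names follow the question;
// everything else (function names, the sqlite test database) is assumed.

declare(strict_types=1);

// Extension => the single MIME type libmagic must report for it.
// docx is left out on purpose: libmagic versions disagree (application/zip vs. the OOXML type).
const ALLOWED_TYPES = [
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

/**
 * Returns the canonical extension if the upload passes both checks, otherwise throws.
 * $clientName is the browser-supplied name; $tmpPath is the file on disk
 * ($_FILES[...]['tmp_name'] in a real handler).
 */
function validateUpload(string $clientName, string $tmpPath): string
{
    // pathinfo() takes the text after the LAST dot, so "a.txt.png" yields "png";
    // that is why the content check below is not optional.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException("Extension not allowed: '$ext'");
    }

    // Never trust $_FILES[...]['type']; it is sent by the client. Sniff the bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("Content ($mime) does not match .$ext");
    }
    return $ext;
}

/** Server-chosen destination: random name + validated extension, never the client name. */
function storedPath(string $dir, string $ext): string
{
    return $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Record the upload with a prepared statement instead of string-built SQL. */
function recordUpload(PDO $pdo, int $userId, string $fileName, int $size, string $mime): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO upload_data (USER_ID, FILE_NAME, FILE_SIZE, FILE_TYPE) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$userId, $fileName, $size, $mime]);
}

// ---- self-contained demo with constructed inputs ----
$tmpDir = sys_get_temp_dir();

// Constructed input 1: a real 1x1 PNG (standard base64 sample), named with an upper-case extension.
$png    = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$pngTmp = tempnam($tmpDir, 'up');
file_put_contents($pngTmp, $png);

// Constructed input 2: plain text that merely carries a .png name.
$txtTmp = tempnam($tmpDir, 'up');
file_put_contents($txtTmp, "just some text\n");

$pdo = new PDO('sqlite::memory:');                 // in-memory stand-in for the MySQL table
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE upload_data (USER_ID INT, FILE_NAME TEXT, FILE_SIZE INT, FILE_TYPE TEXT)');

$cases = [
    ['photo.PNG', $pngTmp],      // accepted: extension and bytes agree
    ['notes.txt.png', $txtTmp],  // rejected: bytes are text, not image/png
    ['report.exe', $pngTmp],     // rejected: extension not on the list
];
foreach ($cases as [$clientName, $tmp]) {
    try {
        $ext  = validateUpload($clientName, $tmp);
        $dest = storedPath('uploads', $ext);
        // In the HTTP handler this is where move_uploaded_file($_FILES['upfile']['tmp_name'], $dest) goes.
        recordUpload($pdo, 42, basename($dest), filesize($tmp), ALLOWED_TYPES[$ext]);
        echo "$clientName -> stored as $dest\n";
    } catch (RuntimeException $e) {
        echo "$clientName -> rejected: {$e->getMessage()}\n";
    }
}
echo 'rows recorded: ' . $pdo->query('SELECT COUNT(*) FROM upload_data')->fetchColumn() . "\n";
unlink($pngTmp);
unlink($txtTmp);
```

Run it from the command line with the fileinfo and pdo_sqlite extensions enabled; only the first case is stored and recorded. The stored name never includes the client-supplied name, so a colliding or oddly named upload cannot overwrite or rename anything, and the prepared statement keeps the file name and MIME string out of the SQL text.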


Wow! 17 minutes have passed and I haven't seen any warning to the OP not to use the mysql.* functions, they are deprecated.

Note: Windows users must include the bundled php_fileinfo.dll file in php.ini to enable the fileinfo extension.

@PedroLobito, your full script shows an error = "Invalid parameters". It always shows this error and does not store the file to the server

@PedroLobito can you help, this script keeps showing "Invalid parameters" on page load and does not store the file to the server

@dbOn change your form to:

<form action="upload.php" method="post" enctype="multipart/form-data">
    Select image to upload:
    <input type="file" name="upfile" id="fileToUpload">
    <input type="submit" value="Upload Image" name="submit">
</form>

You should never rely on the file extension alone to check the file type, since it is easily spoofed; you should check the MIME type.

Thanks for the info. I'll delete this answer @PedroLobito