Restricting uploads by file extension in a PHP upload script
I have a working file upload script, and now I want to make it safe by restricting the file extensions it accepts, but I don't know how to do that.
<?php
$extensions = array("docx","pdf","png"); // intended allowlist, not yet enforced anywhere below
if(isset($_FILES['files'])){
    $errors = array();
    foreach($_FILES['files']['tmp_name'] as $key => $tmp_name){
        $file_name = $key.$_FILES['files']['name'][$key];
        $file_size = $_FILES['files']['size'][$key];
        $file_tmp  = $_FILES['files']['tmp_name'][$key];
        $file_type = $_FILES['files']['type'][$key]; // sent by the client, not verified
        // values are interpolated straight into the SQL; see the notes on mysqli/PDO below
        $query = "INSERT into upload_data (`USER_ID`,`FILE_NAME`,`FILE_SIZE`,`FILE_TYPE`) VALUES('$user_id','$file_name','$file_size','$file_type'); ";
        $desired_dir = "uploads";
        if(empty($errors)){
            if(is_dir($desired_dir) == false){
                mkdir("$desired_dir", 0700); // Create directory if it does not exist
            }
            if(file_exists("$desired_dir/".$file_name) == false){
                move_uploaded_file($file_tmp, "$desired_dir/".$file_name);
            }else{ // append a timestamp if a file with that name already exists
                $new_path = "$desired_dir/".$file_name.time();
                move_uploaded_file($file_tmp, $new_path);
            }
            mysql_query($query);
        }else{
            print_r($errors);
        }
    }
    if(empty($errors)){
        echo "Successfully uploaded";
    }
}
?>
From:
Complete upload code:
upload.php
<?php
header('Content-Type: text/plain; charset=utf-8');
try {
    // Undefined | Multiple Files | $_FILES Corruption Attack
    // If this request falls under any of them, treat it invalid.
    if (
        !isset($_FILES['upfile']['error']) ||
        is_array($_FILES['upfile']['error'])
    ) {
        throw new RuntimeException('Invalid parameters.');
    }
    // Check $_FILES['upfile']['error'] value.
    switch ($_FILES['upfile']['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_NO_FILE:
            throw new RuntimeException('No file sent.');
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('Exceeded filesize limit.');
        default:
            throw new RuntimeException('Unknown errors.');
    }
    // You should also check filesize here.
    if ($_FILES['upfile']['size'] > 1000000) {
        throw new RuntimeException('Exceeded filesize limit.');
    }
    // DO NOT TRUST $_FILES['upfile']['mime'] VALUE !!
    // Check MIME Type by yourself.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if (false === $ext = array_search(
        $finfo->file($_FILES['upfile']['tmp_name']),
        array(
            'jpg' => 'image/jpeg',
            'png' => 'image/png',
            'gif' => 'image/gif',
        ),
        true
    )) {
        throw new RuntimeException('Invalid file format.');
    }
    // You should name it uniquely.
    // DO NOT USE $_FILES['upfile']['name'] WITHOUT ANY VALIDATION !!
    // On this example, obtain safe unique name from its binary data.
    if (!move_uploaded_file(
        $_FILES['upfile']['tmp_name'],
        sprintf('./uploads/%s.%s',
            sha1_file($_FILES['upfile']['tmp_name']),
            $ext
        )
    )) {
        throw new RuntimeException('Failed to move uploaded file.');
    }
    echo 'File is uploaded successfully.';
} catch (RuntimeException $e) {
    echo $e->getMessage();
}
?>
upload.html
<form action="upload.php" method="post" enctype="multipart/form-data">
Select image to upload:
<input type="file" name="upfile" id="fileToUpload">
<input type="submit" value="Upload Image" name="submit">
</form>
Notes:
1- The mysql.* extension was deprecated a long time ago; use mysqli or PDO.
2- Windows users must uncomment extension=php_fileinfo.dll in php.ini to enable the fileinfo extension. From (credit to Jigar)
3- Make sure a writable folder named uploads exists in the same directory as the php script.

Just use pathinfo() to get the file extension:
<?php
$extensions = array("docx","pdf","png");
$_FILES["file"]["name"] = "file_name.png"; // hard-coded here to simulate an uploaded file
$ext = strtolower(pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION)); // lower-case so ".PNG" matches
if(in_array($ext, $extensions, true))
{
    echo $ext." accepted extension";
}
else
{
    echo $ext." this file extension is not accepted";
}
?>
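The two answers above each cover half of the check: the pathinfo() answer restricts the extension, and the upload.php answer sniffs the content with finfo and stores the file under a name it generated itself. The following is an added example, not code from the question or from either answer, that puts both together in one validator and exercises it against constructed files (a real PNG header, and a PHP stub renamed to .png). Everything here is assumed: the allowlist, the size limit, the function names validate_upload and store_upload, and a PHP build with the fileinfo extension enabled.

```php
<?php
// Added example: extension allowlist + magic-byte check + random storage name.
// Assumed: PHP >= 7.1 with fileinfo; ALLOWED_TYPES and MAX_BYTES are illustrative.
declare(strict_types=1);

// Extension => the MIME type finfo must report for the file's actual bytes.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
];
const MAX_BYTES = 1000000;

/**
 * Validate one $_FILES entry (keys: name, tmp_name, size, error).
 * Returns the canonical extension to store the file under, or throws.
 */
function validate_upload(array $file, array $allowed = ALLOWED_TYPES, int $maxBytes = MAX_BYTES): string
{
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Invalid parameters.');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $file['error']);
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('Exceeded filesize limit.');
    }
    // 'name' is fully client-controlled: drop any directory part, refuse control
    // characters, and judge only the LAST extension, lower-cased, so that
    // "shell.php.PNG" is treated as png (and then fails the content check below).
    $name = basename(str_replace('\\', '/', (string) $file['name']));
    if ($name === '' || preg_match('/[\x00-\x1f]/', $name)) {
        throw new RuntimeException('Invalid file name.');
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, $allowed)) {
        throw new RuntimeException("Extension '$ext' is not accepted.");
    }
    // Never trust $file['type']: it is whatever the browser (or curl -F) sent.
    // Sniff the real bytes and require them to agree with the claimed extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("Content is $mime, which does not match .$ext");
    }
    return $ext;
}

/** Store a validated upload under a random name; returns the final path. */
function store_upload(array $file, string $dir): string
{
    $ext = validate_upload($file);
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException('Cannot create upload directory.');
    }
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() refuses any source that was not an HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Failed to move uploaded file.');
    }
    return $dest;
}

// --- Constructed self-check (no HTTP request involved) ----------------------
// A minimal PNG (signature + IHDR chunk) and a PHP stub, written to temp files
// and passed through validate_upload() as if they were $_FILES entries.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
    . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89");
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php system(\$_GET['c']); ?>");

$cases = [
    'honest png'       => ['name' => 'photo.PNG',     'tmp_name' => $png, 'size' => filesize($png), 'error' => UPLOAD_ERR_OK],
    'php renamed .png' => ['name' => 'shell.png',     'tmp_name' => $php, 'size' => filesize($php), 'error' => UPLOAD_ERR_OK],
    'double extension' => ['name' => 'shell.php.png', 'tmp_name' => $php, 'size' => filesize($php), 'error' => UPLOAD_ERR_OK],
    'path traversal'   => ['name' => '../../x.png',   'tmp_name' => $png, 'size' => filesize($png), 'error' => UPLOAD_ERR_OK],
    'bare php'         => ['name' => 'shell.php',     'tmp_name' => $php, 'size' => filesize($php), 'error' => UPLOAD_ERR_OK],
];
foreach ($cases as $label => $file) {
    try {
        echo "$label: accepted as ." . validate_upload($file) . "\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
unlink($png);
unlink($php);
```

Only the two PNG-backed cases pass; the PHP stub is rejected whatever it is called, because libmagic reports it as text/x-php rather than image/png. Note that the check is only as good as libmagic's knowledge of the format: keep the allowlist to types whose magic bytes are unambiguous, and still serve the uploads directory with script execution disabled, since a valid image can carry a PHP payload in its metadata.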
Note:
Warning: mysql_query, mysql_fetch_array, mysql_connect, etc. The extension was deprecated in PHP 5.5.0 and removed in PHP 7.0.0.
Instead, the MySQLi or PDO_MySQL extension should be used.
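Besides being removed, the mysql_query() call in the question interpolates the client-supplied file name straight into the INSERT, so a crafted name becomes SQL. As an added example (not code from the question or any answer), here is that INSERT as a PDO prepared statement. The table layout follows the question; the demo runs against an in-memory SQLite database so that it works offline, and the MySQL DSN in the comment is an assumption.

```php
<?php
// Added example: the OP's INSERT as a prepared statement with bound parameters.
// Assumed: table upload_data as in the question. For MySQL the DSN would look
// like 'mysql:host=localhost;dbname=app;charset=utf8mb4' plus user/password.
declare(strict_types=1);

function connect(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    $opts = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]; // no silent failures
    if (strncmp($dsn, 'mysql:', 6) === 0) {
        // Real server-side parameters instead of client-side string splicing.
        $opts[PDO::ATTR_EMULATE_PREPARES] = false;
    }
    return new PDO($dsn, $user, $pass, $opts);
}

/** Record one upload; every value travels as a bound parameter, never as SQL text. */
function record_upload(PDO $db, int $userId, string $fileName, int $size, string $type): int
{
    $stmt = $db->prepare(
        'INSERT INTO upload_data (USER_ID, FILE_NAME, FILE_SIZE, FILE_TYPE) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$userId, $fileName, $size, $type]);
    return (int) $db->lastInsertId();
}

// --- Constructed demo --------------------------------------------------------
$db = connect('sqlite::memory:');
$db->exec('CREATE TABLE upload_data (ID INTEGER PRIMARY KEY, USER_ID INT, FILE_NAME TEXT, FILE_SIZE INT, FILE_TYPE TEXT)');

// With the original string-built query this name would close the VALUES list
// and append a second statement; bound, it is just a row value.
$hostile = "x',1,'a'); DROP TABLE upload_data;--";
$id = record_upload($db, 7, $hostile, 512, 'image/png');

$row = $db->query('SELECT FILE_NAME FROM upload_data WHERE ID = ' . $id)->fetch(PDO::FETCH_ASSOC);
var_dump($row['FILE_NAME'] === $hostile); // bool(true): table intact, name stored verbatim
```

The same pattern applies to MySQLi (`$stmt = $mysqli->prepare(...); $stmt->bind_param('isis', ...)`); what matters is that the file name, size and type never touch the SQL string.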
Wow! 17 minutes have passed and I don't see any warning to the OP not to use the mysql.* functions; they have been deprecated.
Note: Windows users must include the bundled php_fileinfo.dll in php.ini to enable the fileinfo extension. From
@PedroLobito, your complete script shows an error = 'Invalid parameters'. It always shows this error and does not store the file on the server.
@PedroLobito can you help? This script keeps showing 'Invalid parameters' on page load and does not store the file on the server.
On your form, change to:
You should never rely on the file extension alone to check the file type, because it is easily spoofed; you should check the MIME type.
Thanks for the information. I will delete this answer @PedroLobito