如何安全地将图像上传到服务器?

时间:2012-12-25 20:58:50

标签: php html mysql database

这是我的简单HTML代码......

<html>
    <body>
        <form action="photo.php" method="post" enctype="multipart/form-data">
            <label for="file">Filename:</label>
            <input type="file" name="file" id="file"><br>
            <input type="submit" name="submit" value="Submit">
        </form>
    </body>
</html> 

这是我将照片上传到服务器的PHP代码....任何人都可以告诉我如何将此代码连接到服务器并将图像路径保存在目录中并将图像信息插入数据库....我读到,将图像直接插入数据库并不好,你应该保存图像路径并将图像信息插入数据库......我现在正在使用本地主机......请帮帮我

<?php
    #check for session
    if (isset($_POST['PHPSESSID']))
        session_id($_POST['PHPSESSID']);
    else if (isset($_GET['PHPSESSID']))
        session_id($_GET['PHPSESSID']);
    else
    {
        HandleError('No Session was found.');
    }

    session_start();
    // Check post_max_size (http://us3.php.net/manual/en/features.file-upload.php#73762)
    $POST_MAX_SIZE = ini_get('post_max_size');
    $unit = strtoupper(substr($POST_MAX_SIZE, -1));
    $multiplier = ($unit == 'M' ? 1048576 : ($unit == 'K' ? 1024 : ($unit == 'G' ? 1073741824 : 1)));

    if ((int)$_SERVER['CONTENT_LENGTH'] > $multiplier*(int)$POST_MAX_SIZE && $POST_MAX_SIZE)
        HandleError('POST exceeded maximum allowed size.');

    // Settings
    $save_path = getcwd() . '/uploads/';  // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
    $upload_name = 'Filedata';  // change this accordingly
    $max_file_size_in_bytes = 2097152;  // 2MB in bytes
    $whitelist = array('jpg', 'png', 'gif', 'jpeg'); // Allowed file extensions
    $backlist = array('php', 'php3', 'php4', 'phtml','exe'); // Restrict file extensions
    $valid_chars_regex = 'A-Za-z0-9_-\s '; // Characters allowed in the file name (in a Regular Expression format)

    // Other variables     
    $MAX_FILENAME_LENGTH = 260;
    $file_name = '';
    $file_extension = '';
    $uploadErrors = array(
        0=>'There is no error, the file uploaded with success',
        1=>'The uploaded file exceeds the upload_max_filesize directive in php.ini',
        2=>'The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form',
        3=>'The uploaded file was only partially uploaded',
        4=>'No file was uploaded',
        6=>'Missing a temporary folder'
    );

    // Validate the upload
    if (!isset($_FILES[$upload_name]))
        HandleError('No upload found in \$_FILES for ' . $upload_name);
    else if (isset($_FILES[$upload_name]['error']) && $_FILES[$upload_name]['error'] != 0)
        HandleError($uploadErrors[$_FILES[$upload_name]['error']]);
    else if (!isset($_FILES[$upload_name]['tmp_name']) || !@is_uploaded_file($_FILES[$upload_name]['tmp_name']))
        HandleError('Upload failed is_uploaded_file test.');
    else if (!isset($_FILES[$upload_name]['name']))
        HandleError('File has no name.');

    // Validate the file size (Warning: the largest files supported by this code is 2MB)
    $file_size = @filesize($_FILES[$upload_name]['tmp_name']);
    if (!$file_size || $file_size > $max_file_size_in_bytes)
        HandleError('File exceeds the maximum allowed size');

    if ($file_size &amp;lt;= 0)
        HandleError('File size outside allowed lower bound'); // Validate its a MIME Images (Take note that not all MIME is the same across different browser, especially when its zip file)
    if(!eregi('image/', $_FILES[$upload_name]['type']))
        HandleError('Please upload a valid file!'); // Validate that it is an image

    $imageinfo = getimagesize($_FILES[$upload_name]['tmp_name']);
    if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/png' && isset($imageinfo))
        HandleError('Sorry, we only accept GIF and JPEG images');

    // Validate file name (for our purposes we'll just remove invalid characters)
    $file_name = preg_replace('/[^'.$valid_chars_regex.']|\.+$/i', '', strtolower(basename($_FILES[$upload_name]['name'])));
    if (strlen($file_name) == 0 || strlen($file_name) > $MAX_FILENAME_LENGTH)
        HandleError('Invalid file name');

    // Validate that we won't over-write an existing file
    if (file_exists($save_path . $file_name))
        HandleError('File with this name already exists');

    // Validate file extension
    if(!in_array(end(explode('.', $file_name)), $whitelist))
        HandleError('Invalid file extension');
    if(in_array(end(explode('.', $file_name)), $backlist))
        HandleError('Invalid file extension');

    // Rename the file to be saved 
    $file_name = md5($file_name. time());

    // Verify! Upload the file
    if (!@move_uploaded_file($_FILES[$upload_name]['tmp_name'], $save_path.$file_name)) 
        HandleError('File could not be saved.');

    exit(0);

    /* Handles the error output. */
    function HandleError($message) {
        echo $message;
        exit(0);
    }

?>

这是我连接并插入MySQL数据库的PHP代码

<?php
    $con = mysql_connect("localhost","root","");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }

    mysql_select_db("simple_login", $con);

    mysql_query("INSERT INTO Photo (Photo)
    VALUES ('file')");

    mysql_close($con);
?> 

1 个答案:

答案 0 :(得分:2)

$file_name = md5($file_name. time()); - 你MD5文件名,这意味着你也在散列文件扩展名。

你应该这样做:

$extention = end(explode('.', $file_name));

$file_name = md5($file_name. time()).$extention;

保存文件路径:

你可以这样做:

$file_name_2 = getcwd().'/uploads/'.$file_name

mysql_query("INSERT INTO Photo (Photo) VALUES ('$file_name_2')");