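move_uploaded_file does not work when uploading a file whose name contains a single quote

Time: 2013-12-12 17:06:38

Tags: php

I am trying to upload images into the system using PHP. It works fine with other files, but when the image name contains a single quote, the function does not work. The code below is used to upload and resize the image using a defined class. Here is my code.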

$filename = strtolower($_FILES['file']['name']);
$filename = mysql_real_escape_string($filename);
$filename = stripslashes($filename);
$whitelist = array('jpg', 'png', 'gif', 'jpeg'); #example of white list
//$backlist = array('php', 'php3', 'php4', 'phtml','exe'); #example of black list
if (@in_array(end(explode('.', $filename)), $whitelist))
{
    $direc = $school_index;
    if (!file_exists($direc)) {

        /* wherever this particular script will be installed, I want to create a subfolder */

        /* Step 1. I need to know the absolute path to where I am now, ie where this script is running from...*/
        $thisdir = getcwd();

        /* Step 2. From this folder, I want to create a subfolder called "myfiles".  Also, I want to try and make this folder world-writable (CHMOD 0777). Tell me if success or failure... */

        if (mkdir($thisdir ."/$direc" , 0777))
        {
            $msg = "Directory has been created successfully...";
        }
        else
        {
            $msg = "Failed to create directory...";
        }

    }

    $filename = strtolower($_FILES['file']['name']);

    $file = strtolower($_FILES['file']['name']);
    $path = $direc;
    $ext = pathinfo($file, PATHINFO_EXTENSION);
    $name = pathinfo($path, PATHINFO_FILENAME);

    echo "File alredy exists .So name is changed automatically & moved";
    //$path1="$folder/";
    $leng = strlen($name);

    $name = substr($name, $leng);

    $new_name = $name.$_SESSION['candidate_photo_name'].".".$ext;
    $new_name = addslashes($new_name);
    $upload = mysql_real_escape_string($_FILES['file']['tmp_name']);
    $file_upload = move_uploaded_file($_FILES['file']['tmp_name'], $school_index."/".$new_name);
    if (!$file_upload) {
        $int = $_SESSION['candidate_id'];
        $serial = $_SESSION['candidate_serial'];
        $msg = "Sory,we are unable to upload this file due to file name to contain unrequired characters,please try again later!";

        $_SESSION["photo_entry_msg"] = $msg;

        header("location:client.php?page=upload_student_photo&student_id=$int&serial=$serial"); exit;

    }
    $filename = mysql_real_escape_string($new_name);
    $filename = $school_index."/".$filename;

    require "php/image_resize.class.php";
    $resize = new ResizeImage($filename);
    $resize->resizeTo(100, 100, 'maxHeight');
    $resize->saveImage($filename);
    //$resize->move_uploaded_file($_FILES["file"]["tmp_name"],"images/" . $_FILES["file"]["name"]);

    // our sql query
    //echo $_POST['st_int'];
    $sql_update = mysql_query("UPDATE  photo_entry SET photo='{$filename}' where id='{$int}'") or die("".mysql_error());
    //$sql_select = mysql_query("SELECT teacher_name from  class_teachers where id='{$int}'");

    //

    if (!$sql_update) {
        $int = $int;
        $msg = strtoUpper('Error occured during uploading signature for '.$name);
        header("location:client.php?page=view_upload_photo&t_id=$int&e=".urlencode($msg)); exit;

    }
    elseif ($sql_update) {

        $int = $int;
        $msg = strtoUpper('Congratulation for uploading photo for '.$_SESSION['cand_name']);
        $_SESSION["photo_entry_msg"] = $msg;
        header("location:client.php?page=view_upload_photo"); exit;

    }
}

1 answer:

Answer 0: (score: 1)

The quickest way is to replace the single quote in the file name with something else, for example an underscore.
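
An added example, not part of the original question or answer, that generalizes the answer's suggestion: instead of replacing only the single quote, it derives the stored name from an allow-list of characters and extensions, and it records the path with a bound parameter so the name needs no SQL escaping. The function names `safe_upload_name` and `store_photo` and the PDO connection are assumptions; the table and column names are the ones in the question.

```php
<?php
// Added example (hypothetical helpers, not the asker's code).
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Turn a client-supplied file name into a name safe to store on disk.
// Returns null when the extension is not on the allow-list.
function safe_upload_name(string $clientName): ?string
{
    // Drop any directory part the client sent ("../", "C:\...").
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Replace quotes, spaces and anything else outside [A-Za-z0-9_-] with "_".
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($base, PATHINFO_FILENAME));
    $stem = trim($stem, '_');
    if ($stem === '') {
        $stem = 'upload'; // the name consisted only of replaced characters
    }
    return strtolower($stem) . '.' . $ext;
}

// Move the upload and record its path. $pdo is an assumed PDO connection.
function store_photo(PDO $pdo, array $file, string $dir, int $id): bool
{
    $name = safe_upload_name($file['name']);
    if ($name === null || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $dest = rtrim($dir, '/') . '/' . $name;
    // tmp_name and $dest are plain paths: no addslashes() or SQL escaping on them.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    // A bound parameter keeps the stored path out of the SQL text.
    $stmt = $pdo->prepare('UPDATE photo_entry SET photo = ? WHERE id = ?');
    return $stmt->execute([$dest, $id]);
}

// Constructed sample names, as they might arrive in $_FILES['file']['name'].
foreach (["john's photo.JPG", "../../o'neil.png", "shell.php", "'''.gif"] as $n) {
    printf("%-20s => %s\n", $n, safe_upload_name($n) ?? '(rejected)');
}
// john's photo.JPG => john_s_photo.jpg, ../../o'neil.png => o_neil.png,
// shell.php => (rejected), '''.gif => upload.gif
```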