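Checking file size and type with PHP

Time: 2016-01-15 08:44:29

Tags: php html

My task is to make a PHP file for uploading files to a directory. The user should only be able to upload a file if the file size is less than 512kb and the file type is txt, zip or jpg. My code is not working properly: it ignores the output if the file is not relevant, and it also does not check the file type correctly. Can anybody help?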

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Files</title>

</head>

<body>



<form method="POST" enctype="multipart/form-data">
<input type="file" name="dat">
<input type="submit" value="Upload">
<div>(max. size: 512kb, Type: jpg,txt,zip)</div>
</form>
<?php
if(isset($_FILES["dat"])){
    $file=$_FILES["dat"];
    $name=$file["name"];
    $size=$file["size"];
    $location=$file["tmp_name"];
    $location_file=$location . basename($name);


    if($size>512000 or $location_file!="txt" or $location_file!="zip" or $location_file!="jpg"){
        echo "The file is too big or the format is not correct...";
    }
    else{
        move_uploaded_file($location,"files/".$name);
    }
}

?>
</body>

</html>

3 answers:

Answer 0 (score: 1)

On the HTML side:

<input type="file" name="dat" accept=".txt, .zip, .jpg">

On the server side:

<?php

// explode() into a variable first: array_pop() takes its argument by reference
$parts = explode(".", $_FILES["dat"]["name"]);
$extension = array_pop($parts); // return file extension

if(in_array($extension, array("zip", "txt", "jpg"))) // check if extension is valid
{
   if($_FILES['dat']['size'] > 512*1024) // check file size is above limit
   {
       echo "File size above limit";
   }
   else
   {
       move_uploaded_file($_FILES['dat']['tmp_name'],"files/".$_FILES['dat']['name']); // moving uploaded file
   }
}
else
{
  echo "Invalid file type";
}

Answer 1 (score: 0)

For the format, you need to take the extension from the file name, like this:

$explode = explode(".", $name);
$extension = $explode[sizeof($explode)-1]; //return "txt", "zip" or whatever

if(!in_array($extension, ["zip","txt", "jpg", "jpeg"])){
    //format error: not in correct format
} else {
    //format OK
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime = finfo_file($finfo, $_FILES['dat']['tmp_name']);
    $allowed_mime_types = [
        "image/jpg",
        "image/jpeg",
        "application/zip",
        "text/plain" // finfo reports plain text as text/plain
    ];
    if(!in_array($mime, $allowed_mime_types)){
        //error format
    } else {
        //format OK

    }
}

Answer 2 (score: 0)

First, try debugging the uploaded file. Secondly, don't rely on the name of the file, since it can easily be spoofed. tmp_name gives you the file's temporary location, which will be a random string. Your best option is to call getimagesize on tmp_name for images, and finfo_open or new finfo for other file types, to compare its MIME type. You could also explode the name and use end, which will give you an extension as well. Maybe define an array of accepted extensions and use in_array to check whether the extension is valid. I will provide example code after I get to a PC.

LE: as promised, a more complex check with comments and security concepts

<?php
// you can make sure you have every variable set
// then proceed further
if( isset(
    $_FILES['dat'],
    $_FILES['dat']['tmp_name'],
    $_FILES['dat']['name'],
    $_FILES['dat']['size'],
    $_FILES['dat']['error']
) ){
    $accepted = array(
        'image/jpeg' => 'jpg',
        'text/plain' => 'txt',
        'application/zip' => 'zip',
    );
    $file = $_FILES['dat'];
    $maxSize = 512 * 1024; // 512 KB
    // check if any upload error occurred
    if( UPLOAD_ERR_OK !== $file['error'] ){
        // http://php.net/manual/en/features.file-upload.errors.php
        echo 'Upload error: ', $file['error'], '<br/>';
    // check if file size is bigger than $maxSize
    } elseif( $file['size'] > $maxSize ){
        // if filesize is bigger than upload_max_filesize directive in php.ini
        // script may timeout without any error
        // post_max_size and upload_max_filesize need to be high enough
        echo 'Error: File size is too big!<br/>';
    // can proceed further
    } else {
        // you will need to have the fileinfo enabled in php ini to use these
        $finfo = finfo_open( FILEINFO_MIME );
        $mime = finfo_file( $finfo, $file['tmp_name'] );
        // finfo may give you charset info as well
        // text/plain; charset=utf-8 or image/jpeg; charset=binary
        // (explode() result goes into a variable: array_shift() takes its argument by reference)
        $parts = explode( ';', $mime );
        $mime = array_shift( $parts );
        // change uploaded file name due to security reasons
        // google "php null char upload"
        // nice read http://resources.infosecinstitute.com/null-byte-injection-php/
        $filename = md5( time() . $file['name'] ) . '.';
        // if mime is not accepted
        if( ! array_key_exists( $mime, $accepted ) /* or use isset: ! isset( $accepted[ $mime ] ) */ ){
            echo 'Error: Unsupported file type!<br/>';
        // you could check if file is image and check min-max width & height
        // for now move the uploaded file
        } elseif( ! @move_uploaded_file( $file['tmp_name'], 'files/' . $filename . $accepted[ $mime ] ) ){
            echo 'Unable to save uploaded image to <strong>', htmlspecialchars( 'files/' . $filename . $accepted[ $mime ] ), '</strong>';
        } else {
            echo '<a href="files/', htmlspecialchars( $filename . $accepted[ $mime ] ), '" target="_blank">', htmlspecialchars( $filename . $accepted[ $mime ] ), '</a>';
        }
    }
}

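An added example (not code from the question or from any of the answers) that applies answer 2's advice to check the file's content rather than its name, and runs the check over constructed sample files so a spoofed extension can be seen being rejected. The function name validate_upload, the constants and the sample files are assumptions made for illustration; in a real handler the path would be $_FILES['dat']['tmp_name'] and the returned name would be used with move_uploaded_file.

```php
<?php
// Added example: validate an upload by its content, not by the client-supplied name.
const MAX_BYTES = 512 * 1024;                 // 512 KB limit from the question
const ACCEPTED  = [                           // detected MIME type => stored extension
    'image/jpeg'      => 'jpg',
    'text/plain'      => 'txt',
    'application/zip' => 'zip',
];

// Returns [true, generated file name] or [false, reason]. Requires the fileinfo extension.
function validate_upload(string $tmpPath, string $clientName): array
{
    $size = filesize($tmpPath);               // measured on the server, not taken from the request
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        return [false, 'empty, unreadable or larger than 512 KB'];
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!is_string($mime) || !array_key_exists($mime, ACCEPTED)) {
        return [false, 'unsupported type: ' . var_export($mime, true)];
    }
    // The client name is only compared with the detected type, never used as a path.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if ($ext !== ACCEPTED[$mime]) {
        return [false, "extension .$ext does not match detected $mime"];
    }
    // Unpredictable stored name; the extension comes from the allowlist.
    return [true, bin2hex(random_bytes(16)) . '.' . ACCEPTED[$mime]];
}

// Constructed sample inputs: [client file name, file content].
$samples = [
    ['notes.txt', "hello\n"],
    ['photo.jpg', "this is plain text, not a JPEG\n"],          // name claims jpg, content is text
    ['photo.jpg', "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xFF\xD9"],
    ['big.txt',   str_repeat('a', MAX_BYTES + 1)],              // one byte over the limit
];
foreach ($samples as [$name, $content]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $content);
    [$ok, $info] = validate_upload($tmp, $name);
    printf("%-10s %s  %s\n", $name, $ok ? 'accept' : 'reject', $info);
    unlink($tmp);
}
```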