我有一个有效的上传文件脚本,现在我希望通过限制文件扩展名使脚本安全,我不知道该怎么做
<?php
$extensions = array("docx","pdf","png");
if(isset($_FILES['files'])){
$errors= array();
foreach($_FILES['files']['tmp_name'] as $key => $tmp_name ){
$file_name = $key.$_FILES['files']['name'][$key];
$file_size =$_FILES['files']['size'][$key];
$file_tmp =$_FILES['files']['tmp_name'][$key];
$file_type=$_FILES['files']['type'][$key];
$query="INSERT into upload_data (`USER_ID`,`FILE_NAME`,`FILE_SIZE`,`FILE_TYPE`) VALUES('$user_id','$file_name','$file_size','$file_type'); ";
$desired_dir="uploads";
if(empty($errors)==true){
if(is_dir($desired_dir)==false){
mkdir("$desired_dir", 0700); // Create directory if it does not exist
}
if(is_dir("$desired_dir/".$file_name)==false){
move_uploaded_file($file_tmp,"user_data/".$file_name);
}else{ //rename the file if another one exist
$new_dir="user_data/".$file_name.time();
rename($file_tmp,$new_dir) ;
}
mysql_query($query);
}else{
print_r($errors);
}
}
if(empty($error)){
echo "Successfully uploaded";
}
}
?>
以下是我正在使用的表单提交方法
<form action="" method="POST" enctype="multipart/form-data">
<input type="file" name="files[]" multiple="" class="btn btn-inverse btn-icon input-block-level" />
<input type="submit" class="save btn btn2" style="padding: 0px; margin: 10px; "/>
</form>
答案 0 :(得分:1)
来自php.net | Handling file uploads:
// DO NOT TRUST $_FILES['upfile']['mime'] VALUE !!
// Check MIME Type by yourself.
$finfo = new finfo(FILEINFO_MIME_TYPE);
if (false === $ext = array_search(
$finfo->file($_FILES['upfile']['tmp_name']),
array(
'jpg' => 'image/jpeg',
'png' => 'image/png',
'gif' => 'image/gif',
),
true
)) {
throw new RuntimeException('Invalid file format.');
}
完整的上传代码:
<强> upload.php的
<?php
header('Content-Type: text/plain; charset=utf-8');
try {
// Undefined | Multiple Files | $_FILES Corruption Attack
// If this request falls under any of them, treat it invalid.
if (
!isset($_FILES['upfile']['error']) ||
is_array($_FILES['upfile']['error'])
) {
throw new RuntimeException('Invalid parameters.');
}
// Check $_FILES['upfile']['error'] value.
switch ($_FILES['upfile']['error']) {
case UPLOAD_ERR_OK:
break;
case UPLOAD_ERR_NO_FILE:
throw new RuntimeException('No file sent.');
case UPLOAD_ERR_INI_SIZE:
case UPLOAD_ERR_FORM_SIZE:
throw new RuntimeException('Exceeded filesize limit.');
default:
throw new RuntimeException('Unknown errors.');
}
// You should also check filesize here.
if ($_FILES['upfile']['size'] > 1000000) {
throw new RuntimeException('Exceeded filesize limit.');
}
// DO NOT TRUST $_FILES['upfile']['mime'] VALUE !!
// Check MIME Type by yourself.
$finfo = new finfo(FILEINFO_MIME_TYPE);
if (false === $ext = array_search(
$finfo->file($_FILES['upfile']['tmp_name']),
array(
'jpg' => 'image/jpeg',
'png' => 'image/png',
'gif' => 'image/gif',
),
true
)) {
throw new RuntimeException('Invalid file format.');
}
// You should name it uniquely.
// DO NOT USE $_FILES['upfile']['name'] WITHOUT ANY VALIDATION !!
// On this example, obtain safe unique name from its binary data.
if (!move_uploaded_file(
$_FILES['upfile']['tmp_name'],
sprintf('./uploads/%s.%s',
sha1_file($_FILES['upfile']['tmp_name']),
$ext
)
)) {
throw new RuntimeException('Failed to move uploaded file.');
}
echo 'File is uploaded successfully.';
} catch (RuntimeException $e) {
echo $e->getMessage();
}
?>
<强> upload.html
<form action="upload.php" method="post" enctype="multipart/form-data">
Select image to upload:
<input type="file" name="upfile" id="fileToUpload">
<input type="submit" value="Upload Image" name="submit">
</form>
备注:
1 - mysql_*扩展程序很久以前已被弃用,使用mysqli或PDO prepared statements
2 - Windows位用户必须在extension=php_fileinfo.dll中取消注释php.ini才能启用Fileinfo扩展。来自docs
(kudos @Jigar)
3 - 确保与uploads在同一目录中存在名为php的可写文件夹。
答案 1 :(得分:0)
只需使用pathinfo()即可获得file extension
<?php
$extensions = array("docx","pdf","png");
$_FILES["file"]["name"] ="file_name.png";
$ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);;
if(in_array($ext,$extensions))
{
echo $ext." accepted extenstion";
}
else
{
echo $ext." this file extenstion not accepted";
}
?>
注意:
警告mysql_query,mysql_fetch_array,mysql_connect等..扩展在PHP 5.5.0中已弃用,并且已在PHP 7.0.0中删除。 相反,应该使用MySQLi或PDO_MySQL扩展。