upload.php的
<?php
include("connecton.php");
$_SESSION['username']="kyle";
$username = $_SESSION['username'];
if($_POST['submit'])
{
//get file attribute
$name = $_FILES['myfile']['name'];
$tmp_name = $_FILES['myfile']['tmp_name'];
if($name)
{
//start upload process
$location = "avatars/$name";
move_uploaded_file($tmp_name,$location);
$query = mysql_query("UPDATE users SET imagelocation='$location' WHERE username='$username'");
die("Your avatar has been uploaded! <a href='view.php'>HOme</a>");
}
else
die("Please select a file");
}
echo "Welcome, ".$username."!<p>";
echo "Upload Your Image:
<form action='upload.php' method='POST' enctype='multipart/form-data'>
File: <input type='file' name='myfile'> <input type='submit' name='submit' value='upload!'>
</form>
";
?>
view.php
<?php
include("connecton.php");
$username = $_SESSION['username'];
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
if (mysql_num_rows($query)==0)
die ("User not found");
else
{
$row = mysql_fetch_assoc($query);
$location = $row['imagelocation'];
echo "<img src='$location' width='100' height='100'>";
}
?>
答案 0 :(得分:1)
a)您不检查上传是否成功。至少做一些事情:
if ($_FILES['myfile']['error'] === UPLOAD_ERR_OK) {
... upload went ok
}
b)您正在使用原始用户的文件名将其存储在服务器上,并且您不会清理文件名。这并不是为了防止恶意用户设置../../../../../../../../../some/critical/system/file这样的文件名,然后您的脚本会很快覆盖它。
c)您没有检查move_uploaded_file()成功:
if (!move_uploaded_file(...)) {
die("Move failed!")
}
d)您不检查数据库查询是否成功:
$stmt = mysql_query(...)
if ($stmt === FALSE) {
die("MySQL query failed: " . mysql_error());
}
e)您尚未清理$filename,因此恶意用户可以再次破坏您的查询并使用SQL注入攻击直接攻击您的数据库。
f)你正在做SELECT * FROM...来获取图片的位置。你确定你的表包含'imagelocation'行吗?您没有检查插入查询是否使用相同的行成功,所以也许你有一个拼写错误,它确实是“imglocation”。
答案 1 :(得分:0)
upload.php和view.php的第一个php语句应该是这样的:
session_start();