Question

我正在尽力消毒＆amp;上传一个文件。我在下面有以下内容，它会上传文件并更改扩展名;它也在前端正确显示。

if(isset($_POST['banner_one_submit'])) {

$profile_id = $userLoggedIn;

$target_dir = "assets/images/banner_pics/";
$file_name = $profile_id.md5(time()).basename($_FILES["banner_708"]["name"]);

$target_file = $target_dir . $file_name;
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));

// Real image or fake 
if($uploadOk) {
    $check = getimagesize($_FILES["banner_708"]["tmp_name"]);
    if($check !== false) {
        $uploadOk = 1;
    } else {
        $uploadOk = 0;
        $banner_708_msg = "<div class='alert alert-danger'>Failure.  This is not an image.</div>";
    }
}

// Check if file exists
if (file_exists($target_file)) {
    $uploadOk = 0;
    $banner_708_msg = "<div class='alert alert-danger'>Sorry, this file already exists.</div>";
}

// Check file size
if ($_FILES["banner_708"]["size"] > 500000) {
    $banner_708_msg = "<div class='alert alert-danger'>Sorry, your file is too large.</div>";
    $uploadOk = 0;
}

// Check file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    $uploadOk = 0;
    $banner_708_msg = "<div class='alert alert-danger'>Sorry, only JPG, JPEG, PNG & GIF files are allowed.</div>"; 
}

// Check $uploadOk 
if ($uploadOk == 0) {
    $banner_708_msg = "<div class='alert alert-danger'>Sorry, your file was not uploaded.</div>";
// if ok, upload file
} else {
    if (move_uploaded_file($_FILES["banner_708"]["tmp_name"], $target_file)) {
        $banner_708_msg = "<div class='alert alert-success'>File has been uploaded</div>";
    } else {
        $banner_708_msg = "<div class='alert alert-danger'>Sorry, something went wrong, try again.</div>";
    }
}
    $banner_708_msg = "<div class='alert alert-success'>Image has been uploaded</div>";

    $insert_pic_query = mysqli_query($con, "UPDATE users SET banner_pic='$target_file' WHERE username='$userLoggedIn'");
    header("Location: settings.php");

}
else{
$banner_708_msg = "";
}

然而，我有两个问题。

1）$banner_708_msg中未显示settings.php。我有一个模态的文件输入，以及表单处理程序中的上述代码。在settings.php我只有echo $banner_708_msg;。当页面加载消息时，最后$banner_708_msg = "";正在工作b / c。我只是无法发现为什么没有显示任何前面的声明。为什么这个逻辑不显示$banner_708_msg？

2）我担心我没有做足够的消毒和确保保护。关于我可能在处理程序中更改/添加的内容是否有任何建议？

任何帮助将不胜感激。

这是html表单。

        <div class="modal-container" id="change-banner-1" style="display: none;">
        <form action="settings.php" method="POST" enctype="multipart/form-data">
            <div class="modal-wrap">
                <div class="modal-close close-btn-modal">
                    <i class="fas fa-times"></i>
                </div>
                <div class="modal-header">
                    <h4>Banner Pic 1 - Select an Image</h4>
                </div>
                <div class="modal-section">
                    <p class="semibold">
                        Upload Image:  
                    </p>
                    <div class="mt15 mb10">
                        <input type="file" name="banner_708">
                    </div>

                </div>
                <div class="modal-buttons">
                    <button class="button auto-btn cancel close-btn-modal">Cancel</button>
                    <button class="button auto-btn blue-btn2" name="banner_one_submit">OK</button>
                </div>
            </div>
        </form>
    </div>

在PHP中清理图像上传和显示相应的消息

0 个答案: