我有以下代码将文件上传到服务器。出于某些奇怪的原因,它在IE和Mozilla Firefox中不起作用,但在Chrome中运行完美。有什么问题?
PHP:
// Check post_max_size (http://us3.php.net/manual/en/features.file-upload.php#73762)
$POST_MAX_SIZE = ini_get('post_max_size');
$unit = strtoupper(substr($POST_MAX_SIZE, -1));
$multiplier = ($unit == 'M' ? 1048576 : ($unit == 'K' ? 1024 : ($unit == 'G' ? 1073741824 : 1)));
if ((int)$_SERVER['CONTENT_LENGTH'] > $multiplier*(int)$POST_MAX_SIZE && $POST_MAX_SIZE)
HandleError('File exceeded maximum allowed size. Your file size <b>MUST NOT</b> be more than 100kb.');
// Settings
$save_path = 'uploads/'; //getcwd() . '/uploads/';The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)
$upload_name = 'userfile'; // change this accordingly
$max_file_size_in_bytes = 102400; // 100k in bytes
$whitelist = array('jpg', 'png', 'gif', 'jpeg'); // Allowed file extensions
$blacklist = array('php', 'php3', 'php4', 'phtml','exe','txt','scr','cgi','pl','shtml'); // Restrict file extensions
$valid_chars_regex = 'A-Za-z0-9_-\s ';// Characters allowed in the file name (in a Regular Expression format)
// Other variables
$MAX_FILENAME_LENGTH = 260;
$file_name = $_FILES[$upload_name]['name'];
//echo "testing-".$file_name."<br>";
//$file_name = strtolower($file_name);
////////$file_extension = end(explode('.', $file_name));
$parts = explode('.', $file_name);
$file_extension = end($parts);
$uploadErrors = array(
0=>'There is no error, the file uploaded with success',
1=>'The uploaded file exceeds the upload max filesize allowed.',
2=>'The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form',
3=>'The uploaded file was only partially uploaded',
4=>'No file was uploaded',
6=>'Missing a temporary folder'
);
// Validate the upload
if (!isset($_FILES[$upload_name]))
**HandleError('No upload found for ' . $upload_name);**//THROWS UP ERROR HERE in IE and Firefox
else if (isset($_FILES[$upload_name]['error']) && $_FILES[$upload_name]['error'] != 0)
HandleError($uploadErrors[$_FILES[$upload_name]['error']]);
else if (!isset($_FILES[$upload_name]['tmp_name']) || !@is_uploaded_file($_FILES[$upload_name]['tmp_name']))
HandleError('Upload failed.');
else if (!isset($_FILES[$upload_name]['name']))
HandleError('File has no name.');
HTML:
<form name="upload" action="/upload" method="POST" ENCTYPE="multipart/formdata">
<table border="0" cellpadding="3" cellspacing="3" class="forms">
<tr>
<tr>
<td style="height: 26px" align="center">
<font class="font_upload_picture">'.MSG142.': <input class="font_upload_picture" type="file" name="userfile">
<input type=hidden name=MAX_FILE_SIZE value=102400 />
</td>
</tr>
<tr>
<td colspan="2">
<p align="center">
<input type="image" name="upload" value="upload" src="/img/layout/btnupload.gif" border="0" />
</p>
<p> </p>
<td><a href="/picturecamerasettings"><img src="/img/layout/takepicture.gif" border="0" /><br> '.MSG143.'</a></td>
</tr>
</table>
</form>
答案 0 :(得分:5)
表单的enctype应为multipart/form-data
答案 1 :(得分:0)
你的html中有错误。您错过了tr和td代码的结束标记。另外,请关闭文件上传输入标记/>。
答案 2 :(得分:0)
你的一些逻辑是关闭的:
if (!isset($_FILES[$upload_name]))
将永远通过。对于表单中的每个<input type="file">,无论文件是否实际上传,都会有匹配的$_FILES条目。如果没有上传文件,那么您将收到错误代码4。
else if (isset($_FILES[$upload_name]['error']) && $_FILES[$upload_name]['error'] != 0)
您不必检查是否设置了错误参数。只要$upload_name中包含有效的文件字段名称,error部分就会在那里。不过,您可以查看$_FILES[$upload_name]。万一你的变量设置错误。
您已对此进行了评论,但您通过检查用户提供的文件名来检查有效的上传类型。请记住,$ _FILES中的['type']和['name']参数是用户提供的,可以被破坏。没有任何说明恶意用户无法将bad_virus.exe重命名为cute_puppies.jpg并完成“验证”检查。始终使用Fileinfo之类的内容确定服务器上的MIME类型。检查文件的实际内容,而不仅仅是文件名。
因此,您的上传验证应如下所示:
if (isset($_FILES[$upload_name]) && ($_FILES[$upload_name]['error'] === UPLOAD_ERR_OK)) {
$fi = finfo_open(FILE_INFO_MIME_TYPE);
$mime = finfo_file($fi, $_FILES[$upload_name]['tmp_name']);
if (!in_array($valid_mime_type, $mime)) {
HandleError("Invalid file type $mime");
}
etc...
} else {
HandleError($uploadErrors[$_FILES[$upload_name]['error']]);
}