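PHP: Image uploader error

Time: 2011-11-19 11:56:24

Tags: php image-uploading

I am making an image uploader, but I get the error: Only JPG, JPEG and PNG are allowed image types.

The uploader isn't getting the correct extension. What am I doing wrong? The function that gets the extension is on line 33, and line 59 is where I try to get the extension.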

<?php session_start(); if ($_SESSION['username']) {} else { header("location:index.php"); exit(); } ?>

<?php

include 'db_connect.php';
$uploadSubmit = mysql_real_escape_string($_POST['imageSubmit']);

if ($uploadSubmit)
{
if ($_FILES['image'])
{
    $contents = file_get_contents($_FILES['image']['tmp_name']);

    if (stristr($contents, "<?php") || stristr($contents, "system(") || stristr($contents, "exec(") ||
    stristr($contents, "mysql") || stristr($contents, "include(") || stristr($contents, "require(") ||
    stristr($contents, "include_once(") || stristr($contents, "require_once(") || stristr($contents, "echo'") || stristr($contents, 'echo"'))
    {
        echo 'Are you really trying to hack this site? Enjoy your upload b&.';
        $sql = "INSERT INTO banned (ip) VALUES ('".$_SERVER['REMOTE_ADDR']."')";
        $result = mysql_query($sql) or trigger_error(mysql_error()."".$sql);
        die();
    }
}

else
{
    $sql = "SELECT * FROM banned WHERE ip='".$_SERVER['REMOTE_ADDR']."'";
    $result = mysql_query($sql) or trigger_error(mysql_error()."".$sql);
    $num_rows = mysql_fetch_row($result);

    if ($num_rows[0] == 0)
    {
        function getExtension($str)
        {
            $i = strrpos($str,".");

            if (!$i)
            {
                return "";
            }

            $I = strlen($str) - $i;
            $ext = substr($str,$i+1,$I);
            return $ext;
        }

        define ("MAX_SIZE","5000");
        $error = 0;
        $file = $_FILES['image']['name'];

        if ($file = '')
        {
            echo 'You didn\'t select an image to upload.';
            $error = 1;
        }

        else
        {
            $filename = stripslashes($file);
            $extension = getExtension($filename);
            $extension = strtolower($extension);

            if (($extension != "jpg") && ($extension != "jpeg") && ($extension != "png"))
            {
                echo 'Only JPG, JPEG and PNG are allowed image types.';
                $error = 1;
            }

            else
            {
                $size = filesize($_FILES['image']['tmp_name']);

                if ($size > MAX_SIZE*1024)
                {
                    echo 'The max allowed filesize is 5MB.';
                    $error = 1;
                }

                $time = time();
                $newImageName = 'wally-'.$time.'.'.$extension.'';
                $imageFullPath = 'images/'.$newImageName.'';

                if (!$errors)
                {
                    if (!move_uploaded_file($_FILES['image']['tmp_name'], $imageFullPath))
                    {
                        $error = 1;
                    }
                }

                if ($uploadSubmit && !$error)
                {
                    include 'class.imageResizer.php';
                    $work = new ImgResizer($imageFullPath);
                    $work -> resize(125, "thumbs/".$newImageName."");

                    $uploader = $_SESSION['username'];
                    $sql = "INSERT INTO images (image, uploader, validated) VALUES ('$newImageName','$uploader','0')";
                    $result = mysql_query($sql) or trigger_error(mysql_error()."".$sql);

                    echo 'Your image has been uploaded and awaiting validation.';
                    echo 'The page will redirect in 2 seconds.';
                    echo '<meta http-equiv="Refresh" content="2;url=http://www.wallpapers.puffys.net">';

                }
            }
        }
    }

    else
    {
        die("You are banned from uploading.");
    }
}
}

?>

2 answers:

Answer 0: (score: 0)

Try using the following:

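$allowedExtensions = array("jpg","jpeg","png");
// end() takes its argument by reference, so pass a variable rather than the result of explode()
$parts = explode(".",strtolower($file));
if (!in_array(end($parts),$allowedExtensions)) {
   echo 'Only JPG, JPEG and PNG are allowed image types.';
   $error = 1;
}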

Answer 1: (score: 0)

$i = strrpos($str,".");

if (!$i)

is not a good way to test whether the strrpos function returned a positive value.

You should use the === operator, like this:

$i = strrpos($str,".");

if ($i === false)
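
An added example, not code from the question or from either answer: an upload check that combines the extension allowlist from answer 0 with the strict `=== false` test from answer 1, compares the filename with `===` where the question's `if ($file = '')` assigns, and confirms the file starts with the bytes its extension implies. The function names, the signature table and the sample inputs are assumptions made for illustration, and the code needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the original page. All names are hypothetical.

// strrpos() returns int 0 when the dot is the first character, so only a
// strict === false means "no dot in the name".
function uploadExtension(string $name): string
{
    $pos = strrpos($name, '.');
    return $pos === false ? '' : strtolower(substr($name, $pos + 1));
}

// Allowlist: extension => bytes a file of that type must start with.
const IMAGE_SIGNATURES = [
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'png'  => "\x89PNG\r\n\x1A\n",
];

// Returns '' when the upload passes, otherwise the reason for rejecting it.
function checkImageUpload(string $name, string $contents, int $maxBytes = 5000 * 1024): string
{
    if ($name === '') {                       // comparison, not assignment
        return 'no file selected';
    }
    $ext = uploadExtension($name);
    if (!array_key_exists($ext, IMAGE_SIGNATURES)) {
        return 'extension not allowed';
    }
    if (strlen($contents) > $maxBytes) {
        return 'file too large';
    }
    $sig = IMAGE_SIGNATURES[$ext];
    if (strncmp($contents, $sig, strlen($sig)) !== 0) {
        return 'contents do not match extension';
    }
    return '';
}

// Constructed sample inputs: [client filename, file contents].
$samples = [
    ['photo.PNG',     "\x89PNG\r\n\x1A\n" . 'rest of file'],
    ['.png',          "\x89PNG\r\n\x1A\n"],   // dot at offset 0
    ['notes',         'plain text'],
    ['shell.php.jpg', '<?php echo 1;'],
    ['',              ''],
];
foreach ($samples as [$name, $data]) {
    $reason = checkImageUpload($name, $data);
    printf("%-16s %s\n", var_export($name, true), $reason === '' ? 'accepted' : "rejected: $reason");
}
```

A matching signature only shows how a file begins, so storing the upload under a server-generated name, as the question's code does, remains worth keeping.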