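PHP file type validation

Time: 2012-01-05 23:01:48

Tags: php arrays file-upload mime-types

I wrote the PHP function below to upload a file, but I am having trouble using an array of allowed file types. If I assign only one file type, i.e. image/png, it works fine. If I specify more than one, it does not work. I am using the in_array() function to determine the allowed file types, but I can't figure out how to use it correctly.

Thanks!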

function mcSingleFileUpload($mcUpFileName, $mcAllowedFileTypes, $mcFileSizeMax){
    if(!empty($mcUpFileName)){

        $mcIsValidUpload = true;

        // upload directory
        $mcUploadDir = UPLOAD_DIRECTORY;

        // current file properties
        $mcFileName = $_FILES[$mcUpFileName]['name'];
        $mcFileType = $_FILES[$mcUpFileName]['type'];
        $mcFileSize = $_FILES[$mcUpFileName]['size'];
        $mcTempFileName = $_FILES[$mcUpFileName]['tmp_name'];
        $mcFileError = $_FILES[$mcUpFileName]['error'];

        // file size limit
        $mcFileSizeLimit = $mcFileSizeMax;

        // convert bytes to kilobytes
        $mcBytesInKb = 1024;
        $mcFileSizeKb = round($mcFileSize / $mcBytesInKb, 2);

        // create array for allowed file types
        $mcAllowedFTypes = array($mcAllowedFileTypes);

        // create unique file name
        $mcUniqueFileName = date('m-d-Y').'-'.time().'-'.$mcFileName;

        // if file error
        if($mcFileError > 0)
        {
            $mcIsValidUpload = false;
            mcResponseMessage(true, 'File error!');
        }

        // if no file error
        if($mcFileError == 0)
        {
            // check file type
            if( !in_array($mcFileType, $mcAllowedFTypes) ){
                $mcIsValidUpload = false;
                mcResponseMessage(true, 'Invalid file type!');
            }

            // check file size
            if( $mcFileSize > $mcFileSizeLimit ){
                $mcIsValidUpload = false;
                mcResponseMessage(true, 'File exceeds maximum limit of '.$mcFileSizeKb.'kB');
            }

            // move uploaded file to assigned directory
            if($mcIsValidUpload == true){
                if(move_uploaded_file($mcTempFileName, $mcUploadDir.$mcUniqueFileName)){
                    mcResponseMessage(false, 'File uploaded successfully!');
                }
                else{
                    mcResponseMessage(true, 'File could not be uploaded!');
                }
            }
        }
    }
}
//mcRequiredFile('mcFileUpSingle','please select a file to upload!');
mcSingleFileUpload('mcFileUpSingle', 'image/png,image/jpg', 2097152);

2 answers:

Answer 0: (score: 0)

Change this line:

$mcAllowedFTypes = array($mcAllowedFileTypes);

to this:

$mcAllowedFTypes = explode(',',$mcAllowedFileTypes);

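Answer 1: (score: 0)

Don't rely on the insecure file type from $_FILES; it is not safe. Get it from the file content instead.

Then define the allowed file types and check whether the uploaded file's type is in the whitelist.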

if(in_array(mime_type($file_path),$allowed_mime_types)){
    // save the file
}

$allowed_mime_types = array(
        'image/jpeg',
        'image/jpg',
        'image/png',
        'image/gif',
        'video/mp4'
);


/*
For PHP >= 5.3.0, you can use PHP's `finfo_file` ([finfo_file](https://www.php.net/manual/en/function.finfo-file.php)) function to get information about the file.

For PHP < 5.3.0, you can use your system's `file` command to get the file information.
*/
function mime_type($file_path)
{
    // Initialise so the fallback check below never reads an undefined variable
    $mime_type = null;
    if (function_exists('finfo_open')) {
        // Detect the type from the file's content
        $finfo = new finfo(FILEINFO_MIME_TYPE, null);
        $mime_type = $finfo->file($file_path);
    }
    if (!$mime_type && function_exists('passthru') && function_exists('escapeshellarg')) {
        // Fall back to the system `file` command and capture its output
        ob_start();
        passthru(sprintf('file -b --mime %s 2>/dev/null', escapeshellarg($file_path)), $return);
        $type = trim(ob_get_clean());
        // Accept the output only if the command succeeded and it looks like a MIME type
        if ($return === 0 && preg_match('#^([a-z0-9\-]+/[a-z0-9\-\.]+)#i', $type, $match)) {
            $mime_type = $match[1];
        } else {
            $mime_type = null;
        }
    }
    return $mime_type;
}
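
The following is an added example, not code from the question or from either answer: it combines the allow-list check on the sniffed content type with a server-chosen file name, so that neither `$_FILES[...]['type']` nor `$_FILES[...]['name']` decides what is stored. The function name `validate_upload()`, its return shape and the sample files are assumptions made for illustration; it assumes PHP 7.1+ with the fileinfo extension.

```php
<?php
// Added example; validate_upload() and its return shape are hypothetical.
function validate_upload(array $file, array $allowed, int $maxBytes): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload error'];
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return [false, 'bad size'];
    }
    // Sniff the type from the bytes; $file['type'] is sent by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        return [false, 'type not allowed: ' . var_export($mime, true)];
    }
    // Stored name = random bytes + the allow-list's extension, so nothing
    // from $file['name'] reaches the filesystem path.
    return [true, bin2hex(random_bytes(16)) . '.' . $allowed[$mime]];
}

// Allow-list maps each accepted content type to the extension we store.
$allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Constructed sample inputs: a 1x1 PNG, and a script sent with a forged type.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'hi'; ?>\n");

$cases = [
    ['name' => 'photo.png',  'type' => 'image/png', 'tmp_name' => $png,    'error' => UPLOAD_ERR_OK],
    ['name' => 'script.png', 'type' => 'image/png', 'tmp_name' => $script, 'error' => UPLOAD_ERR_OK],
];
foreach ($cases as $case) {
    [$ok, $detail] = validate_upload($case, $allowed, 2097152);
    printf("%-11s claimed=%s => %s (%s)\n",
        $case['name'], $case['type'], $ok ? 'accept' : 'reject', $detail);
}

unlink($png);
unlink($script);
```

In a real upload handler the returned name would be appended to the upload directory and passed to `move_uploaded_file()`, which also confirms that the temporary file came from an HTTP upload.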