首先,关于文件上传的一般注意事项:type
和name
密钥是不安全的。这是因为它们是由客户定义的,它们是将恶意代码注入到您的网站的潜在机制。考虑如果我将文件名设置为../../../../../index.php
,或者如果我将MIME类型设置为image/gif
,但是上传了PHP文件,会发生什么情况?
接下来,具体说明图片上传的重要提示:您不能相信客户端上传的图片数据。也可以将恶意代码嵌入看起来像图像一样的东西。您需要将像素数据从文件中复制出来并创建一个新的。这通常用GD扩展来完成。
接下来,在mkdir()
- 它有第三个参数,如果您将true
传递给第三个参数,它会递归地创建目录树,因此您不需要在单独的操作中创建每个级别。另外请注意(很多事情)mkdir()
可能会失败,如果发生这种情况,它将返回false
,你应该检查这个。
现在,为了回答这个问题,实际(和暂时忽略上述安全问题),这里是我将如何简化代码:
// Configuration
$allowedTypes = array(
"image/gif", "image/jpeg", "image/png", "image/pjpeg"
);
$baseDir = './uploads';
// Check file was uploaded successfully
if ($_FILES['image_name']['error'] > 0) {
exit('Return Code: ' . $_FILES['image_name']['error'] . '<br />');
}
// Check file type
if (!in_array($_FILES["image_name"]["type"], $allowedTypes)) {
exit('Invalid file type: ' . $_FILES['image_name']['type'] . '<br />');
}
// Check/create target directory
list($year, $month, $day) = explode('-', date('y-m-d'));
$targetDir = $baseDir . '/' . $year . '/' . $month . '/' . $day;
if (!is_dir($targetDir)) {
if (!mkdir($targetDir, 0644, true)) {
exit('Failed to create destination directory<br />');
}
}
// Store the uploaded file permanently
$targetPath = $targetDir . '/' . .$_FILES['image_name']['name'];
if (!move_uploaded_file($_FILES['image_name']['tmp_name'], $targetPath)) {
exit('Failed to move temporary file<br />');
}
不过,我不会这么做。
文件上传是一个非常普遍的任务,我使用的通用代码看起来像this。看起来很复杂不是吗?那是因为处理文件上传并不简单。然而,这种复杂性提供了一个很好的直接方式来解决上面列出的安全问题。它内置了对图像的支持,包括用干净简单的方式调整大小的选项。
让我们来看看我们如何可以在你的代码中使用它:
$baseDir = './uploads';
// Very simple autoloader for demo purposes
spl_autoload_register(function($class) {
require strtolower(basename($class)).'.php';
});
// When you instantiate this the $_FILES superglobal is destroyed
// You must access all uploaded files via this API from this point onwards
$uploadManager = new \Upload\Manager;
// Fetches a FileCollection associated with the named form control
$control = $uploadManager->getControl('image_name');
// getControl returns NULL if there are no files associated with that name
if (!isset($control)) {
exit('No file was uploaded in the image_name control');
}
// Check/create target directory
// You still need to do this, it's not magic ;-)
list($year, $month, $day) = explode('-', date('y-m-d'));
$targetDir = $baseDir . '/' . $year . '/' . $month . '/' . $day;
if (!is_dir($targetDir)) {
if (!mkdir($targetDir, 0644, true)) {
exit('Failed to create destination directory');
}
}
// This also handles multiple uploads in a single control, so we need to loop
foreach ($control as $image) {
// You need to determine a file name to use, most likely not from user
// input. This is a high-entropy low collision-risk random approach.
$targetFile = $targetDir . '/' . uniquid('upload-', true);
try {
$image->save($targetFile, true, IMAGETYPE_ORIGINAL);
} catch (\Exception $e) {
exit("Oh noes! Something went badly wrong: ".$e->getMessage());
}
}
这做了很多事情的背景来解决安全问题我在前面列出。它会自动检测到图像是有效的,识别的类型,并将正确的文件扩展名应用于保存的文件。
请使用换行符来提高可读性。 – deceze 2013-03-15 13:23:35
出于好奇你有没有试过'$ target_path ='。/ uploads /'.$ year。'/'。$ month。'/'。$ date。'/'。$ _ FILES [“image_name”] [“name” ];'? – 2013-03-15 13:24:09
对不起,我这里是新的 – User 2013-03-15 13:24:23