堆栈内存溢出
  简体   繁体   English

PHP:文件验证随机有效

[英]PHP: File Validation randomly works

 原文  2013-05-14 07:06:26       php/ image/ file/ validation

问题描述

I have a file-type validation that checks for image extensions. 我有一个检查image扩展名的file-type验证。

However, when I try to upload files such as .exe or .mp3 and almost anything other than the allowed extension : 但是,当我尝试上传.exe.mp3文件以及除允许的扩展名之外的几乎所有内容时: 

 $allowed_ext = array('jpg', 'jpeg', 'png', 'gif');

It randomly works, I mean, sometimes it echoes out error and sometimes the errors are not being echo-ed. 我的意思是,它随机起作用,有时会回显错误,有时不会回显错误。

This is the line that checks for the extension.... thingy 这是检查扩展名的行。。。 

    if (in_array($image_ext, $allowed_ext) === false){
        $errors[] = '<font color="red">*File type is not allowed.</font>';
    }

Full code: 完整代码: 

if (isset($_FILES['image'], $_POST['album_id'])){
    $image_name = $_FILES['image']['name'];
    $image_size = $_FILES['image']['size'];
    $image_temp = $_FILES['image']['tmp_name'];


$allowed_ext = array('jpg', 'jpeg', 'png', 'gif');
//seperate thingies
$tmp = explode('.', $image_name);
$image_ext = strtolower(end($tmp));

$album_id = $_POST['album_id'];
//error array
$errors = array();

if (empty($image_name)){
    $errors[] = '<font color="red">*Please choose a photo.</font>';
} 
if (empty($album_id)){  
    $errors[] = '<font color="red">Invalid album.</font>';
} else {
        // not allowed extension?
    if (!$allowed_ext){
        $errors[] = '<font color="red">*The file type is not supported</font>';
    }

    if (in_array($image_ext, $allowed_ext) === false){
        $errors[] = '<font color="red">*File type is not allowed.</font>';
    }   
                    // 5 MB file
    if ($image_size > 5242880 ){
        $errors[] = '<font color="red">*Maximum file size is 2MB.</font>';
    }
    if (album_check($album_id) === false){
        $errors[] = '<font color="red">*Couldn\'t upload to that album.</font>';
    }
    // puting this in here prevent undefined index error. 
    $caption = $_POST['caption'];
    if (empty($caption)){
        $errors[] = '<font color="red">*Caption cannot be empty</font>';
    }

}
// check if error, if error, echo errors
if (!empty($errors)){
    foreach ($errors as $error){
        echo $error, '<br />';
    }
} else {
// upload the image if no error
    upload_image($image_temp, $image_ext, $album_id);
    header('Location: view_album.php?album_id='.$album_id);
    exit();

  }

2 个解决方案

解决方案1
 1 已采纳  2013-05-14 07:17:01

Just checking for extention might not be secure depending on your setup. 根据您的设置,仅检查扩展范围可能并不安全。 I could upload a PHP file with the jpg extention and if your server isnt setup properly, I could execute it. 我可以上传一个具有jpg扩展名的PHP文件,如果您的服务器未正确设置,我可以执行它。 I guess a better check would be for filetype after uploading. 我猜最好是在上传后检查文件类型。 

<?php
$allowed_types=array(
    'image/gif',
    'image/jpeg',
    'image/png',
);

if (isset($_FILES['image']) {
  //as the type in $_FILES isnt checked by php, use this.
  $finfo = new finfo(FILEINFO_MIME);
  $type = $finfo->file($_FILES['image']['tmp_name']);
  $mime = substr($type, 0, strpos($type, ';'));

  if (in_array($mime, $allowed_types)
  {
     //allowed
  }
}
?>

But you could use the same approach for the extention. 但是您可以对扩展使用相同的方法。 

<?php
$allowed_ext=array(
    'gif',
    'jpg',
    'jpeg',
    'png',
);

if (isset($_FILES['image']) {
  $t = explode('.',basename($_FILES['image']['name']));
  $ext = str_to_lower(array_pop($t));
  if (in_array($ext, $allowed_ext)
  {
     //allowed
  }
}
?>

解决方案2
 1  2013-05-14 07:18:47

don't put image extension and size validation in else clause, removing else clause from your code 不要将图像扩展名和大小验证放在else子句中,请从代码中删除else子句 

if (isset($_FILES['image'], $_POST['album_id']))
{
   $image_name = $_FILES['image']['name'];
   $image_size = $_FILES['image']['size'];
   $image_temp = $_FILES['image']['tmp_name'];

   $allowed_ext = array('jpg', 'jpeg', 'png', 'gif');
   //seperate thingies
   $tmp = explode('.', $image_name);
   $image_ext = strtolower(end($tmp));

   $album_id = $_POST['album_id'];

  //error array
  $errors = array();

 if (empty($image_name))
 {
     $errors[] = '<font color="red">*Please choose a photo.</font>';
 } 

if (empty($album_id))
{  
  $errors[] = '<font color="red">Invalid album.</font>';
}

// not allowed extension?
if (!$allowed_ext){
    $errors[] = '<font color="red">*The file type is not supported</font>';
}

if (in_array($image_ext, $allowed_ext) === false){
    $errors[] = '<font color="red">*File type is not allowed.</font>';
}   
                // 5 MB file
if ($image_size > 5242880 ){
    $errors[] = '<font color="red">*Maximum file size is 2MB.</font>';
}
if (album_check($album_id) === false){
    $errors[] = '<font color="red">*Couldn\'t upload to that album.</font>';
}
// puting this in here prevent undefined index error. 
$caption = $_POST['caption'];
if (empty($caption)){
    $errors[] = '<font color="red">*Caption cannot be empty</font>';
}


// check if error, if error, echo errors
if (!empty($errors))
{
  foreach ($errors as $error)
  {
      echo $error, '<br />';
  }
}
else 
{
  // upload the image if no error
  upload_image($image_temp, $image_ext, $album_id);
  header('Location: view_album.php?album_id='.$album_id);
  exit();
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 随机包含php文件 - Include php file randomly 在PHP中随机选择文件 - Randomly select file in PHP PHP验证还可以,但是 - PHP validation kinda works BUT 使用 PHP 中的 IMAP 将附件下载到目录,随机工作 - Downloading attachments to directory with IMAP in PHP, randomly works PHP / JavaScript验证部分起作用 - PHP/Javascript validation works partially PHP登录工作,然后随机被提出要求重新登录 - PHP Login works but then randomly gets kicked out asked to relogin PHP上传文件验证 - PHP Upload File Validation 在php中上传文件的验证 - validation for file upload in php PHP文件类型验证 - PHP File Type Validation PHP文件中的HTML验证 - HTML Validation in PHP File
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM