[英]PHP: File Validation randomly works
I have a file-type
validation that checks for image
extensions. 我有一个检查image
扩展名的file-type
验证。
However, when I try to upload files such as .exe
or .mp3
and almost anything other than the allowed extension : 但是,当我尝试上传.exe
或.mp3
文件以及除允许的扩展名之外的几乎所有内容时:
$allowed_ext = array('jpg', 'jpeg', 'png', 'gif');
It randomly works, I mean, sometimes it echoes out error and sometimes the errors are not being echo-ed. 我的意思是,它随机起作用,有时会回显错误,有时不会回显错误。
This is the line that checks for the extension.... thingy 这是检查扩展名的行。。。
if (in_array($image_ext, $allowed_ext) === false){
$errors[] = '<font color="red">*File type is not allowed.</font>';
}
Full code: 完整代码:
if (isset($_FILES['image'], $_POST['album_id'])){
$image_name = $_FILES['image']['name'];
$image_size = $_FILES['image']['size'];
$image_temp = $_FILES['image']['tmp_name'];
$allowed_ext = array('jpg', 'jpeg', 'png', 'gif');
//seperate thingies
$tmp = explode('.', $image_name);
$image_ext = strtolower(end($tmp));
$album_id = $_POST['album_id'];
//error array
$errors = array();
if (empty($image_name)){
$errors[] = '<font color="red">*Please choose a photo.</font>';
}
if (empty($album_id)){
$errors[] = '<font color="red">Invalid album.</font>';
} else {
// not allowed extension?
if (!$allowed_ext){
$errors[] = '<font color="red">*The file type is not supported</font>';
}
if (in_array($image_ext, $allowed_ext) === false){
$errors[] = '<font color="red">*File type is not allowed.</font>';
}
// 5 MB file
if ($image_size > 5242880 ){
$errors[] = '<font color="red">*Maximum file size is 2MB.</font>';
}
if (album_check($album_id) === false){
$errors[] = '<font color="red">*Couldn\'t upload to that album.</font>';
}
// puting this in here prevent undefined index error.
$caption = $_POST['caption'];
if (empty($caption)){
$errors[] = '<font color="red">*Caption cannot be empty</font>';
}
}
// check if error, if error, echo errors
if (!empty($errors)){
foreach ($errors as $error){
echo $error, '<br />';
}
} else {
// upload the image if no error
upload_image($image_temp, $image_ext, $album_id);
header('Location: view_album.php?album_id='.$album_id);
exit();
}
Just checking for extention might not be secure depending on your setup. 根据您的设置,仅检查扩展范围可能并不安全。 I could upload a PHP file with the jpg
extention and if your server isnt setup properly, I could execute it. 我可以上传一个具有jpg
扩展名的PHP文件,如果您的服务器未正确设置,我可以执行它。 I guess a better check would be for filetype after uploading. 我猜最好是在上传后检查文件类型。
<?php
$allowed_types=array(
'image/gif',
'image/jpeg',
'image/png',
);
if (isset($_FILES['image']) {
//as the type in $_FILES isnt checked by php, use this.
$finfo = new finfo(FILEINFO_MIME);
$type = $finfo->file($_FILES['image']['tmp_name']);
$mime = substr($type, 0, strpos($type, ';'));
if (in_array($mime, $allowed_types)
{
//allowed
}
}
?>
But you could use the same approach for the extention. 但是您可以对扩展使用相同的方法。
<?php
$allowed_ext=array(
'gif',
'jpg',
'jpeg',
'png',
);
if (isset($_FILES['image']) {
$t = explode('.',basename($_FILES['image']['name']));
$ext = str_to_lower(array_pop($t));
if (in_array($ext, $allowed_ext)
{
//allowed
}
}
?>
don't put image extension and size validation in else
clause, removing else
clause from your code 不要将图像扩展名和大小验证放在else
子句中,请从代码中删除else
子句
if (isset($_FILES['image'], $_POST['album_id']))
{
$image_name = $_FILES['image']['name'];
$image_size = $_FILES['image']['size'];
$image_temp = $_FILES['image']['tmp_name'];
$allowed_ext = array('jpg', 'jpeg', 'png', 'gif');
//seperate thingies
$tmp = explode('.', $image_name);
$image_ext = strtolower(end($tmp));
$album_id = $_POST['album_id'];
//error array
$errors = array();
if (empty($image_name))
{
$errors[] = '<font color="red">*Please choose a photo.</font>';
}
if (empty($album_id))
{
$errors[] = '<font color="red">Invalid album.</font>';
}
// not allowed extension?
if (!$allowed_ext){
$errors[] = '<font color="red">*The file type is not supported</font>';
}
if (in_array($image_ext, $allowed_ext) === false){
$errors[] = '<font color="red">*File type is not allowed.</font>';
}
// 5 MB file
if ($image_size > 5242880 ){
$errors[] = '<font color="red">*Maximum file size is 2MB.</font>';
}
if (album_check($album_id) === false){
$errors[] = '<font color="red">*Couldn\'t upload to that album.</font>';
}
// puting this in here prevent undefined index error.
$caption = $_POST['caption'];
if (empty($caption)){
$errors[] = '<font color="red">*Caption cannot be empty</font>';
}
// check if error, if error, echo errors
if (!empty($errors))
{
foreach ($errors as $error)
{
echo $error, '<br />';
}
}
else
{
// upload the image if no error
upload_image($image_temp, $image_ext, $album_id);
header('Location: view_album.php?album_id='.$album_id);
exit();
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.