PHP中的扩展验证

Question

I've been trying and retrying at this code trying to get the file extension and conditionally check against it, but due to the files placement in flow I can't see what's going into $ext.

Can anyone pinpoint what is going wrong here? It's just manipulating the uploads file for dropzone.js.

if (!empty($_FILES)) {

    $tempFile = $_FILES['file']['tmp_name'];          //3             

    $targetPath = dirname( __FILE__ ) . $ds. $storeFolder . $ds;  //4

    $targetFile =  $targetPath. $_FILES['file']['name'];  //5

    $ext = end(explode(".", $_FILES['file']['tmp_name']));

    if(filesize($tempFile) < 6000000 and $ext == "png"){
        move_uploaded_file($tempFile,$targetFile); //6
    }

}

Answer 1

You are using tmp_name variable to get extension which will always give you file with .tmp extension.

In place of

$ext = end(explode(".", $_FILES['file']['tmp_name']));

Use this :

$ext = end(explode(".", $_FILES['file']['name']));

Update :- But it is better to validate the file type by checking its mime time(as said by @castis), as some user might rename its file with some extension and upload it.

Below is a code sample to validate a text file, you can use similar method to validate image type.

$file_type =  mime_content_type($_FILES['img']['tmp_name']);

if($file_type == 'text/plain'){
    echo "file type is text";
}
?>

<form action="#" method="post" enctype="multipart/form-data">
  <input type="file" name="img">
  <input type="submit" value="Submit">
</form>