GetImageSize()不应该返回FALSE
[英]GetImageSize() not returning FALSE when it should
问题描述
Working on a little upload script here. 
在此处处理一些上传脚本。 I'm trying to check if the uploaded image really is an image and not just a renamed PHP file. 我正在尝试检查上传的图像是否真的是图像,而不仅仅是重命名的PHP文件。
When the script is posted I can print the array with 发布脚本后,我可以使用
foreach ($_FILES['images']['name'] as $key => $value){
print_r(getimagesize($_FILES['images']['tmp_name'][$key]));
That works just fine, so it won't return false. 那很好,所以不会返回false。 But even if I upload a file that is not an image, it won't give false. 但是,即使我上传的文件不是图像,也不会出现错误。 It just returns nothing at all, and the rest of my script just processes the thing like an image. 它根本什么也不返回,我脚本的其余部分仅像图像一样处理。
Could anyone tell me what I am doing wrong? 谁能告诉我我在做什么错?
5 个解决方案
解决方案1
4 2012-05-05 18:52:07
Upload 上载
you can not use getimagesize on $_FILES['images']['tmp_name'][$key] directly .. you need to copy it into your system first before you can use it 您不能直接在$_FILES['images']['tmp_name'][$key]上使用getimagesize ..您需要先将其复制到系统中,然后才能使用它
Use $_FILES['images']['size'][$key] temporarily 临时使用$_FILES['images']['size'][$key]
Or 要么
move_uploaded_file($_FILES['images']['tmp_name'][$key], $destination);
print_r(getimagesize($destination));
Fake Image 假图片
Please not that $_FILES['images']['type'][$key] can be faked 请不要假冒$_FILES['images']['type'][$key]
Using Fake image Headers 使用伪造的图片标题
Example 例
file_put_contents("fake.png", base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABAQMAAAAl21bKAAAABGdBTUEAALGPC/xhBQAAAAZQTFRF////
AAAAVcLTfgAAAAF0Uk5TAEDm2GYAAAABYktHRACIBR1IAAAACXBIWXMAAAsSAAALEgHS3X78AAAAB3RJTUUH0gQCEx05cq
KA8gAAAApJREFUeJxjYAAAAAIAAUivpHEAAAAASUVORK5CYII='));
Uploading fake.png 上载fake.png
array
'name' =>
array
0 => string 'fake.png' (length=8)
'type' =>
array
0 => string 'image/png' (length=9)
'tmp_name' =>
array
0 => string 'C:\Apache\xampp\tmp\php44F.tmp' (length=30)
'error' =>
array
0 => int 0
'size' =>
array
0 => int 167
Validate Image 验证图像
Usage 用法
var_dump ( getimagesizeReal ( "fake.png" ) );
Function Used 使用功能
function getimagesizeReal($image) {
$imageTypes = array (
IMAGETYPE_GIF,
IMAGETYPE_JPEG,
IMAGETYPE_PNG,
IMAGETYPE_SWF,
IMAGETYPE_PSD,
IMAGETYPE_BMP,
IMAGETYPE_TIFF_II,
IMAGETYPE_TIFF_MM,
IMAGETYPE_JPC,
IMAGETYPE_JP2,
IMAGETYPE_JPX,
IMAGETYPE_JB2,
IMAGETYPE_SWC,
IMAGETYPE_IFF,
IMAGETYPE_WBMP,
IMAGETYPE_XBM,
IMAGETYPE_ICO
);
$info = getimagesize ( $image );
$width = @$info [0];
$height = @$info [1];
$type = @$info [2];
$attr = @$info [3];
$bits = @$info ['bits'];
$channels = @$info ['channels'];
$mime = @$info ['mime'];
if (! in_array ( $type, $imageTypes )) {
return false; // Invalid Image Type ;
}
if ($width <= 1 && $height <= 1) {
return false; // Invalid Image Size ;
}
if($bits === 1)
{
return false; // One Bit Image .. You don't want that ;
}
return $info ;
}
解决方案2
1 2012-05-05 19:23:14
Firstly, you can use getimagesize on $_FILES['images']['tmp_name'], so that's not an issue. 首先,可以在$ _FILES ['images'] ['tmp_name']上使用getimagesize,因此这不是问题。
If you want to check if the file is an image, then try this: 如果要检查文件是否为图像,请尝试以下操作:
if(isset($_POST['submit'])) {
$check = getimagesize($_FILES['images']['tmp_name']);
if($check !== false) {
echo 'File is an image - ' . $check['mime'];
}
else {
echo 'File is not an image';
}
}
解决方案3
1 2012-05-05 19:31:40
I'd like to recommend against trusting the results of getimagesize() when deciding whether to place the uploaded file anywhere in your document root. 在决定是否将上载的文件放在文档根目录中的任何位置时,我建议不要信任getimagesize()的结果。 That's because PHP code embedded in GIF files (titled like image.gif.php ) will be identified as images by getimagesize() , but serving them will run the PHP code inside them in addition to displaying the image. 这是因为嵌入在GIF文件(标题为image.gif.php )中的PHP代码将由getimagesize()标识为图像,但是为它们提供服务除了显示图像外,还将在其中运行PHP代码。 Here is some more information on the issue. 这是有关此问题的更多信息。
The article linked above recommends setting up a separate controller through which all the user uploaded files are served. 上面链接的文章建议设置一个单独的控制器,通过该控制器可以为所有用户上传的文件提供服务。 Files read with readfile() are not parsed when accessed through the local filesystem. 通过本地文件系统访问时,不会解析使用readfile()读取的文件。
解决方案4
0 2012-05-05 19:08:02
You can simply use $_FILES['images']['type'] . 您可以简单地使用$_FILES['images']['type'] 。 it'll give you the type of file uploaded. 它会为您提供上传文件的类型。 Then check it againt octate stream or other executable file. 然后再次检查它的八进制流或其他可执行文件。 If so then do not allow it. 如果是这样,那就不允许它。
解决方案5
0 2015-07-24 11:26:25
@user1362916 If you are uploading multiple images with HTML then perhaps you need to add one more array like this. @ user1362916如果要用HTML上传多个图像,则可能需要再添加一个这样的数组。
if(isset($_POST['submit'])) {
$check = getimagesize($_FILES['images']['tmp_name'][$i]);
if($check !== false) {
echo 'File is an image - ' . $check['mime'];
}
else {
echo 'File is not an image';
}
}
Here check [i] because this is for multiple file upload. 在此检查[i],因为这是用于多个文件的上载。
Below is full script 以下是完整的脚本
<!DOCTYPE html>
<html>
<body>
<form action="#" method="post" enctype="multipart/form-data">
Select image to upload:
<input name="my_files[]" type="file" multiple="multiple" />
<input type="submit" value="Upload Image" name="submit">
</form>
<?php
if (isset($_FILES['my_files']))
{
$myFile = $_FILES['my_files'];
$fileCount = count($myFile["name"]);
for ($i = 0; $i <$fileCount; $i++)
{
$error = $myFile["error"][$i];
if ($error == '4') // error 4 is for "no file selected"
{
echo "no file selected";
}
else
{
if(isset($_POST['submit'])) {
$check = getimagesize($_FILES['my_files']['tmp_name'][$i]);
if($check !== false) {
echo 'File is an image - ' . $check['mime'];
}
else {
echo 'File is not an image';
}
}
}
}
}
?>
</body>
</html>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.