使用move_uploaded_file()进行运动图像麻烦
[英]Trouble moving picture with move_uploaded_file()
问题描述
I'm trying to set up some image handling for a webpage I'm creating, but I can't get move_uploaded_file() to work properly... I keep getting these errors: 
我正在尝试为正在创建的网页设置一些图像处理,但无法使move_uploaded_file()正常工作...我一直在遇到以下错误:
Warning: move_uploaded_file(/htdocs/PHP/Pictures/picture.jpg) [function.move-uploaded-file]: failed to open stream: No such file or directory in /opt/lampp/htdocs/PHP/useredit.php on line 17
Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/phpY0KKxH' to '/htdocs/PHP/Pictures/picture.jpg' in /opt/lampp/htdocs/PHP/useredit.php on line 17
My code looks like this: 我的代码如下所示:
if(isset($_FILES['image_file']))
{
$img_tmp_name = $_FILES['image_file']['name'];
$img_dir = "/htdocs/PHP/Pictures/";
$img_name = $img_dir . $img_tmp_name;
if(move_uploaded_file($_FILES['image_file']['tmp_name'],$img_name))
{
list($width,$height,$type,$attr) = getimagesize($img_name);
switch($type)
{
case 1:
$ext = ".gif";
break;
case 2:
$ext = ".jpg";
break;
case 3:
$ext = ".png";
break;
default:
echo "Image format not accepted";
}
$query = "UPDATE profile_pic SET img_path=$img_name WHERE uid='$uid'";
$img_id = mysql_insert_id();
$new_img_name = $img_dir . $img_id . $ext;
rename($img_name, $new_img_name);
}
}
if(mysql_query($query)or die('Error: ' . mysql_error()))
{
header("Refresh:0; url='control.php'");
}
The folder PHP/Pictures exist. 文件夹PHP / Pictures存在。 How do I fix this? 我该如何解决?
2 个解决方案
解决方案1
0 2012-08-15 18:43:29
You've got some major security and logistical problems with this code: 此代码存在一些主要的安全性和后勤问题:
a) You don't check if the upload succeeded and proceed as if it has. a)您无需检查上传是否成功,就可以继续进行。 There's exactly ONE way for an upload to succeed, and far too many reasons for it to fail. 上传成功只有一种方法,失败的原因太多。
if ($_FILES['image_file']['error'] !== UPLOAD_ERR_OK) {
die("Upload failed with error code {$_FILES['image_file']['error']}");
}
b) You're using the filename provided by the user in the path to save on your server. b)您正在使用用户在路径中提供的文件名保存在服务器上。 A malicious user can embed pathing data in that filename and specify any location on your server they want. 恶意用户可以在该文件名中嵌入路径数据,并在服务器上指定所需的任何位置。 eg 例如
$_FILES['image_file']['name'] = '../../../../../../etc/passwd';
解决方案2
0 2012-08-15 19:53:54
$img_dir should contain a path relative to you current file and not from root folder. $ img_dir应该包含相对于您当前文件的路径,而不是相对于根文件夹的路径。
if your current directory contains upload_file.php (ur code) and a folder hierarchy like PHP/Pictures/ 如果当前目录包含upload_file.php(我们的代码)和文件夹层次结构(如PHP / Pictures /
then $img_dir="/PHP/Pictures/"; 然后$img_dir="/PHP/Pictures/";
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.