使用If語句上傳的PHP文件驗證

Question

嗨，我對php很陌生，但是我一直在關注一些教程，但是它們似乎沒有用，所以我嘗試適應它們。 我已經測試了這段代碼，它的工作到了一定程度，但是還有其他我無法理解的地方，php文件沒有上傳（很好），但是詳細信息仍被寫入到datbase中，盡管$ ok是為了設置為0（不好）。 如果在這里說明發生了什么，可能會更容易：

-用戶可以上傳gif或jpeg文件。 詳細信息已添加到數據庫。 -用戶無法上傳任何文件，因為將使用默認值。 詳細信息已添加到數據庫。 -用戶不應上傳任何其他文件。 db上不應有任何記錄，用戶應重試。

到目前為止，我的代碼：

<?php

//This is the directory where images will be saved
$target = "images/";
$target = $target . basename( $_FILES['photo']['name']);
$ok=0; 


//This gets all the other information from the form
$name= mysql_real_escape_string ($_POST['nameMember']);
$bandMember= mysql_real_escape_string ($_POST['bandMember']);
$pic= mysql_real_escape_string ($_FILES['photo']['name']);
$about= mysql_real_escape_string ($_POST['aboutMember']);
$bands= mysql_real_escape_string ($_POST['otherBands']);

$uploaded_size=$_FILES['photo']['file_size']; 
if ($uploaded_size > 350000)
{
echo "Your file is too large, 35Kb is the largest file you can upload.<br>";
$ok=0;
} 
if ($uploaded_type =="text/php")
{
echo "No PHP files<br>";
$ok=0;
} 

if (!($uploaded_type =="image/jpeg"))
{
echo "JPEG<br>";$ok=1;
} 

if ($uploaded_type =="image/gif")
{
echo "GIf<br>";$ok=1;
} 

if (empty($pic)){
echo "You haven't uploaded a photo, a default will be used instead.<br/>";$ok=1;}


if ($ok==0)
{
Echo "Sorry your file was not uploaded, please try again with the correct format.";
}

//If everything is ok we try to upload it
else
{ 

// Connects to your Database
mysql_connect("localhost", "*******", "******") or die(mysql_error()) ;
mysql_select_db("project") or die(mysql_error()) ;

//Writes the information to the database
mysql_query("INSERT INTO dbProfile (nameMember,bandMember,photo,aboutMember,otherBands)
VALUES ('$name', '$bandMember', '$pic', '$about', '$bands')") ;

//Writes the photo to the server
if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
{

//Tells you if its all ok
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded, and your information has been added to the directory<br/>";
print "<a class=\"blue\" href=\"createMember.php\">Add Another Record</a> | <a class=\"blue\" href=\"listMember.php\">Band Member Profiles and Affiliates Menu</a>";
}
else {

//Gives and error if its not
echo "<p>If you have uploaded a picture there may have been a problem uploading your file.</p>";
print "<a class=\"blue\" href=\"createMember.php\">Add Another Record</a> | <a class=\"blue\" href=\"listMember.php\">Band Member Profiles and Affiliates Menu</a>";
}
}
?> 

提前加油。 CHL

Answer 1

錯誤可能是以下if語句：

  if (!($uploaded_type =="image/jpeg"))
  {
    echo "JPEG<br>";$ok=1;
  }

因為每次上載不具有等於“ image / jpeg”的內容類型的圖像時，$ ok的值都為1，所以所有內容都會寫入數據庫。

但也請注意，由於用戶能夠偽造文件的MIME類型，因此僅檢查MIME類型會遇到麻煩。

例如，您可以使用Imagick獲取正確的圖像MIME類型。 在此處查看更多詳細信息： http : //de2.php.net/manual/en/function.imagick-identifyimage.php

編輯：剛注意到，$ uploaded_type不會在腳本中的任何地方初始化。 如我所說，您可以使用$ _FILES ['photo'] ['type']粗略估算MIME類型。