首先,關於文件上傳的一般注意事項:type
和name
密鑰是不安全的。這是因爲它們是由客戶定義的,它們是將惡意代碼注入到您的網站的潛在機制。考慮如果我將文件名設置爲../../../../../index.php
,或者如果我將MIME類型設置爲image/gif
,但是上傳了PHP文件,會發生什麼情況?
接下來,具體說明圖片上傳的重要提示:您不能相信客戶端上傳的圖片數據。也可以將惡意代碼嵌入看起來像圖像一樣的東西。您需要將像素數據從文件中複製出來並創建一個新的。這通常用GD擴展來完成。
接下來,在mkdir()
- 它有第三個參數,如果您將true
傳遞給第三個參數,它會遞歸地創建目錄樹,因此您不需要在單獨的操作中創建每個級別。另外請注意(很多事情)mkdir()
可能會失敗,如果發生這種情況,它將返回false
,你應該檢查這個。
現在,爲了回答這個問題,實際(和暫時忽略上述安全問題),這裏是我將如何簡化代碼:
// Configuration
$allowedTypes = array(
"image/gif", "image/jpeg", "image/png", "image/pjpeg"
);
$baseDir = './uploads';
// Check file was uploaded successfully
if ($_FILES['image_name']['error'] > 0) {
exit('Return Code: ' . $_FILES['image_name']['error'] . '<br />');
}
// Check file type
if (!in_array($_FILES["image_name"]["type"], $allowedTypes)) {
exit('Invalid file type: ' . $_FILES['image_name']['type'] . '<br />');
}
// Check/create target directory
list($year, $month, $day) = explode('-', date('y-m-d'));
$targetDir = $baseDir . '/' . $year . '/' . $month . '/' . $day;
if (!is_dir($targetDir)) {
if (!mkdir($targetDir, 0644, true)) {
exit('Failed to create destination directory<br />');
}
}
// Store the uploaded file permanently
$targetPath = $targetDir . '/' . .$_FILES['image_name']['name'];
if (!move_uploaded_file($_FILES['image_name']['tmp_name'], $targetPath)) {
exit('Failed to move temporary file<br />');
}
不過,我不會這麼做。
文件上傳是一個非常普遍的任務,我使用的通用代碼看起來像this。看起來很複雜不是嗎?那是因爲處理文件上傳並不簡單。然而,這種複雜性提供了一個很好的直接方式來解決上面列出的安全問題。它內置了對圖像的支持,包括用乾淨簡單的方式調整大小的選項。
讓我們來看看我們如何可以在你的代碼中使用它:
$baseDir = './uploads';
// Very simple autoloader for demo purposes
spl_autoload_register(function($class) {
require strtolower(basename($class)).'.php';
});
// When you instantiate this the $_FILES superglobal is destroyed
// You must access all uploaded files via this API from this point onwards
$uploadManager = new \Upload\Manager;
// Fetches a FileCollection associated with the named form control
$control = $uploadManager->getControl('image_name');
// getControl returns NULL if there are no files associated with that name
if (!isset($control)) {
exit('No file was uploaded in the image_name control');
}
// Check/create target directory
// You still need to do this, it's not magic ;-)
list($year, $month, $day) = explode('-', date('y-m-d'));
$targetDir = $baseDir . '/' . $year . '/' . $month . '/' . $day;
if (!is_dir($targetDir)) {
if (!mkdir($targetDir, 0644, true)) {
exit('Failed to create destination directory');
}
}
// This also handles multiple uploads in a single control, so we need to loop
foreach ($control as $image) {
// You need to determine a file name to use, most likely not from user
// input. This is a high-entropy low collision-risk random approach.
$targetFile = $targetDir . '/' . uniquid('upload-', true);
try {
$image->save($targetFile, true, IMAGETYPE_ORIGINAL);
} catch (\Exception $e) {
exit("Oh noes! Something went badly wrong: ".$e->getMessage());
}
}
這做了很多事情的背景來解決安全問題我在前面列出。它會自動檢測到圖像是有效的,識別的類型,並將正確的文件擴展名應用於保存的文件。
請使用換行符來提高可讀性。 – deceze 2013-03-15 13:23:35
出於好奇你有沒有試過'$ target_path ='。/ uploads /'.$ year。'/'。$ month。'/'。$ date。'/'。$ _ FILES [「image_name」] [「name」 ];'? – 2013-03-15 13:24:09
對不起,我這裏是新的 – User 2013-03-15 13:24:23