PHP文件验证使用if语句上传

StackOverflow https://stackoverflow.com/questions/516810

您好我很新的PHP的,但我一直在关注一些教程,但他们似乎没有工作,所以我试图去适应他们。  我已经测试此代码,它的工作原理到一个点,但那里有别的东西,我可以不在身边让我的头,PHP文件没有上传(罚款),但虽然$确定被斯波西的细节仍在writen到datbase被设置为0(不正常)。这可能是如果解释什么是精神疾病发生在这里更容易:

- 用户可以上传GIF或JPEG文件。详细信息添加到数据库。 - 用户可以上传任何文件作为默认将被使用。详细信息添加到数据库。 - 用户的不应该能够上传任何其他文件。没有记录应当对数据库,用户应该再次尝试。

到目前为止我的代码:

<?php

//This is the directory where images will be saved
$target = "images/";
$target = $target . basename( $_FILES['photo']['name']);
$ok=0; 


//This gets all the other information from the form
$name= mysql_real_escape_string ($_POST['nameMember']);
$bandMember= mysql_real_escape_string ($_POST['bandMember']);
$pic= mysql_real_escape_string ($_FILES['photo']['name']);
$about= mysql_real_escape_string ($_POST['aboutMember']);
$bands= mysql_real_escape_string ($_POST['otherBands']);

$uploaded_size=$_FILES['photo']['file_size']; 
if ($uploaded_size > 350000)
{
echo "Your file is too large, 35Kb is the largest file you can upload.<br>";
$ok=0;
} 
if ($uploaded_type =="text/php")
{
echo "No PHP files<br>";
$ok=0;
} 

if (!($uploaded_type =="image/jpeg"))
{
echo "JPEG<br>";$ok=1;
} 

if ($uploaded_type =="image/gif")
{
echo "GIf<br>";$ok=1;
} 

if (empty($pic)){
echo "You haven't uploaded a photo, a default will be used instead.<br/>";$ok=1;}


if ($ok==0)
{
Echo "Sorry your file was not uploaded, please try again with the correct format.";
}

//If everything is ok we try to upload it
else
{ 

// Connects to your Database
mysql_connect("localhost", "*******", "******") or die(mysql_error()) ;
mysql_select_db("project") or die(mysql_error()) ;

//Writes the information to the database
mysql_query("INSERT INTO dbProfile (nameMember,bandMember,photo,aboutMember,otherBands)
VALUES ('$name', '$bandMember', '$pic', '$about', '$bands')") ;

//Writes the photo to the server
if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
{

//Tells you if its all ok
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded, and your information has been added to the directory<br/>";
print "<a class=\"blue\" href=\"createMember.php\">Add Another Record</a> | <a class=\"blue\" href=\"listMember.php\">Band Member Profiles and Affiliates Menu</a>";
}
else {

//Gives and error if its not
echo "<p>If you have uploaded a picture there may have been a problem uploading your file.</p>";
print "<a class=\"blue\" href=\"createMember.php\">Add Another Record</a> | <a class=\"blue\" href=\"listMember.php\">Band Member Profiles and Affiliates Menu</a>";
}
}
?>

预先干杯。 CHL

有帮助吗?

解决方案

该错误可能是这个if语句:

  if (!($uploaded_type =="image/jpeg"))
  {
    echo "JPEG<br>";$ok=1;
  }

由于每次上传不具有等于“图像/ JPEG”的内容类型的图像时,$确定结果为1,所以一切都被写入到数据库中。

但也注意到,这只是检查MIME类型这样可以让你陷入困境,因为用户能够伪造的MIME类型的文件。

您可以使用Imagick以获得正确的图像的MIME类型,例如。在这里看到更多的细节: http://de2.php.net/manual /en/function.imagick-identifyimage.php

编辑:刚才注意到,该$ uploaded_type不会随时随地脚本初始化。正如我所说的,则可以通过使用$ _FILES做MIME类型的粗略估计[“相片”] [“类型”]。

许可以下: CC-BY-SA归因
不隶属于 StackOverflow
scroll top