dongpeiwei8589 2013-11-22 20:44
浏览 43
已采纳

上传mp3,doc,ppt,sql,zip,tar,rar文件

I want to give my users the freedom to upload all types of files in my online storage site. I only know how to upload image files such as these:

//other code   
 $_FILES["file"]["type"] == "image/jpeg"
 $_FILES["file"]["type"] == "image/jpg"
 $_FILES["file"]["type"] == "image/pjpeg"
 $_FILES["file"]["type"] == "image/x-png"
 $_FILES["file"]["type"] == "image/png"
//other code

using the ebove code I can upload the given extention files to my site. But I want to upload .mp3 .doc .ppt .docx . pptx .sql and many more possible files. To do that, what should I put in the "question mark" below: 

 $_FILES["file"]["type"] == ?          // for mp3
 $_FILES["file"]["type"] == ?          // for doc/docx
 $_FILES["file"]["type"] == ?          // for ppt/pptx 
 $_FILES["file"]["type"] == ?          // for sql
 $_FILES["file"]["type"] == ?          // for zip/tar/rar

please , tell me if there is any list of all extensions of file and what should I write to upload the asked files?

---Thanks.

  • 写回答

2条回答 默认 最新

  • douniao7308 2013-11-22 22:14
    关注

    The MIME Type provided in $_FILE['file']['type'] is a information given by the client side and can be falsified. Don't trust it. It can also vary from a machine to another, as you saw yourself there isn't a single MIME description to each extension, so it can be very frustrating to rely on it to take any kind of decision.

    Someone can send you a music.php and say its a audio/mp3, save it in your website folder and you have just given them means to compromise your entire server. Don't do it.

    Instead, use the file extension to determine it's type. You can also list all allowed extensions in an array and just check if the file extension exists in this array.

    $allowed_extensions = array(
    'mp3', 'mp4', 'doc', 'zip', 'rar',
    'docx', 'ppt', 'pps', 'pptx' // ...
);
if (!in_array(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION), $allowed_extensions))
    die("You can't upload this.");

    Or, you can instead prohibit dangerous file extensions and allow everything else, what would be easier to do considering you want to allow "any type of file".

    $disallowed_extensions = array('exe', 'scr', 'cpl', 'bat', 'php', 'htaccess');
if (in_array(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION), $disallowed_extensions))
    die("You can't upload this.");

    Careful with the file name too. The file name provided in $_FILES['file']['name'] should be just the file base name, but once again this information is provided by the user and can be including full or relative paths to make your script save it where it shouldn't. Always use basename($_FILES['file']['name']) to make sure you are using the file base name when saving the file.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥20 腾讯企业邮箱邮件可以恢复么
  • ¥15 有人知道怎么将自己的迁移策略布到edgecloudsim上使用吗?
  • ¥15 错误 LNK2001 无法解析的外部符号
  • ¥50 安装pyaudiokits失败
  • ¥15 计组这些题应该咋做呀
  • ¥60 更换迈创SOL6M4AE卡的时候,驱动要重新装才能使用,怎么解决?
  • ¥15 让node服务器有自动加载文件的功能
  • ¥15 jmeter脚本回放有的是对的有的是错的
  • ¥15 r语言蛋白组学相关问题
  • ¥15 Python时间序列如何拟合疏系数模型