dongpeiwei8589 2013-11-22 20:44
浏览 43
已采纳

上传mp3,doc,ppt,sql,zip,tar,rar文件

I want to give my users the freedom to upload all types of files in my online storage site. I only know how to upload image files such as these:

//other code   
 $_FILES["file"]["type"] == "image/jpeg"
 $_FILES["file"]["type"] == "image/jpg"
 $_FILES["file"]["type"] == "image/pjpeg"
 $_FILES["file"]["type"] == "image/x-png"
 $_FILES["file"]["type"] == "image/png"
//other code

using the ebove code I can upload the given extention files to my site. But I want to upload .mp3 .doc .ppt .docx . pptx .sql and many more possible files. To do that, what should I put in the "question mark" below: 

 $_FILES["file"]["type"] == ?          // for mp3
 $_FILES["file"]["type"] == ?          // for doc/docx
 $_FILES["file"]["type"] == ?          // for ppt/pptx 
 $_FILES["file"]["type"] == ?          // for sql
 $_FILES["file"]["type"] == ?          // for zip/tar/rar

please , tell me if there is any list of all extensions of file and what should I write to upload the asked files?

---Thanks.

  • 写回答

2条回答 默认 最新

  • douniao7308 2013-11-22 22:14
    关注

    The MIME Type provided in $_FILE['file']['type'] is a information given by the client side and can be falsified. Don't trust it. It can also vary from a machine to another, as you saw yourself there isn't a single MIME description to each extension, so it can be very frustrating to rely on it to take any kind of decision.

    Someone can send you a music.php and say its a audio/mp3, save it in your website folder and you have just given them means to compromise your entire server. Don't do it.

    Instead, use the file extension to determine it's type. You can also list all allowed extensions in an array and just check if the file extension exists in this array.

    $allowed_extensions = array(
    'mp3', 'mp4', 'doc', 'zip', 'rar',
    'docx', 'ppt', 'pps', 'pptx' // ...
);
if (!in_array(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION), $allowed_extensions))
    die("You can't upload this.");

    Or, you can instead prohibit dangerous file extensions and allow everything else, what would be easier to do considering you want to allow "any type of file".

    $disallowed_extensions = array('exe', 'scr', 'cpl', 'bat', 'php', 'htaccess');
if (in_array(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION), $disallowed_extensions))
    die("You can't upload this.");

    Careful with the file name too. The file name provided in $_FILES['file']['name'] should be just the file base name, but once again this information is provided by the user and can be including full or relative paths to make your script save it where it shouldn't. Always use basename($_FILES['file']['name']) to make sure you are using the file base name when saving the file.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?