doujiu1447
2016-11-17 16:07
Views: 50
Accepted

Restrict ".php" file upload

I am making basic photo hosting, just to upload images and resize them.

Everything works fine, I also have added accept="image/*" for my File upload button, but it is still possible to upload other files. So in my PHP code I check whether it is an image or another file, so if it is not an image, I basically remove it. But I have a problem. If a user uploads an "index.php" file, my index file on the server will be overwritten and, as my code should do, it removes "index.php", so, basically, self-destruction.

Is there a way to restrict file upload before the file is actually uploaded to the server?

Or at least, is there a way to change the root directory of a file that is uploaded?

I don't think that JavaScript or HTML restriction will do anything, because "hackermans" can change it easily in inspect element.


1 answer

  • dqyuipw44576 2016-11-17 16:18
    Best answer
    class Upload {

        private $destinationPath;
        private $errorMessage;
        private $extensions = array();
        private $allowAll = false;
        private $maxSize = 0;
        private $uploadName;
        private $sequence;             // was misspelled "seqnence"; still unused
        private $imageSeq;
        private $sameFileName = false; // declared explicitly (dynamic properties are deprecated since PHP 8.2)
        private $sameName = false;
        public $name = 'Uploader';
        public $useTable = false;

        // Destination folder; a separator is appended so destinationPath . uploadName is a valid path
        function setDir($path) {
            $this->destinationPath = rtrim($path, '/\\') . DIRECTORY_SEPARATOR;
            $this->allowAll = false;
        }

        function allowAllFormats() {
            $this->allowAll = true;
        }

        // Limit given in megabytes, stored in bytes
        function setMaxSize($sizeMB) {
            $this->maxSize = $sizeMB * (1024 * 1024);
        }

        // Whitelist of extensions, compared lower-case, e.g. array('jpg', 'png')
        function setExtensions($options) {
            $this->extensions = array_map('strtolower', $options);
        }

        function setSameFileName() {
            $this->sameFileName = true;
            $this->sameName = true;
        }

        // Extension after the last dot, lower-cased; "" when the name has no dot
        // (explode() never throws, so the try/catch in the original was dead code)
        function getExtension($string) {
            $parts = explode(".", $string);
            return count($parts) > 1 ? strtolower(end($parts)) : "";
        }

        function setMessage($message) {
            $this->errorMessage = $message;
        }

        function getMessage() {
            return $this->errorMessage;
        }

        function getUploadName() {
            return $this->uploadName;
        }

        function setSequence($seq) {
            $this->imageSeq = $seq;
        }

        // Timestamp plus random digits, used to build a unique stored name
        function getRandom() {
            return time() . rand(1111, 9999) . rand(11, 99) . rand(111, 999);
        }

        function sameName($true) {
            $this->sameName = (bool) $true;
        }

        function uploadFile($fileBrowse) {
            $result = false;
            if (!isset($_FILES[$fileBrowse])) {
                $this->setMessage("File not selected ");
                return false;
            }
            // PHP reports partial uploads, php.ini size limits etc. in the "error" slot
            if ($_FILES[$fileBrowse]["error"] !== UPLOAD_ERR_OK) {
                $this->setMessage("Upload failed , try later !");
                return false;
            }
            $size = $_FILES[$fileBrowse]["size"];
            // basename() strips any directory part the client may have put into the name
            $name = basename($_FILES[$fileBrowse]["name"]);
            $ext = $this->getExtension($name);
            if (!is_dir($this->destinationPath)) {
                $this->setMessage("Destination folder is not a directory ");
            } else if (!is_writable($this->destinationPath)) {
                $this->setMessage("Destination is not writable !");
            } else if (empty($name)) {
                $this->setMessage("File not selected ");
            } else if ($size > $this->maxSize) {
                $this->setMessage("Too large file !");
            } else if ($this->allowAll || in_array($ext, $this->extensions, true)) {
                if ($this->sameName == false) {
                    // rand(1111, 1000) in the original had min > max, which throws in PHP 8
                    $this->uploadName = $this->imageSeq . "-" . substr(md5(rand(1111, 9999)), 0, 8) . $this->getRandom() . rand(1000, 9999) . rand(99, 9999) . "." . $ext;
                } else {
                    $this->uploadName = $name;
                }
                if (move_uploaded_file($_FILES[$fileBrowse]["tmp_name"], $this->destinationPath . $this->uploadName)) {
                    $result = true;
                } else {
                    $this->setMessage("Upload failed , try later !");
                }
            } else {
                $this->setMessage("Invalid file format !");
            }
            return $result;
        }

        function deleteUploaded() {
            if ($this->uploadName !== null && file_exists($this->destinationPath . $this->uploadName)) {
                unlink($this->destinationPath . $this->uploadName);
            }
        }

    }

    How to use it:

    function callMe(){
        $uploader  = new Upload();
        $directory = "NAMEDIR";                                      // placeholder: your upload folder
        if(!is_dir($directory)){
            mkdir($directory);
        }
        $uploader->setDir($directory);
        $uploader->setExtensions(array('jpg','jpeg','png','gif'));  // allowed extensions list
        $uploader->setMaxSize(.5);                                   // max file size allowed, in MB
        $uploader->sameName(true);
        if($uploader->uploadFile('file')){   // 'file' is the name of the file-browse input
            $image = $uploader->getUploadName(); // name of the stored file

            echo json_encode(array("success"=>true,"message"=>"Success Add","image"=>rtrim($directory, '/').'/'.$image,"image_upload"=>$image));

        }else{ // upload failed
            echo json_encode(array("success"=>false,"message"=>$uploader->getMessage(),"image"=>""));
        }
    }
    callMe();
    
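An added example that is neither the asker's code nor the answerer's class, written to address the two questions directly. PHP first writes every upload into its temporary directory (upload_tmp_dir); the "index.php" overwrite described in the question only happens when the script itself moves the file into the web root under the client-supplied name. The handler below therefore ignores the client's filename entirely, checks the file's content rather than its extension, assigns a server-generated name, and stores the result outside the document root. The form field name "file", the directory /var/data/uploads and the 0.5 MB limit are assumptions for the example.

```php
<?php
// Added example (not the answerer's class): a hardened image-upload handler.
// Assumptions: the form field is named "file"; files are stored in
// /var/data/uploads, a directory outside the web root, so nothing written
// there can be executed by the web server or overwrite index.php.

declare(strict_types=1);

const UPLOAD_DIR = '/var/data/uploads';   // assumed; must NOT be under the document root
const MAX_BYTES  = 512 * 1024;            // 0.5 MB, matching the answer's setMaxSize(.5)

// The *detected* MIME type decides the stored extension. The client's
// filename and extension are never used, so "index.php" cannot survive.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate $_FILES[$field] and move it into UPLOAD_DIR under a random name.
 * Returns the stored filename; throws RuntimeException with the reason.
 */
function storeImage(string $field): string
{
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        throw new RuntimeException('No file field in request');
    }
    $f = $_FILES[$field];

    // 1. PHP's own upload status: partial uploads, php.ini size limits, etc.
    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload error code ' . $f['error']);
    }
    // 2. Only a file PHP itself received via HTTP POST is acceptable.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // 3. Server-side size check; the browser's accept= attribute proves nothing.
    if ($f['size'] > MAX_BYTES || filesize($f['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // 4. Content check: getimagesize() parses the image header, so a PHP
    //    script renamed to photo.jpg is rejected whatever its name says.
    $info = @getimagesize($f['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info['mime']])) {
        throw new RuntimeException('Not an allowed image type');
    }
    // 5. Cross-check with libmagic; both detectors must agree.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($f['tmp_name']) !== $info['mime']) {
        throw new RuntimeException('MIME type mismatch');
    }

    // 6. Server-chosen name: random bytes plus the extension derived from the
    //    detected type. Nothing supplied by the client reaches the filesystem path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info['mime']];
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('Cannot create upload directory');
    }
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // a data file, never executable
    return $name;
}

// Request handling, in the same JSON shape the answer's callMe() uses
header('Content-Type: application/json');
try {
    $stored = storeImage('file');
    echo json_encode(['success' => true, 'image' => $stored]);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['success' => false, 'message' => $e->getMessage()]);
}
```

Because the stored files live outside the document root, they are served back through a small script (for example one that validates the requested name against the same hex-plus-extension pattern and calls readfile()) or from a separate static location where the web server has no PHP handler configured. Keeping the answer's extension whitelist on top of the content checks is fine, but the extension should be the one this code assigns, not the one the client sent.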
