When this form is submitted, the http request will be sent to upload.php. To show exactly what information is available in upload.php, I print it out in upload.php:
Let’s do an experiment below. If I Use the above form to upload a logo of this blog to my local server www.360weboy.me/upload.php and see what information will be output in upload.php:
The above is all the information about the currently uploaded file in the global array after the file is uploaded. However, can we guarantee that this information is safe? What if the name or other information has been tampered with? We always need to be vigilant about information from clients!
Parts of the specific http request In order to better understand file upload, we must check what specific information is included in the http request sent by the client. The attachment I uploaded earlier is the logo of this blog. Because it is a picture, it is not suitable for us to do the above experiment. So, I re-uploaded a test.text text file, which specifically contains the following content:
Life Of A Web Boy ------------- ----------------24464570528145--
There are several fields in the above request format that we need to pay attention to, namely name, filename and Content-Type. They respectively represent the field name of the upload file box in the form - attachment, the name of the file uploaded by the user from the local hard disk - test.txt, and the uploaded file format - text/plain (representing a text file). Then, we see a blank line below, which is the specific content of the uploaded file.
2. Security enhancement In order to enhance the security in file upload, we need to check the tmp_name and size in the $_FILES global array. In order to ensure that the file pointed by tmp_name is indeed the file that the user just uploaded on the client, rather than pointing to something like /etc/passwd, you can use the function is_uploaded_file() in PHP to make a judgment:
if (is_uploaded_file($filename)) { /* Is an uploaded file. */ }
In some cases, after the user uploads the file, it may The content of the successfully uploaded file will be displayed to the user, so checking the above code is particularly important.
Another thing that needs to be checked is the mime-type of the uploaded file, which is the type field of the output array in upload.php mentioned above. What I uploaded in the first example is an image, so the value of $_FILES['attachment']['type'] is 'image/jpeg'. If you plan to only accept mime-type images such as image/png, image/jpeg, image/gif, image/x-png and image/p-jpeg on the server side, you can use code similar to the following to check (just give an example Examples, specific codes, such as error reporting, etc., should follow the mechanism in your system):
As you can see, we have ensured that the mime-type of the file meets the server-side requirements. However, it is not enough to prevent malicious users from uploading other harmful files, because this mime-type malicious user can be disguised. For example, the user made a jpg picture, wrote some malicious php code in the metadata of the picture, and then saved it as a file with the suffix php. When this malicious file is uploaded, it will successfully pass the server-side mime-type check and be considered an image, and the dangerous PHP code inside will be executed. The specific image metadata is similar to the following:
File name : image.jpg File size : 182007 bytes File date : 2012:11:27 7:45:10 Resolution : 1197 x 478 Comment : passthru($_POST['cmd ']); __halt_compiler();
We can see that php code has been added to the Comment field of the image metadata. Therefore, it is obvious that in order to prevent similar dangerous situations from happening, a necessary check must be performed on the extension of the uploaded file. The following code enhances the previous code for checking Mime-type:
if(!array_key_exists($image['type'], $allow_mimes )) { die('Sorry, you uploaded it The file format is not accurate; we only accept image files.'); , 0, strrpos($image['name'], '.'));
🎜> // Continue processing the uploaded file
Through the above code, we ensure that even if the meta file of the uploaded image contains php code, the image file will be renamed with the suffix File named image format, so the php code in it will not be executed. The above code will not have any negative impact on normal uploaded images.
After performing the above steps to improve security, if you just want to save the uploaded file to a specified directory, you can use PHP's default function move_uploaded_file to achieve this:
$temp_filename saved in the temporary directory Upload the file, and then successfully save it to the attachment.txt file in the corresponding directory. */
The filesize function is used to obtain the size of the uploaded file, and further processing is performed after judgment. This is not detailed here, so you can figure it out yourself.
Okay, let’s stop writing about file upload here for now. I hope this introductory article has been helpful to you.
Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn