PHP file upload security guide: How to use the $_FILES array to obtain uploaded file information

PHP File Upload Security Guide: How to use the $_FILES array to obtain uploaded file information

Abstract:
File uploading is one of the common functions in web development. However, incorrect file upload implementation can lead to security vulnerabilities, bringing potential risks to the application. This article will introduce how to use PHP's $_FILES array to safely obtain uploaded file information, and combine it with some code examples to help readers better understand.

1. Set appropriate file upload restrictions
   In PHP, we can use the php.ini file to set file upload restrictions. The following are some common setting options:

   ; 允许上传的文件最大大小
   upload_max_filesize = 5M
   ; 允许同时上传的文件数量
   max_file_uploads = 20
   ; 允许上传的文件类型
   allowed_file_types = image/jpeg, image/png

   Through these settings, we can control the size, quantity, and type of uploaded files, thereby effectively preventing some potential security issues.

2. Use the $_FILES array to obtain uploaded file information
   In PHP, we can use the $_FILES array to obtain information about uploaded files. The $_FILES array is an associative array, its key name is the name of the input field in the file upload form, and the key value is an array containing information about the uploaded file.

The following is a basic usage example:

<form action="upload.php" method="POST" enctype="multipart/form-data">
  <input type="file" name="file" />
  <input type="submit" value="上传" />
</form>

In the PHP script for uploading files, we can get the information of the uploaded files like this:

$file = $_FILES['file'];
echo "文件名：" . $file['name'] . "<br />";
echo "文件类型：" . $file['type'] . "<br />";
echo "文件大小：" . $file['size'] . "字节 <br />";
echo "临时文件名：" . $file['tmp_name'] . "<br />";

Through $ _FILES array, we can easily obtain the name, type, size, temporary file name and other information of the uploaded file.

3. Security check of uploaded files
   In addition to obtaining information about uploaded files, we also need to perform some additional security checks. The following are some common security checking methods:

3.1 Check the MIME type of uploaded files

$allowed_mime_types = array('image/jpeg', 'image/png');
if (!in_array($file['type'], $allowed_mime_types)) {
  die("禁止上传该类型的文件");
}

By checking the MIME type of uploaded files, we can prevent users from uploading illegal file types .

3.2 Check the file extension

$allowed_extensions = array('jpg', 'png');
$extension = pathinfo($file['name'], PATHINFO_EXTENSION);
if (!in_array($extension, $allowed_extensions)) {
  die("禁止上传该扩展名的文件");
}

By checking the file extension, we can further ensure the legitimacy of the uploaded file.

3.3 Move the uploaded file to the specified directory

$target_directory = "uploads/";
$target_path = $target_directory . $file['name'];
if (move_uploaded_file($file['tmp_name'], $target_path)) {
  echo "文件上传成功";
} else {
  echo "文件上传失败";
}

While moving the uploaded file to the specified directory, we must also ensure that the target directory has appropriate permission settings to prevent malicious users from uploading malicious code document.

Conclusion:
By using the $_FILES array, combined with appropriate security checks, we can safely obtain relevant information about uploaded files, effectively preventing unwelcome security risks. Whether you are a new or experienced developer, you should keep file upload security in mind during development and follow best practice guidelines to protect the security of your application and user data.

Reference materials:

• PHP official documentation: http://php.net/manual/zh/reserved.variables.files.php

The above is the detailed content of PHP file upload security guide: How to use the $_FILES array to obtain uploaded file information. For more information, please follow other related articles on the PHP Chinese website!