問題描述
我在網上找到了一些示例,但我想從每天使用 PHP 的人那里獲得關于潛在安全或性能考慮因素及其解決方案的反饋.
I've found a few samples online but I'd like to get feedback from people who use PHP daily as to potential security or performance considerations and their solutions.
請注意,我只對一次上傳一個文件感興趣.
Note that I am only interested in uploading a single file at a time.
理想情況下不需要瀏覽器插件(Flash/Java),盡管了解使用插件的好處會很有趣.
Ideally no browser plugin would be required (Flash/Java), although it would be interesting to know the benefits of using a plugin.
我想知道最好的 HTML 表單代碼和 PHP 處理代碼.
I would like to know both the best HTML form code and PHP processing code.
推薦答案
文件上傳教程
HTML
<form enctype="multipart/form-data" action="action.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="1000000" />
<input name="userfile" type="file" />
<input type="submit" value="Go" />
</form>
action.php是將處理上傳的 PHP 文件的名稱(如下所示)MAX_FILE_SIZE必須出現在類型為file的輸入之前.這個值可以很容易地在客戶端上操作,所以不應該依賴.它的主要好處是在用戶上傳文件之前向用戶提供文件過大的早期警告.- 您可以使用
file類型更改輸入的名稱,但請確保它不包含任何空格.您還必須更新 PHP 文件中的相應值(如下). action.phpis the name of a PHP file that will process the upload (shown below)MAX_FILE_SIZEmust appear immediately before the input with typefile. This value can easily be manipulated on the client so should not be relied upon. Its main benefit is to provide the user with early warning that their file is too large, before they've uploaded it.- You can change the name of the input with type
file, but make sure it doesn't contain any spaces. You must also update the corresponding value in the PHP file (below).
<?php
$uploaddir = "/www/uploads/";
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
echo "Success.
";
} else {
echo "Failure.
";
}
echo 'Here is some more debugging info:';
print_r($_FILES);
print "</pre>";
?>
The upload-to folder should not be located in a place that's accessible via HTTP, otherwise it would be possible to upload a PHP script and execute it upon the server.upload-to 文件夾不應位于可通過 HTTP 訪問的位置,否則可能上傳 PHP 腳本并在服務器上執行.
Printing the value of $_FILES can give a hint as to what's going on. For example:
打印$_FILES 的值可以提示發生了什么.例如:
Array ( [userfile] => Array ( [name] => Filename.ext [type] => [tmp_name] => [error] => 2 [size] => 0 ) )
這個結構提供了一些關于文件名、MIME 類型、大小和錯誤代碼的信息.
This structure gives some information as to the file's name, MIME type, size and error code.
0 表示沒有錯誤,文件上傳成功
1 表示文件超過了 php.ini 中定義的最大文件大小.如果您想更改最大文件大小,您需要打開您的 php.ini 文件,確定讀取的行:upload_max_filesize = 2M 并將值從 2M (2MB) 更改為您需要的任何值
2 表示已超出頁面腳本中手動定義的最大文件大小
3 表示文件只上傳了部分
4 表示沒有指定文件(空文件字段)
5 尚未定義
6 表示沒有臨時文件夾
7 表示文件無法寫入磁盤
0 Indicates that there was no errors and file has been uploaded successfully
1 Indicates that the file exceeds the maximum file size defined in php.ini. If you would like to change the maximum file size, you need to open your php.ini file, identify the line which reads: upload_max_filesize = 2M and change the value from 2M (2MB) to whatever you need
2 Indicates that the maximum file size defined manually, within an on page script has been exceeded
3 Indicates that file has only been uploaded partially
4 Indicates that the file hasn't been specified (empty file field)
5 Not defined yet
6 Indicates that there′s no temporary folder
7 Indicates that the file cannot be written to the disk
php.ini 配置
使用較大的文件運行此設置時,您可能會收到錯誤消息.檢查您的 php.ini 文件中的這些鍵:
php.ini Configuration
When running this setup with larger files you may receive errors. Check your php.ini file for these keys:
max_execution_time = 30upload_max_filesize = 2M
適當增加這些值可能會有所幫助.使用 Apache 時,對此文件的更改需要重新啟動.
Increasing these values as appropriate may help. When using Apache, changes to this file require a restart.
最大內存允許值(通過 memory_limit 設置)在此處不起作用,因為文件在上傳時寫入 tmp 目錄.tmp 目錄的位置可以通過 upload_tmp_dir 控制.
The maximum memory permitted value (set via memory_limit) does not play a role here as the file is written to the tmp directory as it is uploaded. The location of the tmp directory is optionally controlled via upload_tmp_dir.
您應該檢查用戶上傳的文件類型 - 最佳做法是根據允許的文件類型列表進行驗證.允許任何文件的潛在風險是用戶可能將 PHP 代碼上傳到服務器然后運行它.
You should check the filetype of what the user is uploading - the best practice is to validate against a list of allowed filetypes. A potential risk of allowing any file is that a user could potentially upload PHP code to the server and then run it.
您可以使用非常有用的fileinfo 擴展(取代舊的 mime_content_type 函數)來驗證 MIME 類型.
You can use the very useful fileinfo extension (that supersedes the older mime_content_type function) to validate mime-types.
// FILEINFO_MIME set to return MIME types, will return string of info otherwise
$fileinfo = new finfo(FILEINFO_MIME);
$file = $fileinfo->file($_FILE['filename']);
$allowed_types = array('image/jpeg', 'image/png');
if(!in_array($file, $allowed_types))
{
die('Files of type' . $file . ' are not allowed to be uploaded.');
}
// Continue
更多信息
您可以在 PHP.net 手冊中閱讀有關處理文件上傳的更多信息.
//For those who are using PHP 5.3, the code varies.
$fileinfo = new finfo(FILEINFO_MIME_TYPE);
$file = $fileinfo->file($_FILE['filename']['tmp_name']);
$allowed_types = array('image/jpeg', 'image/png');
if(!in_array($file, $allowed_types))
{
die('Files of type' . $file . ' are not allowed to be uploaded.');
}
// Continue
更多信息
您可以在 PHP.net 文檔中閱讀有關 FILEINFO_MIME_TYPE 的更多信息.
More Information
You can read more on FILEINFO_MIME_TYPE at the PHP.net documentation.
這篇關于使用 PHP 創建單文件上傳表單的最佳方法是什么?的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!