File upload issues in PHP

攒了一身酷 2021-01-24 07:05

Hi, I'm trying to upload an image using a PHP script. And what's really weird is I get the following error only in Internet Explorer; everywhere else the script works fine:

         


        
3 answers
  • 2021-01-24 07:25
    if($_FILES['image']['type'] == 'image/jpeg'){
    

    Never rely on the MIME type submitted by the browser.

    In this case your problem is as david alluded to: IE usually (wrongly) supplies image/pjpeg for JPEGs, so you're detecting an unknown filetype and setting $error to Error: The image could not be uploaded. It must be in .jpg, .jpeg or .gif format.... but then despite that you still try to move the file anyway, despite not having set $small or $large.

    But more than that, the browser-submitted type is likely to be completely wrong. You can't trust the uploaded filename or media type to be appropriate, so don't even bother checking them. Instead, look at $imgsize[2] after your call to getimagesize to find out what type PHP thinks the image is.

    And... if you are accepting image uploads from general users, you've got a security problem. It's perfectly possible to create a valid GIF (or other filetype) that contains HTML tags. Then when bloody-stupid-IE comes along to access the GIF as a page on its own it'll detect the HTML tags, decide the Content-Type you told it must be wrong, and interpret it as an HTML page instead, including any JavaScript in there, which then executes in your site's security context.

    If you have to allow file uploads from an untrusted source and you're not processing the images yourself (which would usually have the side-effect of removing unwanted HTML), you generally have to serve your images from a different hostname to avoid them scripting into your site.

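The checks recommended in the answer above, as an added example that is not part of the original answer or the asker's script: the type is taken from `getimagesize()` index 2 instead of the browser-supplied MIME type, and the image is re-encoded with GD before it is stored. The function name `store_image`, the JPEG/GIF allow-list and the sample GIF are assumptions constructed for illustration; the GD extension is required.

```php
<?php
// Added example, not the asker's script. Decide the type from the file's bytes
// (getimagesize index 2) and re-encode with GD; never read $_FILES[...]['type'].
function store_image(string $tmpPath, string $destDir): string
{
    $info = @getimagesize($tmpPath);          // false if the bytes are not an image
    if ($info === false) {
        throw new RuntimeException('Not a recognisable image');
    }
    // Allow-list keyed by what PHP detected: GD decoder, GD encoder, extension.
    $handlers = [
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  'gif'],
    ];
    if (!isset($handlers[$info[2]])) {
        throw new RuntimeException('Must be JPEG or GIF');
    }
    [$decode, $encode, $ext] = $handlers[$info[2]];
    $img = @$decode($tmpPath);
    if ($img === false) {
        throw new RuntimeException('Image data is corrupt');
    }
    // Server-chosen name: the client's filename never reaches the filesystem.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // Re-encoding writes pixel data only, so trailing bytes and metadata
    // blocks carried by the upload are not copied into the stored file.
    if (!$encode($img, $dest)) {
        throw new RuntimeException('Could not write image');
    }
    return $dest;
}

// Constructed input: a 1x1 GIF with HTML appended after the GIF trailer byte.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $gif . '<b>constructed marker</b>');

// In a real handler $tmp is $_FILES['image']['tmp_name'], used only after
// $_FILES['image']['error'] === UPLOAD_ERR_OK and is_uploaded_file($tmp).
$stored = store_image($tmp, sys_get_temp_dir());
var_dump(strpos(file_get_contents($tmp), '<b>') !== false);    // uploaded bytes
var_dump(strpos(file_get_contents($stored), '<b>') !== false); // re-encoded bytes
unlink($tmp);
unlink($stored);
```

Re-encoding does not replace the separate-hostname advice in the answer; it only covers the case where you process the images yourself.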
  • 2021-01-24 07:26
    if($FILES['image']['type'] == 'image/jpeg'){
    

    Variable that holds file upload data should be $_FILES. Since $FILES is an empty (just used) variable, your $large variable is also empty so you're moving a file to the pictures/ which is a directory, just like PHP told you. Your $error should also contain the error message since none of the ifs before it is true.

    One way of avoiding errors like this is to develop with error_reporting set to E_ALL that would have displayed a notice that your $FILES variable (a typo) is undefined.

  • 2021-01-24 07:35

    You can't move a directory, because $large has no value, or is reset.
