User upload problem
i am trying to write a user_upload() function and it works but the image mime type files do not upload but the html files do upload. how can i fix it in this script?
function user_upload()
{
$target_path = "uploads/".$_SESSION['username']."/";
$client_ID = mysql_query("SELECT 'client_ID'
FROM 'clients'
WHERE username='".$_SESSION['username']."'");
if(!empty($_FILES)){
// Add the original filename to our target path.
开发者_如何学C // Result is "uploads/filename.extension"
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if((!$_FILES["uploadedfile"]["type"] == "image/gif")
||(!$_FILES["uploadedfile"]["type"] == "image/png")
||(!$_FILES["uploadedfile"]["type"] == "image/jpeg") // "jpeg" for Firefox
||(!$_FILES["uploadedfile"]["type"] == "image/pjpeg") // "jpeg" for IE
||(!$_FILES["uploadedfile"]["type"] == "text/css")
||(!$_FILES["uploadedfile"]["type"] == "text/html")
||(!$_FILES["uploadedfile"]["type"] == "text/javascript")
||(!$_FILES["uploadedfile"]["type"] == "application/msword")
||(!$_FILES["uploadedfile"]["type"] == "application/pdf")
&&(!$_FILES["file"]["size"] < 1000000)){
echo "The file is not of the right type or size. It should be a
.gif, .png, .jpeg/.jpg, .css, .html, .javascript, .doc, or .pdf and under 1 billion kb.";
echo "If you need to send me a file different from these specification, feel free to
email it to me at exaple@support.com. These specifications are for the website's safety.";
}else{
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
mysql_query("INSERT INTO uploads(ID, URL) VALUES ('$client_ID', '$target_path')");
} else{
echo "There was an error uploading the file, please try again!";
}
}
}
}
The if-staement is wrong. Make it if (((type == png) || (type == gif)) && (size < 1 billion kb)) ... instead the !type == png ....
I don't normally do full code audits like this but here are some issue I see with your code. Some are possibly related to the question, some are are other issue I see.
The line if(!empty($_FILES)){ should be if(isset($_FILES['uploadedfile'])){. This is because if someone uploads a file with a different name in the file input your code will still run, throwing multiple errors.
I am uncomfortable with this line:
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
I am 95% positive that basename will make this safe, but I would feel much better if there was a regular expression that white listed the characters that are allowed in the basename. For example:
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
// allow only target paths in the form abc123.ext only
if (!preg_match('/^[a-z0-9 -]+\.[a-z0-9]+$/i', $target_path) {
// invalid data, handle error
}
I have two comments on the if statement on the type.
First use in_array, it will make the code much easier to read and maintain.
Second, there is an error in the if statement the last || is tied to the && for the size. This is due to the order of operations. You have something like this a || (b && c) when you want (a || b) && c.
Taking both of these comments I would write your if statemnet as follows.
$allowed_types = array("image/gif", "image/png", "image/jpeg", "image/pjpeg", "text/css", "text/html", "text/javascript", "application/msword", "application/pdf");
if(!in_array($_FILES["uploadedfile"]["type"], $allowed_types) || $_FILES["file"]["size"] >= 1000000) {
The last thing I would like to mention about your code if the possibity of sql injection. If you use the regular expression above should make the input safe, but because I believe over doing security is never a bad thing I would use mysql_real_escape_string to further sanitize the $target_path variable. Like below:
$target_path = mysql_real_escape_string($target_path);
mysql_query("INSERT INTO uploads(ID, URL) VALUES ('$client_ID', '$target_path')");
I don't know if this will fix any of your problems but these are issues that do need to be fixed in the code and may help in debugging why your code doesn't work.
加载中,请稍侯......
精彩评论