2012-10-27 26 views

Answers

1

Step 1: check the extension (the ending of the file name)

Step 2: check the MIME type ($file_info = getimagesize($_FILES['image_file']['tmp_name']); $file_mime = $file_info['mime'];)

Only allow those image extensions you want to be uploaded; you can make a whitelist.

Try something like

$whitelist = array(".jpeg", ".jpg", ".png");
foreach ($whitelist as $item) {
    // preg_quote() escapes the dot in the extension; an unescaped "." in the
    // pattern would match any character, so "xjpeg" would pass as ".jpeg"
    if (preg_match("/" . preg_quote($item, "/") . "\$/i", $_FILES['uploadfile']['name'])) {
        $uploaddir = 'uploads/uploads_image/';
        // mysql_prep() is an escaping helper from the answerer's own code, not a PHP built-in
        $uploadfilename = mysql_prep(basename($_FILES['uploadfile']['name']));
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
        $iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_RANDOM);
        // ECB mode ignores the IV; the encryption here only serves to derive a new file name
        $newname = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, "this is the key", $uploadfilename . time(), MCRYPT_MODE_ECB, $iv);
        $newfilename = bin2hex($newname);
        // the stored file always gets a .png extension, whatever the original one was
        $uploadfile = $uploaddir . $newfilename . ".png";
        $access = true;
    }
}

You can also block the user's IP, if the user tries to get through, by making a blacklist

$blacklist = array(".php"); // assumed: the original code does not define $blacklist
foreach ($blacklist as $item) {
    if (preg_match("/" . preg_quote($item, "/") . "\$/i", $_FILES['uploadfile']['name'])) {
        // reject blacklisted uploads that come from the 10.12.0.0/16 network
        $network = ip2long("10.12.0.0");
        $mask = ip2long("255.255.0.0");
        // REMOTE_ADDR holds the client IP; REMOTE_HOST is a hostname and is usually not set
        $ip = ip2long($_SERVER['REMOTE_ADDR']);
        if (($network & $mask) == ($ip & $mask)) {
            die("Unauthorized");
        }
    }
}
+0

For more info on uploading miscellaneous files, can you give me some popular code for this, like something everyone uses?

+0

@Blackshadow you can try http://www.phpclasses.org/package/2181-PHP-Process-files-and-images-uploaded-via-a-form.html

2
// $_FILES[...]["type"] is the MIME type sent by the browser
if ($_FILES["file"]["type"] == "image/png") {
    // allowed
}

For this, click here

+0

Can you give me some popular code for this, like something everyone uses?

0
1st check:-
// check if the name contains "php" and kill it
$pos = strpos($filename, 'php');
if (!($pos === false)) {
    die('error');
}

2nd check:-
// get the file ext (note: in_array() is case-sensitive, so ".JPG" is rejected)
$file_ext = strrchr($filename, '.');
$image_list = array(".jpg", ".jpeg", ".gif", ".png");
if (!in_array($file_ext, $image_list)) {
    die('not allowed extension, please upload images only');
}

3rd check:-
// compare the browser-supplied MIME type against the allowed image types
$fileType = $_FILES["uploaded_file"]["type"];
if (!in_array($fileType, array("image/jpeg", "image/gif", "image/png"))) {
    die('not allowed type, please upload images only');
}

4th check:-
// extension check by regular expression; the dot must be escaped, otherwise it matches any character
if (!preg_match("/\.(gif|jpg|png)$/i", $fileName)) {
    die('error');
}

hope these checks solve your problem....
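The first answer (extension whitelist plus a MIME check) and the third answer (its four checks) together describe one validation routine. As an added example that is not from any of the answers, this is how the two steps fit together when the MIME type is taken from the file contents via getimagesize() on the temporary file rather than from the browser-supplied type. The field name "uploadfile", the destination directory and the function name are assumptions.

```php
<?php
// Added example, not code from the answers above.
// Assumed form field: "uploadfile"; assumed destination: uploads/uploads_image/.
// The destination directory should be one the web server serves as static files only.

function validate_image_upload(array $file, $upload_dir) {
    // Only trust a file that PHP really received through the upload mechanism.
    if (!isset($file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }

    // Step 1 (extension whitelist): strrchr()/in_array() are case-sensitive,
    // so normalise the extension before looking it up.
    $allowed = array('.jpg' => 'image/jpeg', '.jpeg' => 'image/jpeg',
                     '.png' => 'image/png', '.gif' => 'image/gif');
    $ext = strtolower((string) strrchr($file['name'], '.'));
    if (!isset($allowed[$ext])) {
        return false;
    }

    // Step 2 (MIME type from content): $_FILES[...]['type'] is sent by the
    // client, so read the temporary file instead. getimagesize() returns false
    // when the data is not a decodable image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $allowed[$ext]) {
        return false;
    }

    // Step 3: never reuse the client's file name. Generate a random name and
    // append the extension that matches the detected type.
    $new_name = bin2hex(openssl_random_pseudo_bytes(16)) . $ext;
    $dest = rtrim($upload_dir, '/') . '/' . $new_name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    return $dest;
}

// Usage:
// $saved = validate_image_upload($_FILES['uploadfile'], 'uploads/uploads_image/');
// if ($saved === false) { die('not allowed extension, please upload images only'); }
```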