In-depth introduction to PHP File Upload

Source: Internet
Author: User
Tags: php, file upload
As a special kind of form data, a file submitted to the server through an HTTP POST request causes PHP to populate the $_FILES global array with the information about that file. In this article I will use some sample code to show how to upload files in PHP, look more closely at the mechanism behind file upload, and finally describe briefly how to make file upload more secure!

File Upload

To allow client users to upload files, we must provide a form on the user interface through which they submit the upload request. Because an uploaded file is a special type of data, unlike other POST data, we must set a special encoding type for the form:

 

Tip: upload_max_filesize in php.ini sets the largest file that may be uploaded. A second setting, post_max_size, limits the total size of the submitted form data, that is the sum of all fields in the form, so it also caps the size of an uploaded file. Note that post_max_size must be larger than upload_max_filesize, because the uploaded file is only one part of the form data that the latter covers.
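As an added example (not the original article's code), here is an upload form page of the kind the text describes, with the encoding type set and the two php.ini limits from the tip read at runtime so that the relationship between them can be checked. It assumes the page is served as form.php and posts to upload.php with a file field named attachment; the helper ini_size_to_bytes() is my own.

```php
<?php
// Added example, not the article's code. Assumes this file is form.php and
// that upload.php handles the POST. ini_size_to_bytes() is a helper written here.

// Convert a php.ini shorthand size such as "2M", "512K" or "8192" into bytes.
function ini_size_to_bytes(string $value): int
{
    $value  = trim($value);
    $unit   = strtolower(substr($value, -1));
    $number = (int) $value;              // (int)"2M" === 2, (int)"8192" === 8192
    switch ($unit) {
        case 'g': return $number * 1024 * 1024 * 1024;
        case 'm': return $number * 1024 * 1024;
        case 'k': return $number * 1024;
        default:  return $number;        // plain byte count, no suffix
    }
}

$uploadMax = ini_size_to_bytes((string) ini_get('upload_max_filesize'));
$postMax   = ini_size_to_bytes((string) ini_get('post_max_size'));

// The rule from the tip: post_max_size must exceed upload_max_filesize,
// because the file is only one part of the whole POST body. If it does not,
// large uploads fail before PHP ever fills $_FILES.
if ($postMax <= $uploadMax) {
    error_log("misconfiguration: post_max_size ($postMax bytes) must exceed upload_max_filesize ($uploadMax bytes)");
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Upload</title></head>
<body>
<!-- enctype="multipart/form-data" is the "special encoding" the text refers to.
     Without it the browser submits only the file name, not the file content. -->
<form action="upload.php" method="post" enctype="multipart/form-data">
    <!-- MAX_FILE_SIZE lets PHP reject oversized files early (UPLOAD_ERR_FORM_SIZE),
         but it is sent by the client and can be edited, so it is a convenience,
         not a security control; the server-side limits above still apply. -->
    <input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $uploadMax; ?>">
    <input type="file" name="attachment">
    <input type="submit" value="Upload">
</form>
</body>
</html>
```

The hidden MAX_FILE_SIZE field and the php.ini limits only bound the size of the upload; the content checks discussed later in the article are still needed on the receiving side.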

Figure: the upload form displayed in Firefox.

When this form is submitted, the HTTP request is sent to upload.php. To show which information is available in upload.php, I print the $_FILES array there:

 

Let's do a test. If I upload this blog's logo to my local server at www.360weboy.me/upload.php through the above form, upload.php outputs the following:

    Array
    (
        [attachment] => Array
            (
                [name] => boy.jpg
                [type] => image/jpeg
                [tmp_name] => D:\xampp\tmp\php1168.tmp
                [error] => 0
                [size] => 11490
            )
    )

The above is all the information about the uploaded file that the global array holds once the upload is complete. But can we be sure this information is trustworthy? What if the name or another field has been tampered with? We always need to be cautious with information that comes from the client!

Specific http request parts

To better understand file upload, we must look at the specific content of the HTTP request the client sends. The attachment I uploaded previously is this blog's logo; because it is a binary image, it is not suitable for showing the request body. So instead I upload a text file, test.txt, with the following content:

    360weboy
    360days
    Life Of A Web Boy

Okay. Now I upload this text file, and upload.php outputs:

    Array
    (
        [attachment] => Array
            (
                [name] => test.txt
                [type] => text/plain
                [tmp_name] => D:\xampp\tmp\php51C0.tmp
                [error] => 0
                [size] => 40
            )
    )

Let's take a look at the HTTP POST request sent by the browser (I omitted some optional headers):

    POST /upload.php HTTP/1.1
    Host: www.360weboy.me
    Referer: http://www.360weboy.me/
    Content-Type: multipart/form-data; boundary=---------------------------24464570528145
    Content-Length: 234

    -----------------------------24464570528145
    Content-Disposition: form-data; name="attachment"; filename="test.txt"
    Content-Type: text/plain

    360weboy
    360days
    Life Of A Web Boy
    -----------------------------24464570528145--

In the request above we need to pay attention to three fields: name, filename and Content-Type. They give the field name of the file input in the form (attachment), the name of the file uploaded from the local hard disk (test.txt) and the format of the uploaded file (text/plain, a plain text file). After the blank line that follows these part headers we can see the actual content of the uploaded file.
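To make the mechanism concrete, here is an added example (not the article's code) of a minimal multipart/form-data parser that does by hand what PHP does internally when it turns a request like the one above into $_FILES: it takes the boundary from the Content-Type header, splits the body into parts, and pulls name, filename and Content-Type out of each part's headers. The function parse_multipart() is my own, and the request body fed to it is constructed to match the one shown in the text.

```php
<?php
// Added example, not the article's code: a hand-written multipart/form-data
// parser. parse_multipart() is an assumed helper name; the sample body below
// is constructed to mirror the request shown in the text.

/**
 * Parse a multipart/form-data body into parts.
 * Returns a list of ['name' => ..., 'filename' => ..., 'type' => ..., 'body' => ...].
 */
function parse_multipart(string $contentType, string $body): array
{
    // The boundary is taken from the Content-Type header, never guessed from the body.
    if (!preg_match('/boundary=("?)([^";]+)\1/', $contentType, $m)) {
        throw new InvalidArgumentException('no boundary in Content-Type');
    }
    $delimiter = '--' . $m[2];           // each part is introduced by "--" + boundary
    $parts = [];

    // Split on the delimiter. The first chunk is the preamble (empty here); the
    // chunk after the closing delimiter begins with "--" and ends the message.
    $chunks = explode($delimiter, $body);
    array_shift($chunks);
    foreach ($chunks as $chunk) {
        if (strncmp($chunk, '--', 2) === 0) {
            break;                       // closing delimiter reached
        }
        // A part is: CRLF, header lines, blank line, data, CRLF (before the next delimiter).
        $chunk = substr($chunk, 2);      // skip the CRLF that follows the delimiter
        $sep = strpos($chunk, "\r\n\r\n");
        if ($sep === false) {
            throw new RuntimeException('malformed part: no blank line after headers');
        }
        $headerBlock = substr($chunk, 0, $sep);
        $data = substr($chunk, $sep + 4, -2);   // drop the trailing CRLF

        $part = ['name' => null, 'filename' => null, 'type' => null, 'body' => $data];
        foreach (explode("\r\n", $headerBlock) as $line) {
            [$hname, $hval] = array_map('trim', explode(':', $line, 2) + [1 => '']);
            $hname = strtolower($hname);
            if ($hname === 'content-disposition') {
                if (preg_match('/(?:^|;)\s*name="([^"]*)"/', $hval, $n)) {
                    $part['name'] = $n[1];
                }
                if (preg_match('/;\s*filename="([^"]*)"/', $hval, $f)) {
                    // Like PHP, keep only the base name: the client chooses this
                    // string, so a value such as "../x" must not select a directory.
                    $part['filename'] = basename($f[1]);
                }
            } elseif ($hname === 'content-type') {
                $part['type'] = $hval;   // also client-supplied; see the security section
            }
        }
        $parts[] = $part;
    }
    return $parts;
}

// Constructed sample request, mirroring the one in the text.
$boundary    = '---------------------------24464570528145';
$contentType = "multipart/form-data; boundary=$boundary";
$body = "--$boundary\r\n"
      . "Content-Disposition: form-data; name=\"attachment\"; filename=\"test.txt\"\r\n"
      . "Content-Type: text/plain\r\n"
      . "\r\n"
      . "360weboy\r\n360days\r\nLife Of A Web Boy\r\n"
      . "--$boundary--\r\n";

foreach (parse_multipart($contentType, $body) as $p) {
    printf("name=%s filename=%s type=%s bytes=%d\n",
        $p['name'], $p['filename'], $p['type'], strlen($p['body']));
}
```

Every value this parser extracts (name, filename, type and the data itself) comes straight from bytes the client chose, which is exactly why the next section insists on checking them rather than trusting $_FILES as-is.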

Enhanced security

To make file upload more secure, we need to check the tmp_name and size entries of the $_FILES global array. To make sure that the path in tmp_name really is a file uploaded by the client in this request, rather than something like /etc/passwd, use PHP's is_uploaded_file() function to perform a check along these lines:

 

In some cases the content of the uploaded file is displayed back to the user after the upload. If tmp_name could point at an arbitrary server file, that display would expose the file, so the is_uploaded_file() check is particularly important.

The next thing to check is the mime-type of the uploaded file, that is, the type entry of the array printed by upload.php. In the first example I uploaded an image, so $_FILES['attachment']['type'] was 'image/jpeg'. If the server should only accept images with the mime-types image/png, image/jpeg, image/gif, image/x-png and image/pjpeg, code like the following can check that (details such as error reporting should follow the conventions of your own system):

    $allow_mimes = array('image/png', 'image/x-png', 'image/gif', 'image/jpeg', 'image/pjpeg');
    $image = $_FILES['attachment'];
    // Strict comparison: the type must match one of the allowed strings exactly.
    if (!in_array($image['type'], $allow_mimes, true)) {
        die('Sorry, the file format you uploaded is not acceptable; we only accept image files.');
    }
    // continue processing the uploaded image file

As you can see, we have made sure that the mime-type of the file is one the server accepts. However, that is not enough to stop malicious users from uploading other harmful files, because the mime-type can be faked. For example, someone takes a real jpg image, writes malicious PHP code into the image's metadata and saves the file with the suffix .php. When this file is uploaded it passes the server's mime-type check, is treated as an image, and the dangerous PHP code inside it can be executed. The metadata of such an image looks similar to this:

    File name:  image.jpg
    File size:  182007 bytes
    File date:  7:45:10
    Resolution: 1197x478
    Comment:

We can see that PHP code has been added to the Comment field of the image metadata. So it is clear that the file extension must also be checked to prevent this kind of dangerous situation. The following code extends the mime-type check:

    $allow_mimes = array(
        'image/png'   => '.png',
        'image/x-png' => '.png',
        'image/gif'   => '.gif',
        'image/jpeg'  => '.jpg',
        'image/pjpeg' => '.jpg',
    );
    $image = $_FILES['attachment'];
    if (!array_key_exists($image['type'], $allow_mimes)) {
        die('Sorry, the format of the file you uploaded is incorrect; we only accept image files.');
    }
    // Get the file name with its original suffix removed (everything before the last dot);
    // a name without a dot is kept as-is.
    $dot = strrpos($image['name'], '.');
    $filename = ($dot === false) ? $image['name'] : substr($image['name'], 0, $dot);
    // Append the suffix that belongs to the accepted mime-type, not the one the client chose.
    $filename .= $allow_mimes[$image['type']];
    // continue to process the uploaded file

With the code above, even if the metadata of an uploaded image contains PHP code, the file is renamed with the extension that belongs to its image format, so the web server will not hand it to the PHP interpreter and the code is not executed. The code has no negative effect on normally uploaded images.

After the security checks above, if all you want to do is save the uploaded file into a specific directory, you can use PHP's built-in move_uploaded_file() function:

  

You may also need to limit the size of the uploaded file: use the filesize() function to get the size of the uploaded file, compare it with your limit and act accordingly. I will not go into that here; try it yourself.
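Bringing the checks of this section together, here is an added example (not the article's code) of an upload.php that applies them in one place: the PHP error code, is_uploaded_file(), a size limit on the temporary file, a mime-type check, an extension assigned by the server instead of taken from the client, and move_uploaded_file(). It goes one step beyond the article's own check by determining the mime-type from the file content with PHP's finfo extension and getimagesize() rather than from the client-supplied type field; because finfo reports canonical types, the map only lists image/png, image/gif and image/jpeg and not the browser aliases image/x-png and image/pjpeg. The form field name attachment comes from the article; UPLOAD_DIR, MAX_BYTES and the function store_image_upload() are assumptions of this example.

```php
<?php
// Added example, not the article's code: an upload handler applying every
// check discussed in the text. UPLOAD_DIR and MAX_BYTES are assumed values;
// store_image_upload() is a helper written for this example.

const UPLOAD_DIR = '/var/www/uploads';   // assumed: a directory the web server does not serve
const MAX_BYTES  = 2 * 1024 * 1024;      // assumed size limit (2 MiB)

// Server-detected mime-type => extension we assign. The client-supplied
// $_FILES[...]['type'] is deliberately not consulted anywhere below.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
];

/**
 * Validate one entry of $_FILES and store it. Returns the stored path,
 * or throws a RuntimeException describing why the upload was rejected.
 */
function store_image_upload(array $file): string
{
    // 1. PHP's own error code first. UPLOAD_ERR_INI_SIZE / UPLOAD_ERR_FORM_SIZE
    //    mean the php.ini or MAX_FILE_SIZE limits were exceeded.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'none'));
    }

    // 2. tmp_name must be a file PHP itself received in this request,
    //    not an arbitrary local path such as /etc/passwd.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 3. Size check on the temporary file, not on the client-reported ['size'].
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 4. Mime-type determined from the content on the server. A client can
    //    claim image/jpeg for anything, so ['type'] is ignored entirely.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = (string) $finfo->file($file['tmp_name']);
    if (!array_key_exists($detected, ALLOWED_TYPES)) {
        throw new RuntimeException("type '$detected' is not accepted");
    }
    // getimagesize() rejects files that merely begin with an image signature.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // 5. The stored name is generated here. The client's ['name'] is never used
    //    and the extension follows the detected type, so a file that arrived as
    //    "evil.php" is stored as <random>.jpg and is never run by the interpreter.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$detected];
    $target = UPLOAD_DIR . DIRECTORY_SEPARATOR . $stored;

    // 6. move_uploaded_file() repeats the is_uploaded_file() check internally
    //    and refuses to move anything that was not uploaded via this request.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move file into place');
    }
    return $target;
}

if (!isset($_FILES['attachment'])) {
    http_response_code(400);
    exit('no file field named "attachment"');
}

try {
    $path = store_image_upload($_FILES['attachment']);
    echo 'stored as ' . htmlspecialchars(basename($path));
} catch (RuntimeException $e) {
    // Log the detailed reason server-side; the client only learns that it failed.
    error_log('upload rejected: ' . $e->getMessage());
    http_response_code(400);
    echo 'upload rejected';
}
```

Storing the file outside the document root and serving it through a script, rather than letting the web server execute whatever lands in an upload folder, is what makes the extension check above a second line of defence rather than the only one.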

That concludes this article on file upload. I hope it helps you; when I have time I will add more posts on this topic!

Original article address: Go to PHP to upload files. Thank you for sharing it with me.
