php图像类型检测

Question

无法检测 mime 类型。如果我删除($mime=="image/jpeg" || $mime=="image/pjpeg")，它可以成功上传图片。

$mime = $_FILES['Filedata']['type'];
if((!empty($_FILES['Filedata']['tmp_name'])) && ($_FILES['Filedata']['error'] == 0)) {
  $filename = basename($_FILES['Filedata']['name']);
  $ext = pathinfo($filename, PATHINFO_EXTENSION);
  if (($ext=="jpg" || $ext=="jpeg") && ($mime=="image/jpeg" || $mime=="image/pjpeg") && ($_FILES["Filedata"]["size"] < 350000)) {
        $newname = $filename;
        if (!file_exists($newname)) {
            if (move_uploaded_file($_FILES['Filedata']['tmp_name'], "./photo/" . $newname)) {
                echo "It's done! The file has been saved as: ".$newname;
            } else {
                echo "Error: A problem occurred during file upload!";
            }
        } else {echo "Error: File ".$_FILES["uploaded_file"]["name"]." already exists";}
  } else {
     echo "Error: Only .jpg images under 350Kb are accepted for upload";
  }
} else {
    echo "Error: No file uploaded";
}

Answer 1

上传文件的name 和type 信息应被视为纯粹的信息，并且切勿用于任何严重的事情，因为它是用户提供的信息，很容易被欺骗。您应该只查看tmp_name、error 和size 字段来确定是否要接受文件。要查找文件的实际 MIME 类型，请使用 PHP 的内置函数：

if ($file['error'] == UPLOAD_ERR_NO_FILE) {
    die('No file uploaded');
}

if ($file['error'] != UPLOAD_ERR_OK) {
    die('Error during upload');
}

if (!$file['size'] || !is_uploaded_file($file['tmp_name'])) {
    die('File is weird');
}

$extensions = array(IMAGETYPE_GIF => '.gif', IMAGETYPE_JPEG => '.jpg', IMAGETYPE_PNG => '.png');
$exifType = exif_imagetype($file['tmp_name']);
if (!isset($extensions[$exifType])) {
    die('Unsupported file type');
}

$ext = $extensions[$exifType];
$targetDir = '/somewhere/else/';

do {
    $target = $targetDir . uniqid() . $ext;
} while (file_exists($target));

if (!move_uploaded_file($file['tmp_name'], $target)) {
    die('Something went wrong');
}

echo 'Yay, uploaded!';

虽然您不一定要使用那么多 die() 语句，但这只是为了演示目的。