PHP中的文件上传问题

Question

嗨,我正在尝试使用PHP脚本上传图像.什么是非常奇怪的是我只在Internet Explorer中得到以下错误,其他地方的脚本工作正常:

Warning: move_uploaded_file(pictures/) [function.move-uploaded-file]: failed to open stream: Is a directory in /home/tntauto1/public_html/admin_add1.php on line 59

Warning: move_uploaded_file() [function.move-uploaded-file]: Unable to move '/tmp/phpcJnHZE' to 'pictures/' in /home/tntauto1/public_html/admin_add1.php on line 59

Warning: copy() [function.copy]: The first argument to copy() function cannot be a directory in /home/tntauto1/public_html/admin_add1.php on line 60

这是脚本:

if(is_uploaded_file($_FILES['image']['tmp_name'])){
    if($_FILES['image']['type'] == 'image/jpeg'){
        $original = 'original_'.$v_id.'.jpg';
        $large = 'large_'.$v_id.'.jpg';
        $small = 'small_'.$v_id.'.jpg';

    }elseif($_FILES['image']['type'] == 'image/gif'){
        $original = 'original_'.$v_id.'.gif';
        $large = 'large_'.$v_id.'.gif';
        $small = 'small_'.$v_id.'.gif';
    }else{
        $error = 'Error: The image could not be uploaded. It must be in .jpg, .jpeg or .gif format.';
    }
    if(move_uploaded_file($_FILES['image']['tmp_name'],'pictures/'.$large)){}
        copy('pictures/'.$large,'pictures/'.$small);

    $imgsize = getimagesize('pictures/'.$large); //>>>>>>>>>>>>>>>>>>>>>>>>>>>>---- Resize to 480 X 360
    $width = $imgsize[0];
    $height = $imgsize[1];
    if(($width > 480) || ($height > 360)){//resize the image
        $ratio = $width / $height;
        if(100 / $ratio >= 80){//calculates if height of uploaded image is too large
            $new_width = floor(360 * $ratio);
            $new_height = 360;
        }elseif(150 * $ratio > 100){// calculate if width of uploaded image is too large
            $new_width = 480;
            $new_height = floor(480 / $ratio);
        }
        if($_FILES['image']['type'] == 'image/jpeg'){
            $img = imagecreatefromjpeg('pictures/'.$large);
            $img_copy = imagecreatetruecolor($new_width,$new_height);
            imagecopyresampled($img_copy,$img,0,0,0,0,$new_width,$new_height,$width,$height);
            imagejpeg($img_copy,'pictures/'.$large,100);    
        }
        if($_FILES['image']['type'] == 'image/gif'){
            $img = imagecreatefromjpeg('pictures/'.$large);
            $img_copy = imagecreatetruecolor($new_width,$new_height);
            imagecopyresampled($img_copy,$img,0,0,0,0,$new_width,$new_height,$width,$height);
            imagejpeg($img_copy,'pictures/'.$large,100);    
        }
    }   

Answer 1

if($_FILES['image']['type'] == 'image/jpeg'){

永远不要依赖浏览器提交的MIME类型.

在这种情况下你的问题就像大卫提到的那样:IE通常(错误地)提供image/pjpegJPEG,因此你检测到一个未知的文件类型并将$ error设置为Error: The image could not be uploaded. It must be in .jpg, .jpeg or .gif format....但是尽管如此,你仍然试图移动文件,尽管没有设置$ small或$ large.

但更重要的是,浏览器提交的类型可能完全错误.您不能相信上传的文件名或媒体类型是合适的,所以不要打扰它们.相反,请在$imgsize[2]调用getimagesize之后查看PHP认为图像的类型.

并且......如果您接受来自普通用户的图像上传,则存在安全问题.完全可以创建包含HTML标记的有效GIF(或其他文件类型).然后,当bloody-stupid-IE自带访问GIF作为页面时,它会检测HTML标签,决定你告诉它必须是错误的Content-Type,并将其解释为HTML页面,包括任何那里的JavaScript,然后在您网站的安全上下文中执行.

如果您必须允许来自不受信任来源的文件上传并且您没有自己处理图像(这通常会产生删除不需要的HTML的副作用),您通常必须从不同的主机名提供图像以避免它们编写脚本进入你的网站.