这是一种比较安全可靠的做法。POST 请求需要检查，只检查 $name 是不够的：$username
需要去掉任何特殊字符；$id
需要检查是否已设置并且是数字；需要检查文件的扩展名是否属于特定类型，并且还要与允许的 MIME 类型交叉匹配；另外还要检查宽度和高度尺寸。需要考虑的东西很多，上传可能非常不安全，更不用说图像的文件注释中可以注入 PHP 代码，如果处理不当就可能被执行：
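<?php
// Avatar upload handler. Expects $username and $id from the including script,
// an active session, and an open mysql_* connection (that extension was
// removed in PHP 7; a prepared statement via PDO/mysqli is the long-term
// replacement for the UPDATE below). Sets $avaMessage with the outcome.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($username) && is_numeric($id)
    && isset($_FILES['myfile']['error']) && $_FILES['myfile']['error'] === UPLOAD_ERR_OK) {
    // UPLOAD_ERR_OK is the integer constant 0; the quoted string 'UPLOAD_ERR_OK'
    // only matched it under PHP < 8 loose comparison and never matches in PHP 8.

    // MIME type as detected from the file bytes => extensions accepted for it.
    // The first entry is what gets written to disk; the client-supplied
    // extension is only cross-checked, never trusted, so a file that merely
    // starts with image magic bytes cannot be stored as "name.php".
    // getimagesize() reports JPEGs as image/jpeg (there is no image/jpg).
    $allowed = array(
        'image/png'  => array('png'),
        'image/jpeg' => array('jpg', 'jpeg'),
        'image/gif'  => array('gif'),
    );
    $maxWidth = 200;
    $maxHeight = 200;

    $name = basename($_FILES['myfile']['name']);
    $parts = explode('.', $name);          // end() takes a variable by reference
    $clientExt = strtolower(end($parts));

    // Inspects the actual bytes; false when they are not a readable image.
    $info = getimagesize($_FILES['myfile']['tmp_name']);

    if ($info === false || !isset($info['mime']) || !isset($allowed[$info['mime']])
        || $info[0] <= 0 || $info[1] <= 0) {
        //Not allowed
        $avaMessage = 'Avatar not updated - file type not allowed.';
    } elseif ($info[0] > $maxWidth || $info[1] > $maxHeight) {
        //file too large: not more than 200px in either direction
        $avaMessage = 'Avatar not updated - image must be at most 200x200 pixels.';
    } elseif (!in_array($clientExt, $allowed[$info['mime']], true)) {
        // e.g. PNG bytes uploaded under the name "avatar.php"
        $avaMessage = 'Avatar not updated - file extension does not match its contents.';
    } else {
        $ext = $allowed[$info['mime']][0];
        $move_to = "images/avatars/" . preg_replace('/[^a-zA-Z0-9.-]/s', '_', $username) . '.' . $ext;
        if (move_uploaded_file($_FILES['myfile']['tmp_name'], $move_to)) {
            // $id is cast so only an integer reaches the query; is_numeric()
            // also accepts forms such as "1e3" or leading whitespace.
            $owner = isset($_SESSION['username']) ? $_SESSION['username'] : '';
            mysql_query("UPDATE users
SET avatar='" . mysql_real_escape_string($move_to) . "'
WHERE id=" . (int) $id . " AND owner='" . mysql_real_escape_string($owner) . "'");
            $avaMessage = 'Avatar Updated - Uploaded Image!.';
        } else {
            $avaMessage = 'Avatar not updated - could not save the file.';
        }
    }
}
?>
<form action="" method="POST" enctype="multipart/form-data">
<!--1 MB = 1048576 bytes; advisory only, server-side limits still apply-->
<input type="hidden" name="MAX_FILE_SIZE" value="1048576" />
<p>Upload your image: <input type="file" name="myfile"></p><br />
<p><input type="radio" name="type" value="defaultDot">Use Default</p>
<p><input type="submit" name="updateAvatar"></p>
</form>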
UPDATE EDIT
Here is an OOP version of the upload process; perhaps you will find it interesting. I added all the possible upload errors too ;p
<?php
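class updateUserAvatar
{
    public $upload_path;   // directory the file is written to (see setPath())
    public $full_path;     // destination path chosen by upload() after validation
    public $name;          // basename of the client-supplied filename
    public $size;          // byte size of the uploaded temp file
    public $ext;           // extension actually written, derived from the detected MIME type
    public $output;        // human-readable result of upload(); 'Upload success!' on success
    public $input;         // key in $_FILES to read (see setFormInput())
    public $prefix;        // sanitised filename stem (see setFilePrefix())
    private $allowed;      // array('dimensions' => array('width','height'), 'types' => list of MIME types)

    /**
     * MIME type as reported by getimagesize() => extensions accepted for it.
     * The first entry is what gets written to disk. The client-supplied
     * extension is only cross-checked against this list, never trusted, so a
     * file that merely starts with image magic bytes cannot end up stored as
     * "prefix.php" inside a web-served directory.
     */
    private static $extensions = array(
        'image/png'  => array('png'),
        'image/jpeg' => array('jpg', 'jpeg'),
        'image/gif'  => array('gif'),
    );

    /**
     * Validate and store the file posted under $this->input.
     *
     * Reads $_SERVER and $_FILES. On a POST with a file entry it always sets
     * $this->output; on success it also fills name, size, ext and full_path.
     * setPath(), setAllowed() and setFormInput() must have been called first.
     * Nothing happens (output stays unchanged) when the request is not a POST
     * or no entry for $this->input exists.
     */
    public function upload()
    {
        if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES[$this->input]['error'])) {
            return;
        }
        $file = $_FILES[$this->input];
        $code = (int) $file['error'];
        if ($code !== UPLOAD_ERR_OK) {
            $this->output = $this->errorMessage($code);
            return;
        }

        $this->name = basename($file['name']);
        $file_p = explode('.', $this->name);          // end() needs a variable, not an expression
        $clientExt = strtolower(end($file_p));
        $this->size = filesize($file['tmp_name']);

        $types = isset($this->allowed['types']) ? $this->allowed['types'] : array();
        $maxWidth = isset($this->allowed['dimensions']['width']) ? $this->allowed['dimensions']['width'] : 0;
        $maxHeight = isset($this->allowed['dimensions']['height']) ? $this->allowed['dimensions']['height'] : 0;

        // Inspects the file bytes; returns false when they are not a readable image.
        $info = getimagesize($file['tmp_name']);
        if ($info === false || !isset($info['mime'])
            || !in_array($info['mime'], $types, true)
            || !isset(self::$extensions[$info['mime']])
            || $info[0] <= 0 || $info[1] <= 0) {
            $this->output = 'File not supported!';
            return;
        }
        if ($info[0] > $maxWidth || $info[1] > $maxHeight) {
            $this->output = 'File dimensions too large!';
            return;
        }
        if (!in_array($clientExt, self::$extensions[$info['mime']], true)) {
            // e.g. GIF bytes uploaded under the name "avatar.php"
            $this->output = 'File extension does not match its contents!';
            return;
        }

        $this->ext = self::$extensions[$info['mime']][0];
        // prefix is re-sanitised here because the property is public and may
        // have been assigned without going through setFilePrefix()
        $this->full_path = rtrim($this->upload_path, '/') . '/'
            . preg_replace('/[^a-zA-Z0-9.-]/s', '_', $this->prefix) . '.' . $this->ext;
        if (move_uploaded_file($file['tmp_name'], $this->full_path)) {
            $this->output = 'Upload success!';
        } else {
            $this->output = 'Failed to write uploaded file to disk!';
        }
    }

    /**
     * Map a PHP UPLOAD_ERR_* code (anything but UPLOAD_ERR_OK) to the message shown to the user.
     */
    private function errorMessage($code)
    {
        switch ($code) {
            case UPLOAD_ERR_INI_SIZE:
                return 'The uploaded file exceeds the upload_max_filesize directive!';
            case UPLOAD_ERR_FORM_SIZE:
                return 'The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in our HTML form!';
            case UPLOAD_ERR_PARTIAL:
                return 'The uploaded file was only partially uploaded!';
            case UPLOAD_ERR_NO_FILE:
                return 'No file was uploaded!';
            case UPLOAD_ERR_NO_TMP_DIR:
                return 'Missing a temporary folder!';
            case UPLOAD_ERR_CANT_WRITE:
                return 'Failed to write uploaded file to disk!';
            case UPLOAD_ERR_EXTENSION:
                return 'A PHP extension stopped the file upload!';
            default:
                return 'Unknown upload error!';
        }
    }

    /** Directory the avatar is written to; a trailing slash is optional. */
    public function setPath($var)
    {
        $this->upload_path = $var;
    }

    /**
     * Validation limits: array('dimensions' => array('width' => int, 'height' => int),
     * 'types' => list of MIME types as reported by getimagesize(), e.g. image/jpeg).
     */
    public function setAllowed($var = array())
    {
        $this->allowed = $var;
    }

    /** Filename stem; every character outside [a-zA-Z0-9.-] is replaced with '_'. */
    public function setFilePrefix($var)
    {
        $this->prefix = preg_replace('/[^a-zA-Z0-9.-]/s', '_', $var);
    }

    /** Name of the file input in the form, i.e. the key used in $_FILES. */
    public function setFormInput($var)
    {
        $this->input = $var;
    }
}//END CLASS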
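// Controller glue: expects $username and $id from the including script and an
// open mysql_* connection (that extension was removed in PHP 7; a prepared
// statement via PDO/mysqli is the long-term replacement for both UPDATEs).
$type = isset($_POST['type']) ? $_POST['type'] : '';
$safeId = (int) $id;   // never interpolate the raw request value into SQL
if ($type !== "defaultDot") {
    //Setup
    $upload = new updateUserAvatar();
    $upload->setPath('./images/avatars/');
    $upload->setFilePrefix($username);
    // getimagesize() reports JPEGs as image/jpeg; 'image/jpg' never matches
    $upload->setAllowed(array('dimensions' => array('width' => 200, 'height' => 200),
        'types' => array('image/png', 'image/jpeg', 'image/gif')));
    $upload->setFormInput('myfile');
    $upload->upload();
    if ($upload->output == 'Upload success!') {
        //do query
        $updateURL = mysql_query("UPDATE users SET avatar='" . mysql_real_escape_string($upload->full_path) . "' WHERE id=$safeId");
    }
    //message
    $avaMessage = $upload->output;
} else {
    $avaURL = 'images/avatars/default.png';
    $updateURL = mysql_query("UPDATE users SET avatar='$avaURL' WHERE id=$safeId");
    $avaMessage = '<p><font size=2 color=aqua face=Tahoma>Avatar Updated - Default.</font></p>';
}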
?>