php xml 个文件通过 mime 的文件上传限制
php file upload restriction for xml files via mime
我在 php 批准我的文件上传时遇到问题。我希望用户只上传 .xml 文件。但是没用。
这是我的 html 表格:
<form action="upload2.php" method="post" enctype="multipart/form-data">
Wähle deine Sprachdatei aus:
<input type="file" class="form-control-file" name="upfile">
<br>
<input type="submit" class="btn btn-primary" value="Sprachdatei hochladen" name="submit">
</form>
这里是我的 php 通过 MIME 类型控制文件:
<?php
header('Content-Type: text/plain; charset=utf-8');
try {
// Undefined | Multiple Files | $_FILES Corruption Attack
// If this request falls under any of them, treat it invalid.
if (
!isset($_FILES['upfile']['error']) ||
is_array($_FILES['upfile']['error'])
) {
throw new RuntimeException('Invalid parameters.');
}
// Check $_FILES['upfile']['error'] value.
switch ($_FILES['upfile']['error']) {
case UPLOAD_ERR_OK:
break;
case UPLOAD_ERR_NO_FILE:
throw new RuntimeException('No file sent.');
case UPLOAD_ERR_INI_SIZE:
case UPLOAD_ERR_FORM_SIZE:
throw new RuntimeException('Exceeded filesize limit.');
default:
throw new RuntimeException('Unknown errors.');
}
// You should also check filesize here.
if ($_FILES['upfile']['size'] > 1000000) {
throw new RuntimeException('Exceeded filesize limit.');
}
// DO NOT TRUST $_FILES['upfile']['mime'] VALUE !!
// Check MIME Type by yourself.
$finfo = new finfo(FILEINFO_MIME_TYPE);
if (false === $ext = array_search(
$finfo->file($_FILES['upfile']['tmp_name']),
array(
'xml' => 'text/xml',
'txt' => 'text/plain',
),
true
)) {
throw new RuntimeException('Invalid file format.');
}
// You should name it uniquely.
// DO NOT USE $_FILES['upfile']['name'] WITHOUT ANY VALIDATION !!
// On this example, obtain safe unique name from its binary data.
if (!move_uploaded_file(
$_FILES['upfile']['tmp_name'],
sprintf('./uploads/%s.%s',
sha1_file($_FILES['upfile']['tmp_name']),
$ext
)
)) {
throw new RuntimeException('Failed to move uploaded file.');
}
echo 'File is uploaded successfully.';
} catch (RuntimeException $e) {
echo $e->getMessage();
}
?>
使用简单的 jpg 和 png 可以,但不能使用 xml。
我检查了 MIME 类型,它仍然无法正常工作
我在 Windows 到 运行 php
上使用 XAMPP
感谢您的帮助。
对于 xml 个文件,似乎 $finfo->file() returns application/xml 而不是 text/xml。
将具有有效 MIME 类型的数组更改为:
array(
'xml' => 'application/xml',
'txt' => 'text/plain',
),
尝试使用以下代码。文件的扩展名在您的代码上得到了正确的处理。
如果 (!move_uploaded_file(
$_FILES['upfile']['tmp_name'], 'uploads/'.basename($_FILES["upfile"]["name"]
)
))
我在 php 批准我的文件上传时遇到问题。我希望用户只上传 .xml 文件。但是没用。
这是我的 html 表格:
<form action="upload2.php" method="post" enctype="multipart/form-data">
Wähle deine Sprachdatei aus:
<input type="file" class="form-control-file" name="upfile">
<br>
<input type="submit" class="btn btn-primary" value="Sprachdatei hochladen" name="submit">
</form>
这里是我的 php 通过 MIME 类型控制文件:
<?php
header('Content-Type: text/plain; charset=utf-8');
try {
// Undefined | Multiple Files | $_FILES Corruption Attack
// If this request falls under any of them, treat it invalid.
if (
!isset($_FILES['upfile']['error']) ||
is_array($_FILES['upfile']['error'])
) {
throw new RuntimeException('Invalid parameters.');
}
// Check $_FILES['upfile']['error'] value.
switch ($_FILES['upfile']['error']) {
case UPLOAD_ERR_OK:
break;
case UPLOAD_ERR_NO_FILE:
throw new RuntimeException('No file sent.');
case UPLOAD_ERR_INI_SIZE:
case UPLOAD_ERR_FORM_SIZE:
throw new RuntimeException('Exceeded filesize limit.');
default:
throw new RuntimeException('Unknown errors.');
}
// You should also check filesize here.
if ($_FILES['upfile']['size'] > 1000000) {
throw new RuntimeException('Exceeded filesize limit.');
}
// DO NOT TRUST $_FILES['upfile']['mime'] VALUE !!
// Check MIME Type by yourself.
$finfo = new finfo(FILEINFO_MIME_TYPE);
if (false === $ext = array_search(
$finfo->file($_FILES['upfile']['tmp_name']),
array(
'xml' => 'text/xml',
'txt' => 'text/plain',
),
true
)) {
throw new RuntimeException('Invalid file format.');
}
// You should name it uniquely.
// DO NOT USE $_FILES['upfile']['name'] WITHOUT ANY VALIDATION !!
// On this example, obtain safe unique name from its binary data.
if (!move_uploaded_file(
$_FILES['upfile']['tmp_name'],
sprintf('./uploads/%s.%s',
sha1_file($_FILES['upfile']['tmp_name']),
$ext
)
)) {
throw new RuntimeException('Failed to move uploaded file.');
}
echo 'File is uploaded successfully.';
} catch (RuntimeException $e) {
echo $e->getMessage();
}
?>
使用简单的 jpg 和 png 可以,但不能使用 xml。 我检查了 MIME 类型,它仍然无法正常工作
我在 Windows 到 运行 php
上使用 XAMPP感谢您的帮助。
对于 xml 个文件,似乎 $finfo->file() returns application/xml 而不是 text/xml。
将具有有效 MIME 类型的数组更改为:
array(
'xml' => 'application/xml',
'txt' => 'text/plain',
),
尝试使用以下代码。文件的扩展名在您的代码上得到了正确的处理。
如果 (!move_uploaded_file( $_FILES['upfile']['tmp_name'], 'uploads/'.basename($_FILES["upfile"]["name"] ) ))