使用 PHP 验证头像图像
Validating avatar images with PHP
我在 MySQL 数据库中有一列称为 mediumblob 类型的照片,它可以是 NULL。
这应该是显示在 Web 应用程序右上角的一张员工小照片。
新员工通过表单插入 MySQL 数据库。
<form action="insert" method="post" enctype="multipart/form-data">
...
<label for="photo">Photo</label>
<input type="file" name="photo">
...
</form>
照片将按如下方式验证:
可以卸载(表格中不会提供照片)
否则如果提供一些照片
应该是图片类型
图像大小应适合此用途
图片的尺寸应该适合这个目的
这是到目前为止我的验证代码的概要。
我已经创建了一些验证条件(1 和 2)。那些可以吗?
并且不知道如何创造条件3和4。
$file = $_FILES['photo']['tmp_name']
if (!isset($file))
{
$image = ""; // 1), empty string will be inserted into the database
}
else {
$image = addslashes(file_get_contents($_FILES['photo']['tmp_name']));
$image_size = getimagesize($_FILES['photo']['tmp_name']);
if ($image_size == FALSE) {
// 2) not an image file
// display the form again with error message
}
// checking 3)
// checking 4)
}
第 1 点使用 Best way to determine if a file is empty (php)?
第二点根本不完整(不安全):
例如。添加扩展检查:PHP check file extension
关于第 2 点的更多安全提示:http://nullcandy.com/php-image-upload-security-how-not-to-do-it/
第3点和第4点可以用getimagesize()和filesize()
覆盖
Get image dimensions
http://php.net/manual/en/function.filesize.php
For condition 3 u can use:
$filesize = filesize($filename);
u get size of the file in bytes.
For condition 4 u can use:
list($width, $height) = getimagesize($_FILES['photo']['tmp_name']);
where $width and $height is the dimension of image.
您的代码没问题,您只需添加以下几行即可满足您的所有要求:
$image="";
if (isset($_FILES["photo"]) && $_FILES["photo"]["error"] < 1){
$file = $_FILES['photo']['tmp_name'];
$imageInfo = getimagesize($file);
if(is_array($imageInfo)){
if($imageInfo[0]>30 && $imageInfo[0]<257 && $imageInfo[1]>30 && $imageInfo[1]<257){
//$imageInfo[0] is width and $imageInfo[1] is height, you can set limit according to your need. I set it to MIN: 31*31 AND MAX 256*256
// if you want square image then add " && $imageInfo[0]=$imageInfo[1]" in above-if-clause
$imageSize=filesize($file); //returns bytes in integer
if($imageSize> 250 && $imageSize<20481) // image size should be less then 20kb
$image = addslashes(file_get_contents($file));
else echo "Image file should not grater then 20 KB.";
}
else echo "Image dimension(width*height) should be 31*31 to 256*256.";
}
else echo "Wrong file. Upload a Image file.";
}
else echo "No file uploaded or Error in file uploaded.";
if(trim($image)==""){
//display form again
}
以下是打包到代码中的一些有用提示:
$upload_error = isset( $_FILES['photo']['error'] ) ? $_FILES['photo']['error'] : UPLOAD_ERR_NO_FILE;
if ($upload_error == UPLOAD_ERR_NO_FILE) {
// 1) No file uploaded
$image = null; // I changed the empty string into a null, to avoid the mediumblob allocating space for the empty string
} elseif ($upload_error) {
// 5) You forgot to check if the file upload failed
switch ($upload_error) {
case UPLOAD_ERR_INI_SIZE:
case UPLOAD_ERR_FORM_SIZE:
$message = "file_too_big";
break;
case UPLOAD_ERR_PARTIAL:
$message = "upload_not_complete";
break;
case UPLOAD_ERR_EXTENSION:
$message = "bad_file_extension";
break;
case UPLOAD_ERR_NO_TMP_DIR:
case UPLOAD_ERR_CANT_WRITE:
$message = "internal_upload_error";
break;
default:
$message = "unknown_upload_error";
break;
}
header("Location: form.php?error=$message"); // Load form again and show error
exit;
} else {
$file = $_FILES['photo']['tmp_name'];
$file_size = $_FILES['photo']['size'];
if ($file_size > 5242880) { // 5 Megabyte for example, but always less than 16 Megabytes, because you use mediumblob
// 3) The image size is not suitable for this purpose
header("Location: form.php?error=file_too_big"); // Load form again and show error
exit;
}
$image_size = getimagesize($file);
if ($image_size) {
$width = $image_size[0];
$height = $image_size[1];
if ($width < 100 || $width > 1000 || $height < 100 || $height > 1000) {
// 4) Image dimensions are not suitable. Width/height are not between 100 and 1000 pixels
header("Location: form.php?error=dimensions_not_ok"); // Load form again and show error
exit;
}
} else {
// 2) Not an image type
header("Location: form.php?error=not_an_image"); // Load form again and show error
exit;
}
$image = file_get_contents($file);
}
// now escape $image and save it to the database
// But I suggest you not use addslashes() to escape binary data
// Use parameterized queries / mysqli_real_escape_string() / mysql_real_escape_string() instead
$userfile_name = $_FILES['image']['name'];
$userfile_tmp = $_FILES['image']['tmp_name'];
$userfile_size = $_FILES['image']['size'];
$filename = basename($_FILES['image']['name']);
$allowedExts = array("gif", "jpeg", "jpg", "png");
$extension = end(explode(".", $_FILES["image"]["name"]));
if(($userfile_size / 1024) < 4096){
if (isset($_FILES['image']['name']) && !empty($_FILES["image"]) && ($_FILES['image'] ['error'] == 0) && ($userfile_size / 1024 < 4096 ) && (($_FILES["image"]["type"] == "image/gif")
|| ($_FILES["image"]["type"] == "image/jpeg")
|| ($_FILES["image"]["type"] == "image/jpg")
|| ($_FILES["image"]["type"] == "image/pjpeg")
|| ($_FILES["image"]["type"] == "image/x-png")
|| ($_FILES["image"]["type"] == "image/png")) && in_array($extension, $allowedExts)) {
//Everything is ok, so we can upload the image.
}else{
echo "Error in file Upload";
}
}else{
echo 'Oops! Your file\'s size is to large.';
}
对于第 4 点,您需要在实际上传发生之前在客户端执行一些操作。
使用(服务器端)php 只有在文件上传后才能检查尺寸
您可以使用以下 PHP 库:
https://github.com/codeguy/Upload
我在 MySQL 数据库中有一列称为 mediumblob 类型的照片,它可以是 NULL。
这应该是显示在 Web 应用程序右上角的一张员工小照片。
新员工通过表单插入 MySQL 数据库。
<form action="insert" method="post" enctype="multipart/form-data">
...
<label for="photo">Photo</label>
<input type="file" name="photo">
...
</form>
照片将按如下方式验证:
可以卸载(表格中不会提供照片)
否则如果提供一些照片
应该是图片类型
图像大小应适合此用途
图片的尺寸应该适合这个目的
这是到目前为止我的验证代码的概要。 我已经创建了一些验证条件(1 和 2)。那些可以吗? 并且不知道如何创造条件3和4。
$file = $_FILES['photo']['tmp_name']
if (!isset($file))
{
$image = ""; // 1), empty string will be inserted into the database
}
else {
$image = addslashes(file_get_contents($_FILES['photo']['tmp_name']));
$image_size = getimagesize($_FILES['photo']['tmp_name']);
if ($image_size == FALSE) {
// 2) not an image file
// display the form again with error message
}
// checking 3)
// checking 4)
}
第 1 点使用 Best way to determine if a file is empty (php)?
第二点根本不完整(不安全):
例如。添加扩展检查:PHP check file extension
关于第 2 点的更多安全提示:http://nullcandy.com/php-image-upload-security-how-not-to-do-it/
第3点和第4点可以用getimagesize()和filesize()
覆盖
Get image dimensions
http://php.net/manual/en/function.filesize.php
For condition 3 u can use:
$filesize = filesize($filename); u get size of the file in bytes. For condition 4 u can use: list($width, $height) = getimagesize($_FILES['photo']['tmp_name']); where $width and $height is the dimension of image.
您的代码没问题,您只需添加以下几行即可满足您的所有要求:
$image="";
if (isset($_FILES["photo"]) && $_FILES["photo"]["error"] < 1){
$file = $_FILES['photo']['tmp_name'];
$imageInfo = getimagesize($file);
if(is_array($imageInfo)){
if($imageInfo[0]>30 && $imageInfo[0]<257 && $imageInfo[1]>30 && $imageInfo[1]<257){
//$imageInfo[0] is width and $imageInfo[1] is height, you can set limit according to your need. I set it to MIN: 31*31 AND MAX 256*256
// if you want square image then add " && $imageInfo[0]=$imageInfo[1]" in above-if-clause
$imageSize=filesize($file); //returns bytes in integer
if($imageSize> 250 && $imageSize<20481) // image size should be less then 20kb
$image = addslashes(file_get_contents($file));
else echo "Image file should not grater then 20 KB.";
}
else echo "Image dimension(width*height) should be 31*31 to 256*256.";
}
else echo "Wrong file. Upload a Image file.";
}
else echo "No file uploaded or Error in file uploaded.";
if(trim($image)==""){
//display form again
}
以下是打包到代码中的一些有用提示:
$upload_error = isset( $_FILES['photo']['error'] ) ? $_FILES['photo']['error'] : UPLOAD_ERR_NO_FILE;
if ($upload_error == UPLOAD_ERR_NO_FILE) {
// 1) No file uploaded
$image = null; // I changed the empty string into a null, to avoid the mediumblob allocating space for the empty string
} elseif ($upload_error) {
// 5) You forgot to check if the file upload failed
switch ($upload_error) {
case UPLOAD_ERR_INI_SIZE:
case UPLOAD_ERR_FORM_SIZE:
$message = "file_too_big";
break;
case UPLOAD_ERR_PARTIAL:
$message = "upload_not_complete";
break;
case UPLOAD_ERR_EXTENSION:
$message = "bad_file_extension";
break;
case UPLOAD_ERR_NO_TMP_DIR:
case UPLOAD_ERR_CANT_WRITE:
$message = "internal_upload_error";
break;
default:
$message = "unknown_upload_error";
break;
}
header("Location: form.php?error=$message"); // Load form again and show error
exit;
} else {
$file = $_FILES['photo']['tmp_name'];
$file_size = $_FILES['photo']['size'];
if ($file_size > 5242880) { // 5 Megabyte for example, but always less than 16 Megabytes, because you use mediumblob
// 3) The image size is not suitable for this purpose
header("Location: form.php?error=file_too_big"); // Load form again and show error
exit;
}
$image_size = getimagesize($file);
if ($image_size) {
$width = $image_size[0];
$height = $image_size[1];
if ($width < 100 || $width > 1000 || $height < 100 || $height > 1000) {
// 4) Image dimensions are not suitable. Width/height are not between 100 and 1000 pixels
header("Location: form.php?error=dimensions_not_ok"); // Load form again and show error
exit;
}
} else {
// 2) Not an image type
header("Location: form.php?error=not_an_image"); // Load form again and show error
exit;
}
$image = file_get_contents($file);
}
// now escape $image and save it to the database
// But I suggest you not use addslashes() to escape binary data
// Use parameterized queries / mysqli_real_escape_string() / mysql_real_escape_string() instead
$userfile_name = $_FILES['image']['name'];
$userfile_tmp = $_FILES['image']['tmp_name'];
$userfile_size = $_FILES['image']['size'];
$filename = basename($_FILES['image']['name']);
$allowedExts = array("gif", "jpeg", "jpg", "png");
$extension = end(explode(".", $_FILES["image"]["name"]));
if(($userfile_size / 1024) < 4096){
if (isset($_FILES['image']['name']) && !empty($_FILES["image"]) && ($_FILES['image'] ['error'] == 0) && ($userfile_size / 1024 < 4096 ) && (($_FILES["image"]["type"] == "image/gif")
|| ($_FILES["image"]["type"] == "image/jpeg")
|| ($_FILES["image"]["type"] == "image/jpg")
|| ($_FILES["image"]["type"] == "image/pjpeg")
|| ($_FILES["image"]["type"] == "image/x-png")
|| ($_FILES["image"]["type"] == "image/png")) && in_array($extension, $allowedExts)) {
//Everything is ok, so we can upload the image.
}else{
echo "Error in file Upload";
}
}else{
echo 'Oops! Your file\'s size is to large.';
}
对于第 4 点,您需要在实际上传发生之前在客户端执行一些操作。 使用(服务器端)php 只有在文件上传后才能检查尺寸
您可以使用以下 PHP 库: https://github.com/codeguy/Upload