In-depth analysis and understanding of PHP file upload principles

I will give you an in-depth introduction to the relevant principles of PHP file upload. Friends in need can refer to it.

Many PHP tutorials will introduce file upload. As we all know, PHP file upload is simple and efficient. Today I will analyze its principle for you.

//Use multipart/form-data encoding format $_FILES system function; $_FILES['myFile']['name']File name $_FILES['myFile']['type'] file type, restricted by the server image/** image/x-png application/x-zip-compressed $_FILES['myFile']['size']Upload file size $_FILES['myFile']['tmp_name'] saves the temporary file name after uploading the service $_FILES['myFile']['error'] error code; 0 Success 1 Exceeded php.ini size 2 Exceeded the value specified by the MAX_FILE_SIZE option 3Only partial upload 5Uploaded file size is 0

move_uploaded_file (temporary file, target location and file name); Function to move files to the target location after uploading is_uploaded_file(MIME);

Example of determining upload MIME type: 1. html part

<form enctyoe="multipart/form-data" method="post" name="upload">
<input name="upfile" name="name">
</form>

2. File upload code

<?php
if(is_uploaded_file($_FILES['myFile']['tmp_name'])){
$upfile = $_FILES['upload']；
$name = $upfile['name'];
$type = $upfile['type'];
$size = $upfile['size'];
$tmp_name = $upfile['tmp_name'];
$error = $upfile['error'];
switch($type){
case 'image/pjpeg' : $ok=1;
break
}
if($ok){
move_uploaded_file($tmp_name,'up/'.$name);
}else{
echo "不允许的文件类型";
}
}
?>

--------------------------------------------- The principle and implementation of PHP file upload 1. Form 1. The form for uploading files uses the post method (needless to say the difference from get); also add enctype='multipart/form-data'. 2. Generally, a hidden field should be added: , located in front of the file field. The value of value is the client byte limit for uploading files. It is said that it can reduce the waiting time of the client when the file exceeds the standard, but I don't think there is any difference. 3. For security reasons, value assignment is not allowed in the file field. Just enter a string in the file field and press submit, but nothing will happen. Submit must agree to "service" only when the second character is a colon (for example, a space followed by a colon can upload a "file" with a length of 0 bytes) - but this is a client-side measure, and it is easy to circumvent like MAX_FILE_SIZE. past.

Second, file upload error code Copy a paragraph first: The predefined variable $_FILES array has 5 contents: $_FILES['userfile']['name'] - the original name of the client machine file $_FILES['userfile']['type'] - MIME type of file $_FILES['userfile']['size']——The size of the uploaded file, in bytes $_FILES['userfile']['tmp_name']——The temporary file name stored on the server after the file is uploaded $_FILES['userfile']['error']——Error code related to the file upload

Among them, $_FILES['userfile']['error'] can have the following values ​​and meanings: 0 - No errors occurred and the file was uploaded successfully. 1 - The uploaded file exceeds the limit of the upload_max_filesize option in php.ini. 2 - The size of the uploaded file exceeds the value specified by the MAX_FILE_SIZE option in the HTML form. 3 - Only part of the file was uploaded. 4 - No files were uploaded. Needless to say 1~3. "No file was uploaded" (4) means that the file field of the form has no content and is an empty string. "File uploaded successfully" (0) does not necessarily mean that a file has actually been uploaded. For example, if you type "c:" in the file field, you can see "Upload successful" - the error code is 0, ['name'] is "c:", ['type'] is "application/octet-stream" , ['size'] is 0, ['tmp_name'] is "xxx.tmp" (xxx is the name given by the server) 3. File size limits and inspections Factors that limit the size of uploaded files include 1. The value of the client’s hidden field MAX_FILE_SIZE (can be bypassed). 2. Server-side upload_max_filesize, post_max_size and memory_limit. These items cannot be set using scripts. 3. Customize file size limit logic. Even if you can decide the server's limits yourself, there may be situations that require individual consideration. So this limiting method is often necessary. A situation I encountered may not be universal, let me explain. If the file is much larger than the server-side limit (upload_max_filesize), but has not reached or is close to post_max_size or memory_limit, $_FILES will "collapse" - the result is that $_FILES['userfile'] becomes "Undefined index", of course There is no test that can be done.

Server-side restriction checking takes precedence over client-side restriction checking. That is to say, if the two limits are the same and the file is too large, $_FILES['userfile']['error'] will issue error code 1. Only when the client limit is smaller than the server limit to a certain "degree" and the file size exceeds both, error code 2 will appear (could this be the reason why I feel that MAX_FILE_SIZE does not play the expected role?). The above "level" was tested on my machine between 3 and 4K - the server limit set on my machine is 2M... Because it doesn't make sense, there is no precise rule.

When error code 1 or 2 appears: $_FILES['userfile']['name'] is the original name of the client machine file $_FILES['userfile']['type'] is an empty string $_FILES['userfile']['size'] is 0 $_FILES['userfile']['tmp_name'] is an empty string

四，文件路径检验 file域无输入，错误代码为4（无文件上传） $_FILES['userfile']['name']为空字符串 $_FILES['userfile']['type']为空字符串 $_FILES['userfile']['size']为0 $_FILES['userfile']['tmp_name']为空字符串 file域是非文件路径的字符串（不考虑客户端的假“限制”了），错误代码是0（“上传成功”） $_FILES['userfile']['name']为原字符串 $_FILES['userfile']['type']为application/octet-stream $_FILES['userfile']['size']为0 $_FILES['userfile']['tmp_name']为一个暂时文件名

五，is_uploaded_file()的返回值 手册上面不很详细地说，用法是： bool is_uploaded_file( string filename) 实际上 is_uploaded_file($_FILES['userfile']['name']); 总是返回FALSE。后来看见别人是用： is_uploaded_file($_FILES['userfile']['tmp_name']);

比较一下： file域无输入——————返回FALSE——error=>4,name=>'', tmp_name=>'', type=>'', size=>0 file域为非路径字符串——返回 TRUE——error=>0,name=>'xxx',tmp_name=>'yyy',type=>'zzz',size=>0 文件上传成功——————返回 TRUE——error=>0,name=>'xxx',tmp_name=>'yyy',type=>'zzz',size=>sss 文件太大————————返回FALSE——error=>1,name=>'xxx',tmp_name=>'', type=>'', size=>0 文件太大————————返回FALSE——error=>2,name=>'xxx',tmp_name=>'', type=>'', size=>0 文件部分上传——————没机会试验 —error=>3

有点怀疑这个函数是怎么工作的，还是觉得用$_FILES['userfile']['size']检验好些。

六，检验顺序 if($_FILES['userfile']['error']!=4){//有文件上传 if($_FILES['userfile']['error']!=3){//全部上传了 if($_FILES['userfile']['error']!=1){//不超过服务器端文件大小限制 if($_FILES['userfile']['error']!=2){//不超过客户端文件大小限制 if($_FILES['userfile']['size']>0){//确实是文件 if(......){//自定义文件大小检验逻辑 if(......){//自定义文件类型检验逻辑 if(move_uploaded_file($_FILES['userfile']['tmp_name'],...))//移动文件 //.......... } else give_a_message(...); } else give_a_message(...); } else give_a_message(...); } else give_a_message(...); } else give_a_message(...); } else give_a_message(...); } else give_a_message(...); } 附代码: ------------------------------ 1）、test.php:

<html>
<body>
 <form enctype="multipart/form-data" action="upload.php" method="POST">
     <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
     Send this file: <input name="userfile" type="file" accept="image/x-png,image/gif,image/jpeg"/>
     <input type="submit" value="Send File" />
 </form>
</body>
</html>

2）、upload.php

<html>
<body>
 <?php
  $uploaddir = 'images/';
  $uploadfile = $uploaddir. $_FILES['userfile']['name'];
  print "<pre class="brush:php;toolbar:false">";
  if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
     print "File is valid, and was successfully uploaded.  Here's some more debugging info:\n";
     print_r($_FILES);
  } else {
     print "Possible file upload attack!  Here's some debugging info:\n";
     print_r($_FILES);
  }
  print "

"; ?>