Basically this is for a simple site where admin only will upload pictures, how do i safeguard image upload here ?
$uploaddir = "./images/";
开发者_JAVA百科 $uploadfile = $uploaddir . $_FILES["imgfile"]["name"];
move_uploaded_file($_FILES["imgfile"]["tmp_name"], $uploadfile) ;
$sql = "INSERT INTO entries(cat_id, dateposted, subject,image,youtube,page, body)
VALUES(
'" .is_int($_POST['cat']) . "'
, mysql_real_escape_string(NOW())
,'" . mysql_real_escape_string($_POST['subject']) . "'
,'" . mysql_real_escape_string($_FILES['imgfile']['name'])."'
,'" . mysql_real_escape_string($_POST['youtube']) . "'
,'" . mysql_real_escape_string($_POST['page']) . "'
,'" . mysql_real_escape_string($_POST['body']) . "'
);";
mysql_query($sql) or die(mysql_error());
- Your forgot make chmod at uploaded (moved) file (chmod -x !)
- Your need rename uploaded file, i prefer [a-z\d-_.] + timestamp()
- Your need check if file size is lower than maximum, allowed
- Need check against allowed extension list $est in_array($config_fileupload_allowed)
- this list is longer :) i check also content of files, i.e jpeg against signature, txt against symbols, so on.
This one code allow upload test.php file with something like
<?
`rm -rf /`;
?>
inside ...
PS.
mysql_real_escape_string(NOW())
this is extra, just use now(), why need escape it ...
,Arsen
精彩评论