Note that you probably do not want to rely on the file extension to determine the file type. For example, it is fairly easy for someone to upload an executable with a .png extension. A malicious client can just as easily forge the mime type so the file passes as an image. Relying on that information is a security risk.
PHP Documentation:
The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.
Try loading the images with gd (getimagesize()) to make sure they really are valid images (and not just random files pretending to have an image file header... finfo_file relies on those headers).
// Reject oversized uploads before touching the file contents.
if ($_FILES["imagefile"]["size"] >= 2120000) {
    echo "F2";
    die();
} else {
    // getimagesize() parses the actual image header; it returns FALSE for
    // anything it cannot read as an image. The @ suppresses notices on junk input.
    $imageData = @getimagesize($_FILES["imagefile"]["tmp_name"]);
    if ($imageData === FALSE || !($imageData[2] == IMAGETYPE_GIF || $imageData[2] == IMAGETYPE_JPEG || $imageData[2] == IMAGETYPE_PNG)) {
        echo "F2";
        die();
    }
}
If you really must use the extension to verify that the file is an image, use strtolower() to lower-case the extension first.
$filecheck = basename($_FILES['imagefile']['name']);
// pathinfo() yields '' when there is no dot, instead of a bogus substring.
$ext = strtolower(pathinfo($filecheck, PATHINFO_EXTENSION));
if (!(($ext == "jpg" || $ext == "gif" || $ext == "png") &&
      ($_FILES["imagefile"]["type"] == "image/jpeg" || $_FILES["imagefile"]["type"] == "image/gif" || $_FILES["imagefile"]["type"] == "image/png") &&
      ($_FILES["imagefile"]["size"] < 2120000))) {
    echo "F2";
    die();
}
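As an added example (not code from the original answer), the following pulls the two snippets above into one reusable routine: it ignores both the client-supplied extension and $_FILES[...]['type'], validates with getimagesize(), and then goes one step further than the answer by actually loading the file through GD and writing a freshly encoded copy under a server-chosen name, so only pixel data survives. It assumes PHP 7.1+ with the GD extension; the function names, the error-code strings F1..F4 and the self-test inputs are my own constructions.

```php
<?php
// Added example: content-based image upload validation plus GD re-encoding.
// Assumes PHP 7.1+ with GD. Names and error codes are illustrative.

const MAX_IMAGE_BYTES = 2120000;                  // same limit as the answer
const ALLOWED_TYPES   = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];

/**
 * Validate one $_FILES entry by its contents. Returns the detected
 * IMAGETYPE_* constant on success or a short error code string on failure.
 * $checkIsUploaded is only switched off by the self-test below, which feeds
 * locally created temp files instead of real uploads.
 */
function validate_image_upload(array $file, bool $checkIsUploaded = true)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'F1';                              // transport-level upload failure
    }
    if ($file['size'] >= MAX_IMAGE_BYTES) {
        return 'F2';                              // oversized
    }
    if ($checkIsUploaded && !is_uploaded_file($file['tmp_name'])) {
        return 'F3';                              // not a file this request uploaded
    }
    $info = @getimagesize($file['tmp_name']);     // parses the real image header
    if ($info === false || !in_array($info[2], ALLOWED_TYPES, true)) {
        return 'F4';                              // not a parseable GIF/JPEG/PNG
    }
    return $info[2];
}

/**
 * Store a validated upload: decode it with GD and write a fresh file whose
 * name is random and whose extension comes from the detected type, never
 * from the client's filename. Returns the stored path or null.
 */
function store_image_upload(array $file, string $destDir, bool $checkIsUploaded = true): ?string
{
    $type = validate_image_upload($file, $checkIsUploaded);
    if (!is_int($type)) {
        return null;
    }
    $im = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($im === false) {
        return null;                              // header looked fine, body did not decode
    }
    $writers = [IMAGETYPE_GIF => 'imagegif', IMAGETYPE_JPEG => 'imagejpeg', IMAGETYPE_PNG => 'imagepng'];
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16))
          . image_type_to_extension($type, true);
    $ok = $writers[$type]($im, $dest);
    imagedestroy($im);
    return $ok ? $dest : null;
}

/** Self-test with constructed inputs; no real HTTP upload is involved. */
function self_test(): array
{
    $tmp = sys_get_temp_dir();

    // 1. A genuine 4x4 PNG produced by GD, with a misleading client filename.
    $good = tempnam($tmp, 'img');
    $im = imagecreatetruecolor(4, 4);
    imagepng($im, $good);
    imagedestroy($im);
    $goodFile = ['name' => 'report.exe', 'type' => 'application/octet-stream',
                 'tmp_name' => $good, 'error' => UPLOAD_ERR_OK, 'size' => filesize($good)];

    // 2. A constructed file carrying only the PNG signature and the start of an
    //    IHDR chunk. Signature-based sniffing accepts it; getimagesize() cannot
    //    read a complete header and returns false.
    $fake = tempnam($tmp, 'img');
    file_put_contents($fake, "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR");
    $fakeFile = ['name' => 'photo.png', 'type' => 'image/png',
                 'tmp_name' => $fake, 'error' => UPLOAD_ERR_OK, 'size' => filesize($fake)];

    $results = [
        'real png validates'  => validate_image_upload($goodFile, false) === IMAGETYPE_PNG,
        'fake png rejected'   => validate_image_upload($fakeFile, false) === 'F4',
        'real png re-encoded' => ($stored = store_image_upload($goodFile, $tmp, false)) !== null
                                 && substr($stored, -4) === '.png',
    ];
    if (isset($stored)) { unlink($stored); }
    unlink($good);
    unlink($fake);
    return $results;                              // all three should be true
}

print_r(self_test());
```

The decisive checks are the two on the file body: getimagesize() for the cheap header parse, and imagecreatefromstring() followed by a fresh imagepng()/imagejpeg()/imagegif() so that whatever the client appended after or hid inside the image is discarded. The extension and mime type the browser sent are never consulted; the stored extension is derived with image_type_to_extension() from what GD actually decoded.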