$type = $_FILES[$filename]['type'];
if ($type != "image/jpeg" && $type != "image/jpg" && $type != "image/gif" && $type != "image/png") {
$r['error'] = "error: '只允许上传jpg、jpeg、gif、png类型的图片文件!'";
return $r;
}
+ $tmp = pathinfo($_FILES[$filename]['name']);
+ if(!in_array($tmp["extension"],["jpg","jpeg","gif","png"])){
+ $r['error'] = "error: '只允许上传jpg、jpeg、gif、png类型的图片文件!'";
+ return $r;
+ }
也可更细致判断,是否为真实的图片,可以用exif_imagetype辅助。
不过上面的代码在增加下面代码之前,如果用户伪造请求头里面的type,就可以非常轻松的上传html文件。$type = $_FILES[$fileElementName]['type'];
$file = $_FILES[$fileElementName]['tmp_name'];
$suffix = explode('/', $type)[1];
$name = sha1_file($file) . '.' . $suffix;