







这里有很大一部分,但还不是全部。 (如果你知道更多的东西可以帮助上传更安全,请分享。)


  • 主要PHP:

     函数uploadFile($ file_field = null,$ check_image = false,$ random_name = false){

    $ path ='uploads /'; //以结尾斜线
    $ max_size = 1000000;
    $ whitelist_ext = array('jpeg','jpg','png','gif');
    $ whitelist_type = array('image / jpeg','image / jpg','image / png','image / gif');

    $ out = array('error'=> null);
    $ b $ if(!$ file_field){
    $ out ['error'] [] =请指定一个有效的表单字段名称;

    $ b $ if(!$ path){
    $ out ['error'] [] =请指定一个有效的上传路径;

    if(count($ out ['error'])> 0){
    return $ out; ($!$($ _FILES [$ file_field]))&&($ _FILES [$ file_field($ file_field)$

    ] ['error'] == 0)){

    $ file_info = pathinfo($ _ FILES [$ file_field] ['name']);
    $ name = $ file_info ['filename'];
    $ ext = $ file_info ['extension'];
    $ b $ //检查文件是否有正确的扩展名
    if(!in_array($ ext,$ whitelist_ext)){
    $ out ['error'] [] =无效的文件延期;

    if(!in_array($ _ FILES [$ file_field] [type],$ whitelist_type)){
    $ out ['error'] [] =文件类型无效;

    if($ _FILES [$ file_field] [size]> $ max_size){
    $ out ['error'] [] =文件太大;

    $ b $ //如果$ check image设置为true
    if($ check_image){
    if(!getimagesize($ _ FILES [$ file_field] [' tmp_name'])){
    $ out ['error'] [] =上传的文件不是有效的图片;

    $ b //创建完整的文件名,包括路径
    if($ random_name){
    $ tmp = str_replace(array('。',''),array('',''),microtime());

    if(!$ tmp || $ tmp ==''){
    $ out ['error'] [] =文件必须有名字;
    $ newname = $ tmp。'。'。$ ext;
    } else {
    $ newname = $ name。'。'。$ ext;

    if(file_exists($ path。$ newname)){
    $ out ['error'] [ ] =具有此名称的文件已经存在;

    if(count($ out ['error'])> 0){
    return $ out;

    if(move_uploaded_file($ _ FILES [$ file_field] ['tmp_name'],$ path。$ newname)){
    // Success
    $ out ['filepath'] = $ path;
    $ out ['filename'] = $ newname;
    返回$ out;
    } else {
    $ out ['error'] [] =Server Error!;

    } else {
    $ out ['error'] [] =没有文件上传;
    返回$ out;

    $ b if(isset($ _ POST ['submit'])){
    $ file = uploadFile('file',true ,真);
    if(is_array($ file ['error'])){
    $ message ='';
    foreach($ file ['error'] as $ msg){
    $ message。='< p>。$ msg。'< / p>';
    } else {
    $ message =文件上传成功$ newname;
    echo $ message;

    $ / code $ / pre
    $ li $ b $ b

     < form action =<?php echo $ _SERVER ['PHP_SELF'];?> method =postenctype =multipart / form-dataname =form1id =form1> 
    < input name =filetype =fileid =imagee/>
    < input name =submittype =submitvalue =Upload/>
    < / form>

  • 通过张贴代码片段,这将帮助我(和其他人)使这个图像上传脚本,使超级安全。
    或者通过共享/创建一个包含所有代码片段的完整脚本。 当你开始一个安全图片上传脚本,有很多事情要考虑。现在我不是靠近这方面的专家,但我曾经被要求过去发展一次。我要走过我在这里经历的整个过程,所以你可以跟随。为此,我将从一个非常基本的html表单和php脚本开始处理这些文件。


     < form name =uploadaction =upload.phpmethod =POSTenctype =multipart / form-data> 
    选择要上传的图片:< input type =filename =image>
    < input type =submitname =uploadvalue =upload>
    < / form>


    $ uploaddir ='uploads /';

    $ uploadfile = $ uploaddir。基名($ _ FILES [图像] [名称]);
    $ b $ if(move_uploaded_file($ _ FILES ['image'] ['tmp_name'],$ uploadfile)){
    echoImage succeededfully uploaded。;
    } else {


    攻击者不必使用您的网站上的表格上传文件到您的服务器。 POST请求可以通过多种方式截获。考虑浏览器插件,代理,Perl脚本。不管我们多努力,我们都无法阻止攻击者尝试上传他不应该的东西。所以我们所有的安全性都必须在服务器端完成。

    第一个问题是文件类型。在上面的脚本中,攻击者可以上传他想要的任何东西,比如php脚本,然后直接执行。因此,为了防止这种情况,我们实施了 Content-type验证

    if($ _ FILES ['image'] ['type']!=image / png){

    $ uploaddir ='uploads /';

    $ uploadfile = $ uploaddir。基名($ _ FILES [图像] [名称]);
    $ b $ if(move_uploaded_file($ _ FILES ['image'] ['tmp_name'],$ uploadfile)){
    echoImage succeededfully uploaded。;
    } else {

    不幸的是这还不够。正如我之前提到的,攻击者完全可以控制请求。没有什么会阻止他/她修改请求标题,只是将内容类型改为image / png。因此,不要只依赖Content-type头,最好还要验证上传文件的内容。这里是PHP GD库方便的地方。使用 getimagesize(),我们将用GD库处理图像。如果它不是一个图像,这将失败,因此,整个上传将失败:

    pre $ <?php
    $ verifyimg = getimagesize($ _ FILES ['image'] ['tmp_name']);
    $ b $ if($ verifyimg ['mime']!='image / png'){

    $ uploaddir ='uploads /';

    $ uploadfile = $ uploaddir。基名($ _ FILES [图像] [名称]);
    $ b $ if(move_uploaded_file($ _ FILES ['image'] ['tmp_name'],$ uploadfile)){
    echoImage succeededfully uploaded。;
    } else {

    尽管如此,大多数图像文件类型允许将文本注释添加到它们。同样,没有什么能够阻止攻击者添加一些php代码作为评论。 GD图书馆将评估这是一个完全有效的图像。 PHP解释器会完全忽略图像,并在注释中运行php代码。这是真的,这取决于PHP配置哪些文件扩展名由php解释器处理,哪些不是,但由于有许多开发人员由于使用VPS而无法控制此配置,所以我们不能假定PHP解释器不会处理图像。这就是为什么添加一个文件扩展名白名单也不够安全。





    $ uploaddir ='uploads /';
    $ name = $ _GET ['name']; //假设文件名在这个例子的URL中
    readfile($ uploaddir。$ name);



    pre $ code $<?php
    if(isset($ _ COOKIE [ 'lang'])){
    $ lang = $ _COOKIE ['lang'];
    } elseif(isset($ _ GET ['lang'])){
    $ lang = $ _GET ['lang'];
    } else {
    $ lang ='english';

    include(language / $ lang.php);


    www.example.com/index.php?lang = .. / uploads / my_evil_image.jpg p>



    `name` VARCHAR(64)NOT NULL,
    `original_name` VARCHAR(64)NOT NULL,
    ` mime_type` VARCHAR(20)NOT NULL,
    PRIMARY KEY(`id`)


    if(!empty($ _ POST ['upload'])&&!empty($ _ FILES ['image'])&& amp ; $ _FILES ['image'] ['error'] == 0)){

    $ uploaddir ='uploads /';
    $ b $ *生成随机文件名和扩展名* /
    函数tempnam_sfx($ path,$ suffix){
    do {
    $ file = $ path。/ 。.mt_rand()$后缀;
    $ fp = @fopen($ file,'x');
    while(!$ fp);

    fclose($ fp);

    $ b / *带GD库的过程映像* /
    $ verifyimg = getimagesize($ _ FILES ['image'] ['tmp_name']);
    $ b $ *确保MIME类型是图片* /
    $ pattern =#^(image /)[^ \\\\\\\\\\\\\\\\\\\\\'
    $ b $ if(!preg_match($ pattern,$ verifyimg ['mime']){
    die(Only image files are allowed!);

    / *重命名图像和扩展名* /
    $ uploadfile = tempnam_sfx($ uploaddir,.tmp);

    / *将文件上传到安全目录使用新名称和扩展名* /
    if(move_uploaded_file($ _ FILES ['image'] ['tmp_name'],$ uploadfile)){

    / *使用PDO设置数据库连接* /
    $ dbhost =localhost;
    $ dbuser =;
    $ dbpass =;
    $ dbname =;

    $ dsn ='mysql:host ='。$ dbhost。'; dbname ='。$ dbname;

    $ options = array(
    PDO :: ATTR_PERSISTENT => true,

    try {
    $ db =新的PDO($ dsn,$ dbuser,$ dbpass,$ options);
    catch(PDOException $ e){
    die(Error !:)。 $ E->的getMessage());
    $ *
    $ * / *设置查询* /
    $ b $ *准备查询* /
    $ db-> prepare($ query);
    $ b / *绑定参数* /
    $ db-> bindParam(':name',basename($ uploadfile));
    $ db-> bindParam(':oriname',basename($ _ FILES ['image'] ['name']));
    $ db-> bindParam(':mime',$ _FILES ['image'] ['type']);
    $ b $ *执行查询* /
    $ db-> execute();

    catch(PDOException $ e){
    unlink($ uploadfile);

    die(Error !:。$ e-> getMessage());
    } else {
    die(Image Upload failed!);



  • 我们已经使用GD库处理图像

  • 我们检查了图片的MIME类型

  • 我们重命名了文件名并更改了扩展名

  • 新的和原始的文件名在我们的数据库中

  • 我们也保存了我们的数据库中的MIME类型


    $我们只需使用数据库的id列uploaddir ='上传/';
    $ id = 1;

    设置与PDO的数据库连接* /
    $ dbhost =localhost;
    $ dbuser =;
    $ dbpass =;
    $ dbname =;

    $ dsn ='mysql:host ='。$ dbhost。'; dbname ='。$ dbname;

    $ options = array(
    PDO :: ATTR_PERSISTENT => true,

    $ db =新的PDO($ dsn,$ dbuser,$ dbpass,$ options);

    catch(PDOException $ e){
    die(Error !:。$ e-> getMessage());

    $ b / *设置查询* /
    $ query ='SELECT name,original_name,mime_type FROM uploads WHERE id =:id';
    $ b $ *准备查询* /
    $ db-> prepare($ query);
    $ b $ *绑定参数* /
    $ db-> bindParam(':id',$ id);
    $ b $ *执行查询* /
    $ db-> execute();
    $ result = $ db-> fetch(PDO :: FETCH_ASSOC);

    catch(PDOException $ e){
    die(Error !:。$ e-> getMessage());

    / *获取原始文件名* /
    $ newfile = $ result ['original_name'];
    $ b $ *发送头文件到访问者* /
    头('Content-Description:File Transfer');
    header('Content-Disposition:attachment; filename ='。basename($ newfile));
    header('Content-Length:'。filesize($ uploaddir。$ result ['name']));
    header(Content-Type:。$ result ['mime_type']);
    readfile($ uploaddir。$ result ['name']);

    感谢这个脚本,访问者可以查看图像或者下载它的原始文件名。但是,他不能直接访问服务器上的文件,也不能欺骗你的服务器访问他/她的文件,因为他无法知道它是哪个文件。 (S)他不能强迫你的上传目录,因为它只是不允许任何人访问目录,除了服务器本身。



    ImageUpload Class




    I don't know if this going to happen, but I will try it.

    For past hour I did research on image upload safety. I learned that there a lot of functions to test the upload.

    In my project, I need to be safe with images uploaded. There also may be a really big amount of it and it may require a lot of bandwidth, so buying an API is not an option.

    So I decided to get a full PHP script for REALLY secure image upload. I also think it will help for many of people out there, because it's impossible to find really secure one. But I am not expert in php, so it's really headache for me to add some functions, so I will ask for this community help to create one full script of REALLY secure image upload.

    Really great topics about that are here (however, they are just telling what is needed to do the trick, but not how to do this, and as I said I am not a master on PHP, so I am not able to do this all by myself):PHP image upload security check listhttps://security.stackexchange.com/questions/32852/risks-of-a-php-image-upload-form

    In summary, they are telling that this is what is needed for security image upload (I will quote from the above pages):

    Here's a big part of it, but still that's not all. (If you know something more which could help to make the upload even safier, please share.)


    • Main PHP:

      function uploadFile ($file_field = null, $check_image = false, $random_name = false) {
      //Config Section
      //Set file upload path
      $path = 'uploads/'; //with trailing slash
      //Set max file size in bytes
      $max_size = 1000000;
      //Set default file extension whitelist
      $whitelist_ext = array('jpeg','jpg','png','gif');
      //Set default file type whitelist
      $whitelist_type = array('image/jpeg', 'image/jpg', 'image/png','image/gif');
      //The Validation
      // Create an array to hold any output
      $out = array('error'=>null);
      if (!$file_field) {
        $out['error'][] = "Please specify a valid form field name";
      if (!$path) {
        $out['error'][] = "Please specify a valid upload path";
      if (count($out['error'])>0) {
        return $out;
      //Make sure that there is a file
      if((!empty($_FILES[$file_field])) && ($_FILES[$file_field]['error'] == 0)) {
      // Get filename
      $file_info = pathinfo($_FILES[$file_field]['name']);
      $name = $file_info['filename'];
      $ext = $file_info['extension'];
      //Check file has the right extension
      if (!in_array($ext, $whitelist_ext)) {
        $out['error'][] = "Invalid file Extension";
      //Check that the file is of the right type
      if (!in_array($_FILES[$file_field]["type"], $whitelist_type)) {
        $out['error'][] = "Invalid file Type";
      //Check that the file is not too big
      if ($_FILES[$file_field]["size"] > $max_size) {
        $out['error'][] = "File is too big";
      //If $check image is set as true
      if ($check_image) {
        if (!getimagesize($_FILES[$file_field]['tmp_name'])) {
          $out['error'][] = "Uploaded file is not a valid image";
      //Create full filename including path
      if ($random_name) {
        // Generate random filename
        $tmp = str_replace(array('.',' '), array('',''), microtime());
        if (!$tmp || $tmp == '') {
          $out['error'][] = "File must have a name";
        $newname = $tmp.'.'.$ext;
      } else {
          $newname = $name.'.'.$ext;
      //Check if file already exists on server
      if (file_exists($path.$newname)) {
        $out['error'][] = "A file with this name already exists";
      if (count($out['error'])>0) {
        //The file has not correctly validated
        return $out;
      if (move_uploaded_file($_FILES[$file_field]['tmp_name'], $path.$newname)) {
        $out['filepath'] = $path;
        $out['filename'] = $newname;
        return $out;
      } else {
        $out['error'][] = "Server Error!";
       } else {
        $out['error'][] = "No file uploaded";
        return $out;
      if (isset($_POST['submit'])) {
       $file = uploadFile('file', true, true);
       if (is_array($file['error'])) {
        $message = '';
        foreach ($file['error'] as $msg) {
        $message .= '<p>'.$msg.'</p>';
      } else {
       $message = "File uploaded successfully".$newname;
       echo $message;

    • And the form:

      <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" enctype="multipart/form-data" name="form1" id="form1">
      <input name="file" type="file" id="imagee" />
      <input name="submit" type="submit" value="Upload" />

    So, what I am asking is to help by posting snippets of codes which will help me (and everyone else) to make this Image Upload Script to make super secure.Or by sharing/creating a full script with all the snippets added.


    When you start working on a secure image upload script, there are many things to considder. Now I'm no where near an expert on this, but I've been asked to develop this once in the past. I'm gonna walk through the entire process I've been through here so you can follow along. For this I'm gonna start with a very basic html form and php script that handles the files.

    HTML form:

    <form name="upload" action="upload.php" method="POST" enctype="multipart/form-data">
        Select image to upload: <input type="file" name="image">
        <input type="submit" name="upload" value="upload">

    PHP file:

    $uploaddir = 'uploads/';
    $uploadfile = $uploaddir . basename($_FILES['image']['name']);
    if (move_uploaded_file($_FILES['image']['tmp_name'], $uploadfile)) {
        echo "Image succesfully uploaded.";
    } else {
        echo "Image uploading failed.";

    First problem: File types
    Attackers don't have to use the form on your website to upload files to your server. POST requests can be intercepted in a number of ways. Think about browser addons, proxies, Perl scripts. No matter how hard we try, we can't prevent an attacker from trying to upload something (s)he isn't supposed to. So all of our security has to be done serverside.

    The first problem is file types. In the script above an attacker could upload anything (s)he wants, like a php script for example, and follow a direct link to execute it. So to prevent this, we implement Content-type verification:

    if($_FILES['image']['type'] != "image/png") {
        echo "Only PNG images are allowed!";
    $uploaddir = 'uploads/';
    $uploadfile = $uploaddir . basename($_FILES['image']['name']);
    if (move_uploaded_file($_FILES['image']['tmp_name'], $uploadfile)) {
        echo "Image succesfully uploaded.";
    } else {
        echo "Image uploading failed.";

    Unfortunetely this isn't enough. As I mentioned before, the attacker has full control over the request. Nothing will prevent him/her from modifying the request headers and simply change the Content type to "image/png". So instead of just relying on the Content-type header, it would be better to also validate the content of the uploaded file. Here's where the php GD library comes in handy. Using getimagesize(), we'll be processing the image with the GD library. If it isn't an image, this will fail and therefor the entire upload will fail:

    $verifyimg = getimagesize($_FILES['image']['tmp_name']);
    if($verifyimg['mime'] != 'image/png') {
        echo "Only PNG images are allowed!";
    $uploaddir = 'uploads/';
    $uploadfile = $uploaddir . basename($_FILES['image']['name']);
    if (move_uploaded_file($_FILES['image']['tmp_name'], $uploadfile)) {
        echo "Image succesfully uploaded.";
    } else {
        echo "Image uploading failed.";

    We're still not there yet though. Most image file types allow text comments added to them. Again, nothing prevents the attacker from adding some php code as a comment. The GD library will evaluate this as a perfectly valid image. The PHP interpreter would completely ignore the image and run the php code in the comment. It's true that it depends on the php configuration which file extensions are processed by the php interpreter and which not, but since there are many developers out there that have no control over this configuration due to the use of a VPS, we can't assume the php interpreter won't process the image. This is why adding a file extension white list isn't safe enough either.

    The solution to this would be to store the images in a location where an attacker can't access the file directly. This could be outside of the document root or in a directory protected by a .htaccess file:

    order deny,allow
    deny from all
    allow from

    Edit: After talking with some other PHP programmers, I highly suggest using a folder outside of the document root, because htaccess isn't always reliable.

    We still need the user or any other visitor to be able to view the image though. So we'll use php to retrieve the image for them:

    $uploaddir = 'uploads/';
    $name = $_GET['name']; // Assuming the file name is in the URL for this example

    Second problem: Local file inclusion attacks
    Although our script is reasonably secure by now, we can't assume the server doesn't suffer from other vulnerabilities. A common security vulnerability is known as Local file inclusion. To explain this I need to add an example code:

    if(isset($_COOKIE['lang'])) {
       $lang = $_COOKIE['lang'];
    } elseif (isset($_GET['lang'])) {
       $lang = $_GET['lang'];
    } else {
       $lang = 'english';

    In this example we're talking about a multi language website. The sites language is not something considdered to be "high risk" information. We try to get the visitors prefered language through a cookie or a GET request and include the required file based on it. Now considder what will happen when the attacker enters the following url:


    PHP will include the file uploaded by the attacker bypassing the fact that (s)he can't access the file directly and we're back at square one.

    The solution to this problem is to make sure the user doesn't know the filename on the server. Instead, we'll change the file name and even the extension using a database to keep track of it:

    CREATE TABLE `uploads` (
        `name` VARCHAR(64) NOT NULL,
        `original_name` VARCHAR(64) NOT NULL,
        `mime_type` VARCHAR(20) NOT NULL,
        PRIMARY KEY (`id`)

    if(!empty($_POST['upload']) && !empty($_FILES['image']) && $_FILES['image']['error'] == 0)) {
        $uploaddir = 'uploads/';
        /* Generates random filename and extension */
        function tempnam_sfx($path, $suffix){
            do {
                $file = $path."/".mt_rand().$suffix;
                $fp = @fopen($file, 'x');
            return $file;
        /* Process image with GD library */
        $verifyimg = getimagesize($_FILES['image']['tmp_name']);
        /* Make sure the MIME type is an image */
        $pattern = "#^(image/)[^\s\n<]+$#i";
        if(!preg_match($pattern, $verifyimg['mime']){
            die("Only image files are allowed!");
        /* Rename both the image and the extension */
        $uploadfile = tempnam_sfx($uploaddir, ".tmp");
        /* Upload the file to a secure directory with the new name and extension */
        if (move_uploaded_file($_FILES['image']['tmp_name'], $uploadfile)) {
            /* Setup a database connection with PDO */
            $dbhost = "localhost";
            $dbuser = "";
            $dbpass = "";
            $dbname = "";
            // Set DSN
            $dsn = 'mysql:host='.$dbhost.';dbname='.$dbname;
            // Set options
            $options = array(
                PDO::ATTR_PERSISTENT    => true,
            try {
                $db = new PDO($dsn, $dbuser, $dbpass, $options);
            catch(PDOException $e){
                die("Error!: " . $e->getMessage());
            /* Setup query */
            $query = 'INSERT INTO uploads (name, original_name, mime_type) VALUES (:name, :oriname, :mime)';
            /* Prepare query */
            /* Bind parameters */
            $db->bindParam(':name', basename($uploadfile));
            $db->bindParam(':oriname', basename($_FILES['image']['name']));
            $db->bindParam(':mime', $_FILES['image']['type']);
            /* Execute query */
            try {
            catch(PDOException $e){
                // Remove the uploaded file
                die("Error!: " . $e->getMessage());
        } else {
            die("Image upload failed!");

    So now we've done the following:

    • We've created a secure place to save the images
    • We've processed the image with the GD library
    • We've checked the image MIME type
    • We've renamed the file name and changed the extension
    • We've saved both the new and original filename in our database
    • We've also saved the MIME type in our database

    We still need to be able to display the image to visitors. We simply use the id column of our database to do this:

    $uploaddir = 'uploads/';
    $id = 1;
    /* Setup a database connection with PDO */
    $dbhost = "localhost";
    $dbuser = "";
    $dbpass = "";
    $dbname = "";
    // Set DSN
    $dsn = 'mysql:host='.$dbhost.';dbname='.$dbname;
    // Set options
    $options = array(
        PDO::ATTR_PERSISTENT    => true,
    try {
        $db = new PDO($dsn, $dbuser, $dbpass, $options);
    catch(PDOException $e){
        die("Error!: " . $e->getMessage());
    /* Setup query */
    $query = 'SELECT name, original_name, mime_type FROM uploads WHERE id=:id';
    /* Prepare query */
    /* Bind parameters */
    $db->bindParam(':id', $id);
    /* Execute query */
    try {
        $result = $db->fetch(PDO::FETCH_ASSOC);
    catch(PDOException $e){
        die("Error!: " . $e->getMessage());
    /* Get the original filename */
    $newfile = $result['original_name'];
    /* Send headers and file to visitor */
    header('Content-Description: File Transfer');
    header('Content-Disposition: attachment; filename='.basename($newfile));
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($uploaddir.$result['name']));
    header("Content-Type: " . $result['mime_type']);

    Thanks to this script the visitor will be able to view the image or download it with its original filename. However, (s)he can't access the file on your server direcly nor will (s)he be able to fool your server to access the file for him/her as (s)he has no way of knowing which file it is. (S)he can't brute force your upload directory either as it simply doesn't allow anyone to access the directory except the server itself.

    And that concludes my secure image upload script.

    I'd like to add that I didn't include a maximum file size into this script, but you should easily be able to do that yourself.

    ImageUpload Class
    Due to the high demand of this script, I've writting an ImageUpload Class that should make it a lot easier for all of you to securely handle images uploaded by your website visitors. The class can handle both single and multiple files at once, and provides you with additional features like displaying, downloading and deleting images.

    Since the code is simply to large to post here, you can download the class from MEGA here:

    Download ImageUpload Class

    Just read the README.txt and follow the instructions.


