PHP提供了两个方便的函数以减轻这些理论上的风险:
is_uploaded_file( )
move_uploaded_file( )
如果你需要确保tmp_name中的文件是一个上传的文件,你可以用is_uploaded_file( ):
CODE:
<?php
$filename = $_FILES['attachment']['tmp_name'];
if (is_uploaded_file($filename))
{
/* $_FILES['attachment']['tmp_name'] is an uploaded file. */
}
?>
如果你希望只把上传的文件移到一个固定位置,你可以使用move_uploaded_file( ):CODE:
<?php
$old_filename = $_FILES['attachment']['tmp_name'];
$new_filename = '/path/to/attachment.txt';
if (move_uploaded_file($old_filename, $new_filename))
{
/* $old_filename is an uploaded file, and the move was successful. */
}
?>
最后你可以用 filesize( ) 来校验文件的大小:
CODE:
<?php
$filename = $_FILES['attachment']['tmp_name'];
if (is_uploaded_file($filename))
{
$size = filesize($filename);
}
?>
这些安全措施的目的是加上一层额外的安全保护层。最佳的方法是永远尽可能少地去信任。
