通过 PHP 上传图像和缩略图

发布于 2024-11-30 06:01:33 字数 527 浏览 0 评论 0原文

所以我需要一个非常简单的脚本来调整图像大小并在 PHP 中上传缩略图。请不要推荐库，因为我宁愿能够轻松地编辑它并从中学习。

我自己编写了一个小的 PHP 脚本来上传图像并以其在数据库中的 ID 命名它，并打算使拇指像在名称末尾添加“thumb”一样简单（例如 123thumb.jpg），但我试图在缩略图中工作却有点毁了它。

它看起来是这样的：

mysql_query('
    INSERT INTO art (
        artist,
        title,
        extension)
    VALUES (
        1,
        "Penguins",
        "'.end(explode('.',$_FILES['art']['name'])).'")') ;
move_uploaded_file($_FILES['art']['tmp_name'],'images/'.mysql_insert_id()..end(explode('.',$_FILES['art']['name']))

原文

So I need a very simple script to resize an image and upload the thumbnail in PHP. Please don't recommend a library because I'd rather be able to edit and learn from it with ease.

I had written a small PHP script on my own to upload an image and name it after its ID in the database and intended to make the thumb as simple as adding "thumb" to the end of the name (such as 123thumb.jpg), but I sort of ruined it trying to work in thumbnails.

Here's what it somewhat looked like:

mysql_query('
    INSERT INTO art (
        artist,
        title,
        extension)
    VALUES (
        1,
        "Penguins",
        "'.end(explode('.',$_FILES['art']['name'])).'")') ;
move_uploaded_file($_FILES['art']['tmp_name'],'images/'.mysql_insert_id()..end(explode('.',$_FILES['art']['name']))

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

是伱的 2024-12-07 06:01:33

糟糕的设计。 1. 没有对查询进行错误检查，并在查询中使用原始用户提供的数据，导致存在 SQL 注入漏洞。 2. 使用原始用户提供的文件名来存储文件，即使它前面确实有一个数据库 ID。 3. 盲目地假设插入查询有效，这样 msyql_insert_id 可能不会返回任何内容。 3. 盲目假设移动命令有效。

更好/更安全的方法是：

if ($_FILES['art']['error'] !== UPLOAD_ERR_OK) {
   die("Upload failed with error code " . $_FILES['art']['error']);
}

$filename = mysql_real_escape_string(basename($_FILES['art']['name']));
mysql_query("INSERT .... VALUES (1, 'Penguins', '$filename', ...)") or die(mysql_error());

move_uploaded_files(...) or die("Failed to move file");

可以进行更多/更好的验证/错误处理，但这是比您的版本更安全/更可靠的东西的骨架。

Bad bad design. 1. No error checking on the query and using raw user-provided data in the query, leading to a gaping sql injection vulnerability. 2. Using raw user-provided filenames to store the files in, even if it does have a database ID prepended. 3. Blindly assuming the insert query worked, such that msyql_insert_id might not return anything. 3. blindly assuming the move command works.

A better/safer methodology is:

if ($_FILES['art']['error'] !== UPLOAD_ERR_OK) {
   die("Upload failed with error code " . $_FILES['art']['error']);
}

$filename = mysql_real_escape_string(basename($_FILES['art']['name']));
mysql_query("INSERT .... VALUES (1, 'Penguins', '$filename', ...)") or die(mysql_error());

move_uploaded_files(...) or die("Failed to move file");

There's more/better validation/error handling that can be done, but this is the skeleton of something far safer/more reliable than your version.

回复收藏 0 原文