Saturday, 27 July 2013
test2
Is this really an uploaded file?
The next thing you need to do is left out of more PHP instructions and books than
you can imagine, but it’s critical. At this point, regardless of whether you have a
real file, all your program has to work with is a file name, and that name is controlled
entirely by what your users put into their file input box. So if they’re tricky,
malicious, and thoroughly dishonest, they might try to supply a filename that does
upload a file from their system, but also just so happens to match one of the special
files on web servers that control things like, say, the passwords for users. (That file
is usually /etc/passwd.)
You might think you need to get your regular expressions out here and check for all kinds
of fancy filename characters, but there’s an easier way. PHP gives you a function
called is_uploaded_file that ensures that a given name references a file PHP actually
received as an HTTP upload (HTTP being the protocol of web browsers and HTML forms). In other
words, if the supplied name targets a file that already lives on your web server rather
than one uploaded in this request, this function returns false, and you know that
something’s fishy.
So you want to do something like this:
// Is this file the result of a valid HTTP upload? If tmp_name points at any
// other file on the server, is_uploaded_file() returns false and we bail out.
is_uploaded_file($_FILES[$image_fieldname]['tmp_name'])
  or handle_error("you were trying to do something naughty. Shame on you!",
                  "Uploaded request: file named " .
                  "'{$_FILES[$image_fieldname]['tmp_name']}'");
// Interact with MySQL
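As an added example (not the book's code), here is a defensive wrapper that combines the is_uploaded_file check above with the $_FILES error-code lookup the chapter describes and a server-side size check. The function validate_upload and the demo $_FILES-shaped entry are constructed for this example; the book's handle_error is not used, so the function returns a reason string instead of calling it.

```php
<?php
// Added example (not the book's code): validate one entry from $_FILES
// before touching the file. Returns null when the upload is acceptable,
// or a short reason string when it must be rejected.
function validate_upload(array $file, int $max_bytes): ?string
{
    // 1. PHP's own verdict on the transfer. Anything but UPLOAD_ERR_OK
    //    means there is no usable file, whatever tmp_name says.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    $messages = [
        UPLOAD_ERR_INI_SIZE   => 'file exceeds upload_max_filesize in php.ini',
        UPLOAD_ERR_FORM_SIZE  => 'file exceeds MAX_FILE_SIZE from the HTML form',
        UPLOAD_ERR_PARTIAL    => 'file was only partially uploaded',
        UPLOAD_ERR_NO_FILE    => 'no file was uploaded',
        UPLOAD_ERR_NO_TMP_DIR => 'server has no temporary directory',
        UPLOAD_ERR_CANT_WRITE => 'server could not write the temporary file',
        UPLOAD_ERR_EXTENSION  => 'a PHP extension stopped the upload',
    ];
    if ($err !== UPLOAD_ERR_OK) {
        return $messages[$err] ?? "unknown upload error code $err";
    }

    // 2. tmp_name must refer to a file PHP itself received over HTTP POST.
    //    A name pointing at any other server file (say /etc/passwd) fails
    //    this check, so such a file is never read, copied or moved.
    $tmp = (string) ($file['tmp_name'] ?? '');
    if ($tmp === '' || !is_uploaded_file($tmp)) {
        return "not a genuine upload: '$tmp'";
    }

    // 3. MAX_FILE_SIZE in the form is only a hint to the browser; the
    //    real size limit has to be enforced here, on the server.
    if (filesize($tmp) > $max_bytes) {
        return 'file larger than ' . $max_bytes . ' bytes';
    }
    return null;
}

// Constructed demo input: a real file on disk that was NOT uploaded over
// HTTP, shaped like $_FILES['user_pic'] would be. is_uploaded_file()
// returns false for it, so validate_upload() rejects it.
$fake = tempnam(sys_get_temp_dir(), 'demo');
file_put_contents($fake, 'not an upload');
$entry = ['name' => 'me.jpg', 'type' => 'image/jpeg', 'size' => 13,
          'tmp_name' => $fake, 'error' => UPLOAD_ERR_OK];
echo validate_upload($entry, 2 * 1024 * 1024) ?? 'accepted', PHP_EOL;
unlink($fake);
```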
Breathing and Sleeping Matter
Any good programmer will tell you stories of at least a few all-night hacking sessions. And odds are, those stories will be tinged rosy, full of victories and excitement. But the truth of the matter is that fatigue slows the brain down, and no programmer is as effective on two hours of sleep as she is on six.

Bottom line: a tired brain isn’t as useful as a rested one. And if you’ve been swimming in the pool of PHP programming for seven chapters before this one, you’re now well into the deep end. Chances are that you’re having to read at least a few things twice, and some of this new code introduces not just one or two new things, but three or four or five.

There’s nothing at all wrong with this, but if you’re getting worn out, nobody wins by you plowing ahead. Take a few hours off, ride your bike, jog a mile, or just set PHP aside for the night. You’ll be stunned at how much clearer things seem after a bit of rest from programming. Don’t think that rest and taking a few moments to breathe out of sight of the keyboard are a sign of weakness; rather, just the opposite.
test
Warning Watch your square brackets ([ ]) and parentheses carefully here; it’s really easy to get them
mixed up and cause a hard-to-find error.
But this code is a little longer, while the code without the if is just a little clearer.
Every bit of complexity you can save helps, so this is a nice trick to add to your
growing PHP toolkit.
You can actually check your code in action at this point. Visit create_user.html and
find an image file that’s bigger than 2 MB. Look for a photo in iPhoto or something
you’ve pulled straight off your camera. Select that image, and then try and submit
your form. You should get something like Figure 8-5 back.
Figure 8-5
Here’s one of those beautiful situations where a lot of hard work earlier pays off later. Rather than wading through your code or even writing custom PHP, you were able to quickly hand off an error to your handle_error function and get a nice response. Now multiply that by the hundreds (thousands?) of times you’ll use handle_error, and you’ll start to see the value of having that utility function written early on in your PHP life.
Note You might have noticed that even though the image was rejected, your browser still uploads the
image—regardless of how big the image is, or what your maximum file size is. That’s because it’s only after
the image is uploaded that the size comparison is made. Sort of a bummer, but that’s a browser issue, and not
something you can fix with PHP.
This page is the result of your code finding an error code, and that error code being
matched up to an error in $php_errors—in this case, the image was larger than your
HTML allowed.