<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <HTML ><HEAD ><TITLE >is_uploaded_file</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK REL="HOME" TITLE="PHP Manual" HREF="index.html"><LINK REL="UP" TITLE="Filesystem Functions" HREF="ref.filesystem.html"><LINK REL="PREVIOUS" TITLE="is_readable" HREF="function.is-readable.html"><LINK REL="NEXT" TITLE="is_writable" HREF="function.is-writable.html"><META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=UTF-8"></HEAD ><BODY CLASS="refentry" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" >PHP Manual</TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="function.is-readable.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="function.is-writable.html" ACCESSKEY="N" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><H1 ><A NAME="function.is-uploaded-file" ></A >is_uploaded_file</H1 ><DIV CLASS="refnamediv" ><A NAME="AEN54089" ></A ><P > (PHP 3 &gt;= 3.0.17, PHP 4 &gt;= 4.0.3, PHP 5)</P >is_uploaded_file -- Tells whether the file was uploaded via HTTP POST</DIV ><DIV CLASS="refsect1" ><A NAME="AEN54092" ></A ><H2 >Description</H2 >bool <B CLASS="methodname" >is_uploaded_file</B > ( string filename )<BR ></BR ><P > Returns <TT CLASS="constant" ><B >TRUE</B ></TT > if the file named by <CODE CLASS="parameter" >filename</CODE > was uploaded via HTTP POST. This helps ensure that a malicious user cannot trick the script into accessing files it should not access, for example <TT CLASS="filename" >/etc/passwd</TT >. </P ><P > This check is especially important if anything done with the uploaded file could reveal its contents to the user, or to other users on the same system. </P ><P > For <B CLASS="function" >is_uploaded_file()</B > to work properly, you must pass a variable such as $_FILES['userfile']['tmp_name']; the name of the file on the client machine, $_FILES['userfile']['name'], does not work. </P ><TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" 
CELLSPACING="0" CLASS="EXAMPLE" ><TR ><TD ><DIV CLASS="example" ><A NAME="AEN54107" ></A ><P ><B >Example 1. <B CLASS="function" >is_uploaded_file()</B > example</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" CELLPADDING="5" ><TR ><TD ><code><font color="#000000"> <font color="#0000BB">&lt;?php<br /><br /></font><font color="#007700">if (</font><font color="#0000BB">is_uploaded_file</font><font color="#007700">(</font><font color="#0000BB">$_FILES</font><font color="#007700">[</font><font color="#DD0000">'userfile'</font><font color="#007700">][</font><font color="#DD0000">'tmp_name'</font><font color="#007700">])) {<br />&nbsp;&nbsp;&nbsp;&nbsp;</font><font color="#FF8000">// 'name' is supplied by the client, so escape it before output<br />&nbsp;&nbsp;&nbsp;&nbsp;</font><font color="#007700">echo </font><font color="#DD0000">"File "</font><font color="#007700">. </font><font color="#0000BB">htmlspecialchars</font><font color="#007700">(</font><font color="#0000BB">$_FILES</font><font color="#007700">[</font><font color="#DD0000">'userfile'</font><font color="#007700">][</font><font color="#DD0000">'name'</font><font color="#007700">]) .</font><font color="#DD0000">" uploaded successfully.\n"</font><font color="#007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;echo </font><font color="#DD0000">"Displaying contents\n"</font><font color="#007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;</font><font color="#0000BB">readfile</font><font color="#007700">(</font><font color="#0000BB">$_FILES</font><font color="#007700">[</font><font color="#DD0000">'userfile'</font><font color="#007700">][</font><font color="#DD0000">'tmp_name'</font><font color="#007700">]);<br />} else {<br />&nbsp;&nbsp;&nbsp;&nbsp;echo </font><font color="#DD0000">"Possible file upload attack: "</font><font color="#007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;echo </font><font color="#DD0000">"filename '"</font><font color="#007700">. </font><font color="#0000BB">htmlspecialchars</font><font color="#007700">(</font><font color="#0000BB">$_FILES</font><font color="#007700">[</font><font color="#DD0000">'userfile'</font><font color="#007700">][</font><font color="#DD0000">'tmp_name'</font><font color="#007700">]) . 
</font><font color="#DD0000">"'."</font><font color="#007700">;<br />}<br /><br /></font><font color="#0000BB">?&gt;</font> </font> </code></TD ></TR ></TABLE ></DIV ></TD ></TR ></TABLE ><P > <B CLASS="function" >is_uploaded_file()</B > is available only in versions of PHP 3 after 3.0.16, and in versions of PHP 4 after 4.0.2. If you must use an older version, you can use the following function to protect yourself: <DIV CLASS="note" ><BLOCKQUOTE CLASS="note" ><P ><B >Note: </B > The following example will <SPAN CLASS="emphasis" ><I CLASS="emphasis" >not</I ></SPAN > work in versions of PHP 4 after 4.0.2. It depends on internal PHP functionality that changed after that version. </P ></BLOCKQUOTE ></DIV > </P ><TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" CLASS="EXAMPLE" ><TR ><TD ><DIV CLASS="example" ><A NAME="AEN54116" ></A ><P ><B >Example 2. <B CLASS="function" >is_uploaded_file()</B > example for PHP 4 &lt; 4.0.3</B ></P ><TABLE BORDER="0" BGCOLOR="#E0E0E0" CELLPADDING="5" ><TR ><TD ><code><font color="#000000"> <font color="#0000BB">&lt;?php<br /></font><font color="#FF8000">/* Userland test for uploaded file. */<br /></font><font color="#007700">function </font><font color="#0000BB">is_uploaded_file_4_0_2</font><font color="#007700">(</font><font color="#0000BB">$filename</font><font color="#007700">)<br />{<br />&nbsp;&nbsp;&nbsp;&nbsp;if (!</font><font color="#0000BB">$tmp_file </font><font color="#007700">= </font><font color="#0000BB">get_cfg_var</font><font color="#007700">(</font><font color="#DD0000">'upload_tmp_dir'</font><font color="#007700">)) {<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</font><font color="#0000BB">$tmp_file </font><font color="#007700">= </font><font color="#0000BB">dirname</font><font color="#007700">(</font><font color="#0000BB">tempnam</font><font color="#007700">(</font><font color="#DD0000">''</font><font color="#007700">, </font><font color="#DD0000">''</font><font color="#007700">));<br />&nbsp;&nbsp;&nbsp;&nbsp;}<br />&nbsp;&nbsp;&nbsp;&nbsp;</font><font color="#0000BB">$tmp_file </font><font color="#007700">.= </font><font color="#DD0000">'/' </font><font color="#007700">. 
</font><font color="#0000BB">basename</font><font color="#007700">(</font><font color="#0000BB">$filename</font><font color="#007700">);<br />&nbsp;&nbsp;&nbsp;&nbsp;</font><font color="#FF8000">/* User might have trailing slash in php.ini... */<br />&nbsp;&nbsp;&nbsp;&nbsp;</font><font color="#007700">return (</font><font color="#0000BB">ereg_replace</font><font color="#007700">(</font><font color="#DD0000">'/+'</font><font color="#007700">, </font><font color="#DD0000">'/'</font><font color="#007700">, </font><font color="#0000BB">$tmp_file</font><font color="#007700">) == </font><font color="#0000BB">$filename</font><font color="#007700">);<br />}<br /><br /></font><font color="#FF8000">/* This is how to use it, since you also don't have<br />&nbsp;* move_uploaded_file() in these older versions: */<br /></font><font color="#007700">if (</font><font color="#0000BB">is_uploaded_file_4_0_2</font><font color="#007700">(</font><font color="#0000BB">$HTTP_POST_FILES</font><font color="#007700">[</font><font color="#DD0000">'userfile'</font><font color="#007700">])) {<br />&nbsp;&nbsp;&nbsp;&nbsp;</font><font color="#0000BB">copy</font><font color="#007700">(</font><font color="#0000BB">$HTTP_POST_FILES</font><font color="#007700">[</font><font color="#DD0000">'userfile'</font><font color="#007700">], </font><font color="#DD0000">"/place/to/put/uploaded/file"</font><font color="#007700">);<br />} else {<br />&nbsp;&nbsp;&nbsp;&nbsp;echo </font><font color="#DD0000">"Possible file upload attack: filename '$HTTP_POST_FILES</font><font color="#007700">[</font><font color="#DD0000">userfile</font><font color="#007700">]</font><font color="#DD0000">'."</font><font color="#007700">;<br />}<br /></font><font color="#0000BB">?&gt;</font> </font> </code></TD ></TR ></TABLE ></DIV ></TD ></TR ></TABLE ><P > See also <A HREF="function.move-uploaded-file.html" ><B CLASS="function" >move_uploaded_file()</B ></A >, and the <A HREF="features.file-upload.html" >Handling file uploads</A > chapter for a simple usage example. </P ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE SUMMARY="Footer navigation table" 
WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="function.is-readable.html" ACCESSKEY="P" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" ACCESSKEY="H" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="function.is-writable.html" ACCESSKEY="N" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >is_readable</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="ref.filesystem.html" ACCESSKEY="U" >Up</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >is_writable</TD ></TR ></TABLE ></DIV ></BODY ></HTML >
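
Added example (not part of the PHP manual page above): a handler that applies the tmp_name check described on this page, then stores the file with move_uploaded_file() under a server-chosen name, and shows a forged entry being rejected. store_upload(), the '.upload' suffix and the $forged entry are hypothetical names and constructed data; the code assumes PHP 7 or later.

```php
<?php
declare(strict_types=1);

/**
 * Added example: store one entry of $_FILES safely.
 * store_upload() and its parameters are hypothetical names, not PHP built-ins.
 */
function store_upload(array $file, string $destDir): string
{
    // PHP sets 'error' itself; anything but UPLOAD_ERR_OK means no usable file.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }

    // Check the server-side temporary path, never the client-supplied 'name'.
    $tmp = $file['tmp_name'] ?? '';
    if (!is_string($tmp) || !is_uploaded_file($tmp)) {
        throw new RuntimeException('not an HTTP POST upload');
    }

    // Choose the stored name on the server; the client 'name' is untrusted input.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.upload';

    // move_uploaded_file() repeats the upload check before moving the file.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not move upload');
    }
    return $dest;
}

// Constructed input: an entry whose tmp_name was not created by PHP's upload
// handling, as a script that trusted request variables might receive.
$forged = [
    'name'     => 'report.txt',
    'tmp_name' => '/etc/passwd',
    'error'    => UPLOAD_ERR_OK,
    'size'     => 1,
];

try {
    store_upload($forged, sys_get_temp_dir());
} catch (RuntimeException $e) {
    // Escape anything derived from the request before echoing it.
    echo 'Rejected ', htmlspecialchars($forged['name'], ENT_QUOTES, 'UTF-8'),
         ': ', $e->getMessage(), "\n";
}
```

In a real request handler, pass $_FILES['userfile'] and a directory outside the web root as the two arguments.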