PHP File Type Validation

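I wrote the following PHP function to upload files, but I'm having a hard time handling the array of allowed file types. If I specify only one file type, i.e. image/png, it works fine. If I assign more than one, it doesn't work. I'm using the in_array() function to determine the allowed file types, but I don't know how to use it correctly.

Thanks!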

function mcSingleFileUpload($mcUpFileName, $mcAllowedFileTypes, $mcFileSizeMax){
    if(!empty($mcUpFileName)){
        $mcIsValidUpload = true;
        // upload directory
        $mcUploadDir = UPLOAD_DIRECTORY;
        // current file properties
        $mcFileName = $_FILES[$mcUpFileName]['name'];
        $mcFileType = $_FILES[$mcUpFileName]['type'];
        $mcFileSize = $_FILES[$mcUpFileName]['size'];
        $mcTempFileName = $_FILES[$mcUpFileName]['tmp_name'];
        $mcFileError = $_FILES[$mcUpFileName]['error'];
        // file size limit
        $mcFileSizeLimit = $mcFileSizeMax;
        // convert bytes to kilobytes
        $mcBytesInKb = 1024;
        $mcFileSizeKb = round($mcFileSize / $mcBytesInKb, 2);
        // create array for allowed file types
        $mcAllowedFTypes = array($mcAllowedFileTypes);
        // create unique file name
        $mcUniqueFileName = date('m-d-Y').'-'.time().'-'.$mcFileName;
        // if file error
        if($mcFileError > 0)
        {
            $mcIsValidUpload = false;
            mcResponseMessage(true, 'File error!');
        }
        // if no file error
        if($mcFileError == 0)
        {
            // check file type
            if( !in_array($mcFileType, $mcAllowedFTypes) ){
                $mcIsValidUpload = false;
                mcResponseMessage(true, 'Invalid file type!');
            }
            // check file size
            if( $mcFileSize > $mcFileSizeLimit ){
                $mcIsValidUpload = false;
                mcResponseMessage(true, 'File exceeds maximum limit of '.$mcFileSizeKb.'kB');
            }
            // move uploaded file to assigned directory
            if($mcIsValidUpload == true){
                if(move_uploaded_file($mcTempFileName, $mcUploadDir.$mcUniqueFileName)){
                    mcResponseMessage(false, 'File uploaded successfully!');
                }
                else{
                    mcResponseMessage(true, 'File could not be uploaded!');
                }
            }
        }
    }
}
//mcRequiredFile('mcFileUpSingle','please select a file to upload!');
mcSingleFileUpload('mcFileUpSingle', 'image/png,image/jpg', 2097152);

Change this line:

$mcAllowedFTypes = array($mcAllowedFileTypes);

to this:

$mcAllowedFTypes = explode(',',$mcAllowedFileTypes);

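Don't rely on the unsafe client-supplied file type in $_FILES; get it from the file's content.

Then define your allowed file types and check whether the uploaded file's type is in the whitelist.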

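// whitelist of accepted types (must be defined before it is checked)
$allowed_mime_types = array(
        'image/jpeg',
        'image/jpg',
        'image/png',
        'image/gif',
        'video/mp4'
);

// compare the type detected from the file's content against the whitelist
if(in_array(mime_type($file_path),$allowed_mime_types)){
    // save the file
}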

/*
For PHP>=5.3.0, you can use PHP's finfo_file function (https://www.php.net/manual/en/function.finfo-file.php) to get information about the file.
For PHP<5.3.0, you can use your system's `file` command to get the file information.
*/
function mime_type($file_path)
{
    // default when no detection method is available or detection fails
    $mime_type = null;
    if (function_exists('finfo_open')) {
        $finfo = new finfo(FILEINFO_MIME_TYPE, null);
        $mime_type = $finfo->file($file_path);
    }
    // fall back to the system `file` command if finfo is missing or failed
    if (!$mime_type && function_exists('passthru') && function_exists('escapeshellarg')) {
        ob_start();
        passthru(sprintf('file -b --mime %s 2>/dev/null', escapeshellarg($file_path)), $return);
        // close the output buffer exactly once, whatever the exit status
        $type = trim(ob_get_clean());
        if ($return > 0) {
            return null;
        }
        // keep only "type/subtype", dropping any "; charset=..." suffix
        if (!preg_match('#^([a-z0-9\-]+/[a-z0-9\-\.]+)#i', $type, $match)) {
            return null;
        }
        $mime_type = $match[1];
    }
    return $mime_type;
}
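
The two answers combined, as an added example that is not part of the original thread: the comma-separated whitelist is split with explode(), the type is read from the file's bytes with finfo, and the stored file name is generated server-side instead of reusing the client's. `checkUpload`, `EXT_BY_MIME` and the two sample files are hypothetical names and constructed inputs.

```php
<?php
// Added example, not code from the original thread; all names are hypothetical.
// Whitelist: content-detected MIME type => extension chosen by the server.
// finfo reports JPEG files as image/jpeg, never image/jpg.
const EXT_BY_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Validates one $_FILES-shaped entry. Returns [bool $ok, string $detail];
// on success $detail is a server-generated file name.
function checkUpload(array $file, string $allowedCsv, int $maxBytes): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload error'];
    }
    if (filesize($file['tmp_name']) > $maxBytes) {
        return [false, 'file exceeds size limit'];
    }
    // "image/png, image/jpeg" -> ['image/png', 'image/jpeg'] (the explode() fix, plus trim)
    $allowed = array_map('trim', explode(',', $allowedCsv));
    // The type comes from the file's bytes; $file['type'] is never read.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = EXT_BY_MIME[$detected] ?? null;
    if (!in_array($detected, $allowed, true) || $ext === null) {
        return [false, 'rejected content type: ' . var_export($detected, true)];
    }
    // Name and extension are generated here, not taken from $file['name'].
    return [true, bin2hex(random_bytes(8)) . '.' . $ext];
}

// Constructed sample inputs: a minimal PNG header, and a script whose
// client-supplied name and type both claim it is a PNG.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" . pack('N2', 1, 1) . "\x08\x06\x00\x00\x00");
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "<?php echo 'hello'; ?>\n");

$samples = [
    ['name' => 'photo.png', 'type' => 'image/png', 'tmp_name' => $png,  'error' => UPLOAD_ERR_OK],
    ['name' => 'photo.png', 'type' => 'image/png', 'tmp_name' => $fake, 'error' => UPLOAD_ERR_OK],
];
foreach ($samples as $s) {
    [$ok, $detail] = checkUpload($s, 'image/png, image/jpeg', 2097152);
    echo ($ok ? 'ACCEPT ' : 'REJECT ') . $detail . PHP_EOL;
}
unlink($png);
unlink($fake);
```

In a request handler, pass the `$_FILES` entry to the function and use the returned name as the destination for `move_uploaded_file()`.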