problem with uploading the images with php file up

Posted 2019-07-31 02:40

Question:

Hi guys, I am uploading images using the PHP file upload method. If I upload 10 images at a time (each image is 2000/3000 in dimension), then the on-click save function is not working. If I upload 5 images or fewer, then it works fine. What's wrong with my coding? I have just included my PHP code with this post:

<input value="Save" type="submit" name="SubSave" id="SubSave" onClick="return changes();">

if($_POST['SubSave'] == "Save"){
    $aid = $_GET['rid'];
    $updcount = $_POST['theValue'];

    if($_SESSION["almgtype"]==1 || (GetUserNoPhoto($_SESSION["almgid"]))>(GetTotalPhotoCount1($_SESSION["almgid"],$aid))) {

        $uid = $_SESSION["almgid"];

        for($k=1;$k<=$updcount;$k++) {
            //echo $k;
            echo $_FILES["uploadfile"]["type"];

            if($_FILES["uploadfile".$k]["name"]!="") {

                if(($_FILES["uploadfile".$k]["type"] == "image/gif") || ($_FILES["uploadfile".$k]["type"] == "image/jpeg")|| ($_FILES["uploadfile".$k]["type"] == "image/pjpeg") || ($_FILES["uploadfile".$k]["type"] == "image/png")) {

                    if ($_FILES["uploadfile".$k]["error"] > 0)
                    {
                        echo "Error: " . $_FILES["uploadfile".$k]["error"] . "<br />";
                    }
                    else
                    {
                        move_uploaded_file($_FILES["uploadfile".$k]["tmp_name"],
                            "photoalbum/" . $_FILES["uploadfile".$k]["name"]);
                        $uploadfile =  "photoalbum/" . $_FILES["uploadfile".$k]["name"];
                    }
                    $path  = $uploadfile;
                    $checklist = "select * from amt_photos1 where aid = '".trim($aid)."' and uid = '".trim($uid)."' and path = '".trim($path)."'";
                    $chkresult  = mysql_query($checklist);
                    if(mysql_num_rows($chkresult) == 0) {
                        $i = 0;
                        $path =$uploadfile;
                        $result = "insert into amt_photos1 set uid = '".trim($uid)."',
                                     aid = '".trim($aid)."',
                                     path = '".trim($path)."',
                                     status = '0',
                                     createdby = '".$_SESSION["almgid"]."',
                                     createddate = now()";

                        $rowlist = mysql_query($result) or die("Error:(".mysql_error().")".mysql_error());
                    }
                    /**********************  if file already exist means ******************************************/
                    else {
                        $err= "The Uploaded file name ".$path." Is already exisit in the Album. Rename It or try to add Any other Photos";
                    }
                    /**********************  if file already exist means ******************************************/
                    $path ="";
                    $uploadfile = "";
                    $i  = "";
                }  // file extention
                else {
                    $err= "Unable To Upload The File Please Check The File Extention.Try Again Later";
                }
            }
        }
    }
} // if save close

Answer 1:

You probably need to change the maximum POST size in your php.ini configuration file (post_max_size setting).



Answer 2:

You can use the command phpinfo() to dump your configuration. Likely, as others have stated, you need to increase the upload size and execution time.

These can be modified through a .htaccess file.

php_value upload_max_filesize 20M
php_value post_max_size 20M
php_value max_execution_time 200
php_value max_input_time 200


Answer 3:

Just as a warning: Your upload handling script will make it utterly trivial to completely subvert your server:

  1. You blindly trust that the $_FILES[...]['type'] value is correctly set - this value is completely under the user's control, and they can stuff in "image/jpeg" and upload any type of file they want
  2. You blindly trust that the $_FILES[...]['filename'] value is correctly set - again, this value is completely under the user's control, and they can stuff in "hackme.php" if they want to
  3. You blindly write the file to your photoalbum directory, but don't check if the user-supplied filename contains pathing data

So, what happens if someone uploads the following file:

$_FILES['uploadfile0']['type'] = 'image/gif';
$_FILES['uploadfile0']['filename'] = '../pwn_me.php';

You've now happily put a user-provided PHP script ONTO YOUR WEBSERVER and they can now do anything they want.

On top of that, your database queries blindly insert the same data into the queries, leaving you wide open to SQL injection attacks. As well, you don't check for filename collisions until AFTER you've moved the file. So, someone could upload a malicious script, but only do it once for that particular filename. Congratulations, you've implemented versioned attacks on your server. You'll have "pwn_me.php", "pwn_me2.php", "pwn_me3.php", "my_little_pwnme.php", and so on.
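
A hardened version of the per-file handling that addresses the points raised in this answer (client-supplied type, client-supplied filename and path, late collision check, SQL built by concatenation), as an added example that is not part of the original thread. It assumes a PDO connection `$db`; the constant `ALBUM_DIR` and the function name `store_uploaded_image` are hypothetical, and the `amt_photos1` columns are taken from the question.

```php
<?php
declare(strict_types=1);

// Hypothetical storage directory; assumed to be configured so scripts in it never execute.
const ALBUM_DIR = __DIR__ . '/photoalbum';
// The stored extension comes from the detected content type, never from the client.
const ALLOWED_TYPES = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

/**
 * Validate and store one $_FILES entry, then record it in amt_photos1.
 * Returns the stored relative path; throws RuntimeException on rejection.
 */
function store_uploaded_image(array $file, PDO $db, int $uid, int $aid): string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with error code $error");
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }

    // Detect the type from the file contents; $file['type'] is client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED_TYPES[$mime] ?? null) : null;
    if ($ext === null || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not an accepted image');
    }

    // Server-generated name: no client path components, and no collision check needed.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], ALBUM_DIR . '/' . $stored)) {
        throw new RuntimeException('Could not store file');
    }

    // Bound parameters keep every value out of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO amt_photos1 (uid, aid, path, status, createdby, createddate)
         VALUES (?, ?, ?, 0, ?, NOW())'
    );
    $stmt->execute([$uid, $aid, 'photoalbum/' . $stored, $uid]);

    return 'photoalbum/' . $stored;
}

// Usage inside the question's loop (fields uploadfile1..N as posted there):
// $path = store_uploaded_image($_FILES['uploadfile' . $k], $db, (int) $uid, (int) $aid);
```

If the original filename needs to be shown to users, store it in a separate column as display text only and escape it on output.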