$ _files Superglobal을 사용하여 파일 업로드 마스터 링에 대한 결정적인 안내서

文件上传的核心是验证错误、确认文件类型、重命名并安全移动文件。1. 首先检查 $_FILES['error'] 是否为 UPLOAD_ERR_OK；2. 使用 finfo 检测真实 MIME 类型而非信任客户端数据；3. 验证文件扩展名并限制允许的类型；4. 使用随机名称如 bin2hex(random_bytes(16)) 重命名文件防止路径遍历；5. 通过 move_uploaded_file() 将文件从临时目录移至安全的上传目录；6. 存储位置应尽量位于 web 根目录外，若需公开则禁用脚本执行；7. 对图像等文件可使用 GD 或 ImageMagick 重新处理以防范恶意内容；8. 始终在服务器端验证文件大小、类型和内容，确保配置中 file_uploads=On 且正确设置 upload_max_filesize 和 post_max_size；9. 处理多文件时重构 $_FILES 数组以便遍历；10. 永远不要直接使用用户提交的文件名或假设上传安全，所有输入都需视为不可信。遵循这些步骤可实现安全可靠的文件上传功能。

Handling file uploads in PHP using the $_FILES superglobal is a common task, but one that’s often misunderstood or implemented insecurely. When done right, it allows users to upload images, documents, and other files safely and efficiently. This guide walks you through everything you need to know about $_FILES, from basics to best practices.

What Is the $_FILES Superglobal?

When a user uploads a file via an HTML form, PHP stores information about that file in the $_FILES associative array. This superglobal is automatically populated when a form with enctype="multipart/form-data" is submitted.

Here’s a minimal upload form:

<form action="upload.php" method="POST" enctype="multipart/form-data">
    <input type="file" name="userfile">
    <button type="submit">Upload</button>
</form>

After submission, $_FILES['userfile'] will contain the following keys:

• name – The original name of the file on the user's machine.
• type – The MIME type (if provided by the browser).
• tmp_name – The temporary path where PHP stores the file on the server.
• size – File size in bytes.
• error – An error code (if any occurred during upload).

For example, after upload, $_FILES might look like:

$_FILES['userfile'] = [
    'name'     => 'photo.jpg',
    'type'     => 'image/jpeg',
    'tmp_name' => '/tmp/php/php5678.tmp',
    'size'     => 12345,
    'error'    => 0
];

Note: Never trust name, type, or any data directly from $_FILES. Always validate and sanitize.

How to Process a File Upload

After the form is submitted, your PHP script must check for errors, validate the file, and move it from the temporary directory to a permanent location.

Here’s a step-by-step example:

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $file = $_FILES['userfile'];

    // 1. Check for upload errors
    if ($file['error'] !== UPLOAD_ERR_OK) {
        switch ($file['error']) {
            case UPLOAD_ERR_INI_SIZE:
            case UPLOAD_ERR_FORM_SIZE:
                echo "File is too large.";
                break;
            default:
                echo "An error occurred during upload.";
        }
        exit;
    }

    // 2. Validate file type (example: allow only images)
    $allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];
    if (!in_array($file['type'], $allowedTypes)) {
        echo "Invalid file type.";
        exit;
    }

    // 3. Validate file extension (extra safety)
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $allowedExtensions = ['jpg', 'jpeg', 'png', 'gif'];
    if (!in_array($ext, $allowedExtensions)) {
        echo "File extension not allowed.";
        exit;
    }

    // 4. Generate a safe filename
    $safeName = bin2hex(random_bytes(16)) . ".$ext";
    $uploadDir = 'uploads/';
    $destination = $uploadDir . $safeName;

    // 5. Move the file from temp to permanent location
    if (move_uploaded_file($file['tmp_name'], $destination)) {
        echo "File uploaded successfully: $safeName";
    } else {
        echo "Failed to move uploaded file.";
    }
}

Key points:

• Always check $file['error'] first.
• Use move_uploaded_file() — it’s safer than rename() because it validates that the file was actually uploaded via HTTP POST.
• Never use the original filename directly — it can be malicious.

Handling Multiple File Uploads

You can upload multiple files by using array-style names in the form:

<input type="file" name="userfiles[]" multiple>

In PHP, loop through the $_FILES array:

$files = $_FILES['userfiles'];

for ($i = 0; $i < count($files['name']); $i++) {
    $file = [
        'name'     => $files['name'][$i],
        'type'     => $files['type'][$i],
        'tmp_name' => $files['tmp_name'][$i],
        'size'     => $files['size'][$i],
        'error'    => $files['error'][$i]
    ];

    // Process each file as above
}

Alternatively, restructure the array for easier handling:

$restructured = [];
foreach ($files as $key => $values) {
    foreach ($values as $index => $value) {
        $restructured[$index][$key] = $value;
    }
}

Now you can iterate over $restructured like a normal array of files.

Security Best Practices

File uploads are a common attack vector. Follow these rules:

• Never trust MIME types from the client. Use finfo to detect the real type:

  $finfo = finfo_open(FILEINFO_MIME_TYPE);
  $mimeType = finfo_file($finfo, $file['tmp_name']);
  finfo_close($finfo);
  
  if (!in_array($mimeType, ['image/jpeg', 'image/png'])) {
      die("Invalid file content.");
  }

• Limit file size using upload_max_filesize and post_max_size in php.ini, and validate in PHP.

• Store uploads outside the web root when possible. If they must be public, put them in a dedicated directory with no script execution:

  # In .htaccess (Apache)
  php_flag engine off

• Rename files using random or hashed names to prevent path traversal or overwrites.

• Validate file content — especially for images, consider reprocessing them with GD or ImageMagick.

• Sanitize input, even though it’s a file — filenames can contain dangerous characters.

---

Common Pitfalls and Tips

• Check PHP configuration: Ensure file_uploads = On in php.ini.
• Large files: Adjust upload_max_filesize, post_max_size, and consider timeouts.
• Missing enctype: Without enctype="multipart/form-data", $_FILES will be empty.
• Temporary files: PHP automatically deletes them after the script ends — move them immediately.
• Error codes: Use constants like UPLOAD_ERR_OK, UPLOAD_ERR_NO_FILE, etc., for clarity.

---

Handling file uploads with $_FILES doesn’t have to be risky or confusing. By validating thoroughly, sanitizing inputs, and following secure practices, you can build reliable upload functionality. The key is never to assume the upload is safe — always verify on the server side.

Basically, check the error, confirm the file type, rename it, and move it securely. That’s the core of mastering $_FILES.

위 내용은 $ _files Superglobal을 사용하여 파일 업로드 마스터 링에 대한 결정적인 안내서의 상세 내용입니다. 자세한 내용은 PHP 중국어 웹사이트의 기타 관련 기사를 참조하세요!