永远不要使用 $_FILES..['type'].其中包含的信息根本没有经过验证，它是用户定义的值.自己测试类型.对于图片，exif_imagetype 通常是一个不错的选择选择:

Never use $_FILES..['type']. The information contained in it is not verified at all, it's a user-defined value. Test the type yourself. For images, exif_imagetype is usually a good choice:

$allowedTypes = array(IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF);
$detectedType = exif_imagetype($_FILES['fupload']['tmp_name']);
$error = !in_array($detectedType, $allowedTypes);

或者，finfo 函数 也很棒，如果您的服务器支持它们.

Alternatively, the finfo functions are great, if your server supports them.