阻止执行上传的 php 文件? [英] Prevent execution of uploaded php files?

问题描述

在我的项目中，用户可以上传任何类型的文件.我需要确保执行可以由 php 解析的上传文件的安全性(*.php、*.html 等)

In my project users are allowed to upload files of any type. I need to ensure security against execution of uploaded files that can parsed by php (*.php, *.html, etc.)

有没有办法告诉 apache 不要在 web/uploads 中使用 php 解析任何文件，而只是将它们显示为纯文本?还有哪些选择?

Is there a way to tell apache not to parse any files with php in web/uploads and simply display them as plain text? What are other options?

推荐答案

将它们都放在同一个文件夹下，并在目录的 .htaccess 文件中设置这一行:

Keep them all under the same folder and set this line in the directory's .htaccess file:

php_flag engine off

这也将处理其他漏洞，例如在 .gif 文件中嵌入 PHP 代码.

That will also take care of other exploits such as embedding PHP code in .gif files.

这篇关于阻止执行上传的 php 文件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！