阻止执行上传的 php 文件? [英] Prevent execution of uploaded php files?
本文介绍了阻止执行上传的 php 文件?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
在我的项目中,用户可以上传任何类型的文件.我需要确保执行可以由 php 解析的上传文件的安全性(*.php、*.html 等)
In my project users are allowed to upload files of any type. I need to ensure security against execution of uploaded files that can parsed by php (*.php, *.html, etc.)
有没有办法告诉 apache 不要在 web/uploads 中使用 php 解析任何文件,而只是将它们显示为纯文本?还有哪些选择?
Is there a way to tell apache not to parse any files with php in web/uploads and simply display them as plain text? What are other options?
推荐答案
将它们都放在同一个文件夹下,并在目录的 .htaccess
文件中设置这一行:
Keep them all under the same folder and set this line in the directory's .htaccess
file:
php_flag engine off
这也将处理其他漏洞,例如在 .gif 文件中嵌入 PHP 代码.
That will also take care of other exploits such as embedding PHP code in .gif files.
这篇关于阻止执行上传的 php 文件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文