Security of user uploaded files


Problem description


Hello,

I'm going to start making a script that will allow users to upload a file, then re-download it later. I'll basically be doing the following:

- The uploaded file will be given a string of random numbers / letters as the filename and uploaded to a folder.

- That random file name will be stored in the database along with the user's username

- When the user logs in they will see a list of their files that they can download and they will link to the appropriate file on the site.

The only problem with this is that anyone will be able to access the file if they get the link. It is unlikely that they'd guess the file name but still there is a possibility, so my question is:

Is there a way to make this system more secure, only allowing that same user to download the file again?

The files uploaded won't contain sensitive information; however, I certainly don't want it falling into the hands of certain people.

Solution

Hm, interesting problem.

If the filename is guessable, people will be able to access it.

What you could do is keep changing the file name when downloaded.

Just a thought,

*subscribing*


Another option is to do it as (some) publishers like SitePoint do it. There you are not able to download a file directly, even when you know the filename.

When you want to download, you indicate that file after logging in. The site will then send you an e-mail with a link with the hashed book name in it. Clicking that link only will download the file to you.

Ronald
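
The e-mailed one-time link Ronald describes, as an added example (not code from the thread or from SitePoint). It assumes a PDO connection in `$pdo`, a `files` table with `id`, `owner_id`, `stored_name` and `original_name`, a `download_tokens` table as sketched in the comments, MySQL's `UTC_TIMESTAMP()`, a working `mail()`, and the `BASE_URL` and upload path below; all of those are assumptions, not details from the post. The link carries a random token, the database stores only the token's SHA-256, and redemption is a single atomic `UPDATE` so the link works exactly once and expires on its own.

```php
<?php
// Added example, not from the thread: e-mailed one-time download link.
// Assumptions (not in the original post): PDO connection in $pdo; a table
//   download_tokens (token_hash CHAR(64) PRIMARY KEY, user_id INT, file_id INT,
//                    expires_at DATETIME, used_at DATETIME NULL);
// a `files` table (id, owner_id, stored_name, original_name); MySQL; mail().
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600;                 // assumption: links live 1 hour
const BASE_URL   = 'https://example.invalid';   // placeholder, assumption
const UPLOAD_DIR = '/var/app/uploads';          // outside the web root, assumption

/** Step 1: a logged-in user asks for file $fileId; e-mail them a one-time link. */
function issue_download_link(PDO $pdo, int $userId, int $fileId, string $email): string
{
    // Only the owner may request a link; the ownership check is part of the query.
    $own = $pdo->prepare('SELECT 1 FROM files WHERE id = ? AND owner_id = ?');
    $own->execute([$fileId, $userId]);
    if ($own->fetchColumn() === false) {
        throw new RuntimeException('no such file for this user');
    }
    // 256-bit token from the CSPRNG. Only its SHA-256 is stored, so a leaked
    // database row cannot be turned back into a working link.
    $token = bin2hex(random_bytes(32));
    $ins = $pdo->prepare(
        'INSERT INTO download_tokens (token_hash, user_id, file_id, expires_at)
         VALUES (?, ?, ?, ?)'
    );
    $ins->execute([
        hash('sha256', $token), $userId, $fileId,
        gmdate('Y-m-d H:i:s', time() + TOKEN_TTL_SECONDS),
    ]);
    $link = BASE_URL . '/fetch.php?t=' . $token;
    mail($email, 'Your download link', "This link works once, for one hour:\n$link");
    return $link;
}

/** Step 2: fetch.php?t=... redeems the token exactly once and returns the file row. */
function redeem_download_token(PDO $pdo, string $token): array
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        throw new RuntimeException('malformed token');
    }
    $hash = hash('sha256', $token);
    // Atomic claim: the UPDATE matches only an unused, unexpired token, so two
    // simultaneous clicks on the same link cannot both download.
    $claim = $pdo->prepare(
        'UPDATE download_tokens SET used_at = UTC_TIMESTAMP()
         WHERE token_hash = ? AND used_at IS NULL AND expires_at > UTC_TIMESTAMP()'
    );
    $claim->execute([$hash]);
    if ($claim->rowCount() !== 1) {
        throw new RuntimeException('token invalid, expired or already used');
    }
    $q = $pdo->prepare(
        'SELECT f.stored_name, f.original_name
         FROM download_tokens d JOIN files f ON f.id = d.file_id
         WHERE d.token_hash = ?'
    );
    $q->execute([$hash]);
    return $q->fetch(PDO::FETCH_ASSOC);
}

// fetch.php entry point (assumed routing): serve the file from outside the web root.
if (isset($_GET['t'])) {
    try {
        $row = redeem_download_token($pdo, (string) $_GET['t']);
    } catch (RuntimeException $e) {
        http_response_code(403);
        exit('link is not valid');
    }
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('X-Content-Type-Options: nosniff');
    readfile(UPLOAD_DIR . '/' . $row['stored_name']);
    exit;
}
```

The token is looked up by its hash rather than compared in PHP, so no constant-time comparison is needed; with 256 random bits, guessing is not a practical concern, and the expiry plus single-use claim limits what a forwarded or logged e-mail can do.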


Hi.

You could also consider putting the file outside the web root, and have PHP output it only to users that have logged in.

Or just put the file into the Database and read it from there.
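
The scheme the original poster outlines (random on-disk name, owner recorded in the database) combined with the last reply's advice (keep the files outside the web root and let PHP hand them out only to the logged-in owner), as one added example. This is not code from the thread; it assumes a PDO connection in `$pdo`, a `files` table with the columns named in the comments, the logged-in user's id in `$_SESSION['user_id']`, and the `UPLOAD_DIR` and size cap below. The download link carries only the database id, so knowing or guessing the on-disk name gives nothing, and the ownership check is part of the SQL query rather than a separate step that could be forgotten.

```php
<?php
// Added example, not from the thread: uploads stored outside the web root under
// a random name and served by PHP only to their owner.
// Assumptions (not in the original post): PDO connection in $pdo; a table
//   files (id INT AUTO_INCREMENT, owner_id INT, stored_name CHAR(32),
//          original_name VARCHAR(255), mime VARCHAR(100), size INT);
// the logged-in user's id in $_SESSION['user_id']; UPLOAD_DIR and MAX_BYTES.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // not under DocumentRoot; assumption
const MAX_BYTES  = 10 * 1024 * 1024;     // 10 MiB cap; assumption

/** Handle a POST from <input type="file" name="upload">; returns the new file id. */
function store_upload(PDO $pdo, int $ownerId, array $f): int
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: code ' . $f['error']);
    }
    if ($f['size'] > MAX_BYTES || !is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('rejected upload');
    }
    // Random name from the CSPRNG (32 hex chars). The browser-supplied name is
    // never used on disk, so it cannot carry "../" or a .php extension.
    $stored = bin2hex(random_bytes(16));
    // Sniff the type from the content; $f['type'] is whatever the client claimed.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']) ?: 'application/octet-stream';

    if (!move_uploaded_file($f['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not move upload');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO files (owner_id, stored_name, original_name, mime, size)
         VALUES (?, ?, ?, ?, ?)'
    );
    // Keep only the base name of what the browser sent, for the save-as prompt.
    $stmt->execute([$ownerId, $stored, basename($f['name']), $mime, $f['size']]);
    return (int) $pdo->lastInsertId();
}

/** download.php?id=123 : only the owner of file 123 gets the bytes. */
function send_file(PDO $pdo, ?int $userId, int $fileId): void
{
    if ($userId === null) {
        http_response_code(401);
        exit('login required');
    }
    // The ownership check is part of the query: a wrong owner simply gets no row.
    $stmt = $pdo->prepare('SELECT stored_name, original_name, mime, size
                           FROM files WHERE id = ? AND owner_id = ?');
    $stmt->execute([$fileId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);   // same answer for "no such file" and "not yours"
        exit('not found');
    }
    // Defence in depth: the stored name is ours, but re-check its shape anyway
    // before building a path from it.
    if (!preg_match('/^[0-9a-f]{32}$/', $row['stored_name'])) {
        http_response_code(500);
        exit('bad record');
    }
    // Serve as an attachment with a sanitised filename and nosniff, so an
    // uploaded HTML or SVG file is never rendered in the site's own origin.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
    header('Content-Type: ' . $row['mime']);
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . $row['size']);
    header('X-Content-Type-Options: nosniff');
    readfile(UPLOAD_DIR . '/' . $row['stored_name']);
    exit;
}

// Entry point (assumed routing: POST /upload.php, GET /download.php?id=N).
session_start();
$currentUser = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) {
    if ($currentUser === null) {
        http_response_code(401);
        exit('login required');
    }
    $id = store_upload($pdo, $currentUser, $_FILES['upload']);
    echo 'stored as file #' . $id;
} elseif (isset($_GET['id'])) {
    send_file($pdo, $currentUser, (int) $_GET['id']);
}
```

Because the files live outside the document root, the web server cannot serve them at all; the only path to the bytes is `send_file()`, which runs after the session and ownership checks. The random name then matters only for avoiding collisions, not for secrecy.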

