PHP安全性和独特的命名约定 [英] PHP security and unique naming conventions

问题描述

命名用户上传的图像(例如头像)有什么问题:

Is anything wrong with naming images uploaded by users (for example avatars) like that:

/user_id-username.jpg

示例:

/1-feont.jpg

所有图像都有唯一的名称(因为user_id是主键)，但是安全性如何?有什么不好的影响吗?如果有，我应该改成什么惯例?

All images has unique name (becouse user_id is primary key), but what about security? Has that any bad influence? If has, what conventions should I do instead?

推荐答案

• 当您有同时上传的用户时，使用Ryan所建议的日期会失败
当用户可以更改其用户名时，
• 使用用户名失败. 失败"在这里有点难，但是您必须移动文件，而使用其他解决方案则不需要这些文件
• 如果ID是数据库中自动生成的自动增量ID，则使用 id 可解决所有并发问题.与 Kerrek SB 相对，我没有看到这样的问题，那就是在文件系统上的唯一标识符和图像之间建立了联系.我的意思是它是独一无二的，您可以使用它.
• Using the date as Ryan suggests fails when you have users that upload at the same time
• Using the username fails when users may change their username. "Fail" is a bit hard here, but you have to move the files around which is something that's not needed when using another solution
• Using the id solves all concurrency problems if the ID is an autogenerated auto-increment ID from your database. Opposed to Kerrek SB, I don't see a problem that this makes a connection between a unique identifier and an image on your file system. I mean it's unique and you can use it.

如果您不断公开使用ID，则使用ID还可以使用户轻松查找/链接其图像.另一方面，如果您在URL中仅包含用户名(如/profile/$username)，那么我也会在图像文件名中使用用户名，以保持一致.

Using the ID also makes it easy for your users to find/link their image if you constantly use the ID publicly. If you on the other hand have only the user names in URLs - like /profile/$username, then I'd use the username in the image file name, too - to be consistent.

关于安全性:如果您清理用户名，就可以了.只需确保它是唯一的，这样人们就不会覆盖彼此的名字(这意味着您需要对数据库中的用户名使用与图像文件名中的用户名相同的卫生规则).

About security: If you sanitize the username, all is fine. Just make sure that it's unique, so people can't overwrite each other's names (which means that you need to use the same sanitation rules for usernames in database as you use for usernames in image file names).

使用用户名作为图像名称还可以使您在手动查找图像时更轻松地找到图像，但是这种情况发生的频率可能不足以让您值得.

Having the username as image name also makes it "easier" to find an image if you manually need to find one, but that probably happens not often enough to be of worth for you.

总而言之，我将使用ID.

To summarize, I'd go with the ID.

这篇关于PHP安全性和独特的命名约定的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！