PHP图像上传安全检查清单 [英] PHP image upload security check list
问题描述
我正在编写一个脚本来将图像上传到我的应用程序.以下安全步骤是否足以使应用程序从脚本角度安全?
I am programming a script to upload images to my application. Are the following security steps enough to make the application safe from the script side?
- 使用.httaccess禁止PHP在上传文件夹中运行.
- 如果文件名包含字符串"php",则不允许上传.
- 仅允许扩展名:jpg,jpeg,gif和png.
- 仅允许使用图像文件类型.
- 禁止使用两种文件类型的图像.
- 更改图像名称.
- 上传到子目录而不是根目录.
这是我的脚本:
$filename=$_FILES['my_files']['name'];
$filetype=$_FILES['my_files']['type'];
$filename = strtolower($filename);
$filetype = strtolower($filetype);
//check if contain php and kill it
$pos = strpos($filename,'php');
if(!($pos === false)) {
die('error');
}
//get the file ext
$file_ext = strrchr($filename, '.');
//check if its allowed or not
$whitelist = array(".jpg",".jpeg",".gif",".png");
if (!(in_array($file_ext, $whitelist))) {
die('not allowed extension,please upload images only');
}
//check upload type
$pos = strpos($filetype,'image');
if($pos === false) {
die('error 1');
}
$imageinfo = getimagesize($_FILES['my_files']['tmp_name']);
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg'&& $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
die('error 2');
}
//check double file type (image with comment)
if(substr_count($filetype, '/')>1){
die('error 3')
}
// upload to upload direcory
$uploaddir = 'upload/'.date("Y-m-d").'/' ;
if (file_exists($uploaddir)) {
} else {
mkdir( $uploaddir, 0777);
}
//change the image name
$uploadfile = $uploaddir . md5(basename($_FILES['my_files']['name'])).$file_ext;
if (move_uploaded_file($_FILES['my_files']['tmp_name'], $uploadfile)) {
echo "<img id=\"upload_id\" src=\"".$uploadfile."\"><br />";
} else {
echo "error";
}
欢迎任何新提示:)
推荐答案
使用GD(或Imagick)重新处理图像并保存处理后的图像.所有其他的仅仅是乐趣让黑客感到无聊.
Re-process the image using GD (or Imagick) and save the processed image. All others are just fun boring for hackers.
正如rr所指出的,使用move_uploaded_file()进行任何上传.
And as rr pointed out, use move_uploaded_file() for any upload.
后期顺便说一句,您希望对上传文件夹有严格的限制.这些地方是发生许多攻击的黑暗角落之一.这对于任何类型的上载和任何编程语言/服务器均有效.检查 https://www.owasp.org/index.php/Unrestricted_File_Upload
Late By the way, you'd want to be very restrictive about your upload folder. Those places are one of the dark corners where many exploits happen. This is valid for any type of upload and any programming language/server. Check https://www.owasp.org/index.php/Unrestricted_File_Upload
这篇关于PHP图像上传安全检查清单的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
