PHP Upload文件增强安全性 [英] PHP Upload file enhance security

问题描述

嘿..我的问题是如何防止某人以您假装的扩展名上传病毒或某些恶意代码，例如，我有一个pdf文件上传器，任何人都可以使用pdf伪装上传二进制文件，有很多程序可以做到这一点

Hey.. my question is how to prevent someone upload a virus or some malicious code with the extension you pretend for example i have a pdf file uploader, anyone can upload a binary with pdf camouflage there are lots of programs to do that.

推荐答案

上传文件时会引起很多安全方面的问题.第一个问题是文件可能不是您想要的文件，在这种情况下为pdf.变量$_FILES['file_name']['type']由攻击者控制，可能从不受信任.通常使用漏洞利用代码或篡改数据来修改此值.

There are a number of secuirty concerns that arise with uploading files. The first problem is that the file might not be the file you want, in this case a pdf. The variable $_FILES['file_name']['type'] is controlled by the attacker can never be trusted. This value is commonly modified using exploit code or using tamperdata.

1)您的安全系统的第一步是确保文件具有.pdf扩展名:

1)The first step in your secuirty system is to make sure the file has a .pdf extension:

if("pdf"!=substr($fileName, strrpos($fileName, '.') + 1)){
   die("Invalid File Type");
}

2)接下来，您应该使用php filetype()函数.

2)Next you should check what file type it is using the php filetype() function.

3)一个严重的问题是这些PDF文件通常可以利用诸如缓冲区溢出之类的漏洞.在Adobe制造的软件中找到.这些PDF用于通过按下载驱动攻击来传播病毒.

3)A serious problem is that these PDF files can exploit vulnerabilities such as buffer overflows commonly found in software made by Adobe. These PDF's are used to spread viruses in a Drive By Download attack.

最好的解决方案是安装Web应用程序防火墙 Mod_Security .这将阻止像sql injection和xss这样的攻击击中您的Web应用程序.可以将Mod_Secuirty配置为使用

The best solution is to install the web application firewall Mod_Security. This will stop attacks like sql injection and xss from hitting your web application. Mod_Secuirty can be configured to scan all upload files for viruses using modsec-clamscan .

这篇关于PHP Upload文件增强安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！