PHP上传文件增强安全性 [英] PHP Upload file enhance security
问题描述
嘿..我的问题是如何防止有人上传病毒或一些带有你假装扩展名的恶意代码,例如我有一个 pdf 文件上传器,任何人都可以上传带有 pdf 伪装的二进制文件,有很多程序可以做到这一点.
Hey.. my question is how to prevent someone upload a virus or some malicious code with the extension you pretend for example i have a pdf file uploader, anyone can upload a binary with pdf camouflage there are lots of programs to do that.
推荐答案
上传文件时会出现许多安全问题.第一个问题是该文件可能不是您想要的文件,在本例中为 pdf.变量 $_FILES['file_name']['type'] 由攻击者控制,永远不可信任.该值通常使用漏洞利用代码或使用篡改数据进行修改.
There are a number of secuirty concerns that arise with uploading files. The first problem is that the file might not be the file you want, in this case a pdf. The variable $_FILES['file_name']['type'] is controlled by the attacker can never be trusted. This value is commonly modified using exploit code or using tamperdata.
1) 安全系统的第一步是确保文件具有 .pdf 扩展名:
1)The first step in your secuirty system is to make sure the file has a .pdf extension:
if("pdf"!=substr($fileName, strrpos($fileName, '.') + 1)){
die("Invalid File Type");
}
2)接下来你应该检查它是什么文件类型使用 php filetype() 函数.
2)Next you should check what file type it is using the php filetype() function.
3)一个严重的问题是这些PDF文件通常可以利用缓冲区溢出等漏洞在 Adobe 制作的软件中找到.这些 PDF 用于在 Drive By Download 攻击中传播病毒.
3)A serious problem is that these PDF files can exploit vulnerabilities such as buffer overflows commonly found in software made by Adobe. These PDF's are used to spread viruses in a Drive By Download attack.
最好的解决方案是安装网络应用防火墙Mod_Security.这将阻止 sql 注入和 xss 等攻击攻击您的 Web 应用程序.Mod_Secuirty 可以配置为使用 modsec-clamscan .
The best solution is to install the web application firewall Mod_Security. This will stop attacks like sql injection and xss from hitting your web application. Mod_Secuirty can be configured to scan all upload files for viruses using modsec-clamscan .
这篇关于PHP上传文件增强安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
