prevent执行上传的PHP文件吗？ [英] Prevent execution of uploaded php files?

问题描述

在我的项目允许用户上传任何类型的文件。我需要确保对执行上传的文件，可以通过PHP解析的安全性（* .PHP，*。html的，等等。）

In my project users are allowed to upload files of any type. I need to ensure security against execution of uploaded files that can parsed by php (*.php, *.html, etc.)

有没有办法告诉Apache不解析任何文件使用PHP的Web /上传，只是它们显示为纯文本？有什么其他选择？

Is there a way to tell apache not to parse any files with php in web/uploads and simply display them as plain text? What are other options?

推荐答案

请它们都放在同一个文件夹，并设置该行目录的的.htaccess 文件：

Keep them all under the same folder and set this line in the directory's .htaccess file:

php_flag engine off

这也将照顾其他攻击，如在.gif文件中嵌入PHP code。

That will also take care of other exploits such as embedding PHP code in .gif files.

这篇关于prevent执行上传的PHP文件吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！