在PHP中保证文件上传的好方法 [英] Good Way to Secure File Uploads in PHP
问题描述
我们目前的原型只是将文件转储到 / {app_root} / files / ,当然,任何人都可以得到即使他们没有登录或使用系统。我们的目标是只授予文件访问权限( view access ),如果用户已经登录,并且实际上可以访问文件所属的文章。
所以,总之,我正在寻找一个很好的方法来做到这一点。
我正在考虑在 / web / ( http )文件夹,然后使用 header() commans以某种方式呈现它,或者,也许只是将文件转储到数据库中?然而,我从来没有做过任何一个。
虽然我怀疑我能最终弄清楚,但是这里有太多聪明的人,一些现有的类或函数库,已经这样做?
您必须执行以下操作:
- 将所有文件移出webroot。您可以使用.htaccess禁用对文件夹的访问权限,但不值得冒险和潜在的安全风险。只需将其移出即可。
- 保存上传文件的表格,将用户的原始文件名存储在那里。将文件重命名为
$ id。$ ext等等。简而言之,您不希望在系统中使用用户的文件名。
- 有一个脚本,
download.php或无论如何,获取文件ID,验证谁登录,如果所有内容都检出,请取出文件,将其读取到浏览器中,然后发送相应的下载标头。
- 有一个脚本,
这些标题可能类似于:
header('Content-type:application /八位字节流');
header('Content-disposition:attachment; filename = usersuppliedname.txt');
header(Content-Length:。filesize('../ safefiles / 1.txt'));
header(Content-Transfer-Encoding:binary);
readfile('../ safefiles / 1.txt');
出口;
您可以获得更多花哨,如果你想允许恢复文件等,但上述应该做到这一点。
Writing a small app that (among other things) lets users upload a file (like an image, a .doc or a text file) as part of their posting/submission.
Our current prototype just dumps the file into /{app_root}/files/, but of course, anyone can get to that even if they are not logged in or using the system. The goal is to only grant access (view access) to the files if user is logged in and does in fact have access to the post that the file belongs to.
So, in short, I am looking for a good way to do this.
I am thinking of either creating a folder outside the /web/ (http) folder and then having PHP render it somehow using header() commans, or, maybe just dumping the file into the database? I have never done either one, however.
While I suspect I can figure it out eventually, there are just too many smart people on here that I was figuring someone will know of some sort of existing class or function library that does this already?
You have to do the following:
- Move all the files out of the webroot. You could disable access to the folder with .htaccess, but it is not worth the hassle and potential security risk. Just move it out there.
- Keep a table of the files uploaded, storing the user's original file name there. Rename the file to
$id.$extand so on. In short, you don't want to use the user's file name in your system. - Have a script,
download.phpor whatever, get the file's ID, verify who is logged in, and if everything checks out, fetch the file, read it out to the browser, and send the appropriate download headers.
These headers would be something like:
header('Content-type: application/octet-stream');
header('Content-disposition: attachment; filename=usersuppliedname.txt');
header("Content-Length: " . filesize('../safefiles/1.txt'));
header("Content-Transfer-Encoding: binary");
readfile('../safefiles/1.txt');
exit;
You can then get more fancy if you want to allow resuming files and such, but the above should do it.
这篇关于在PHP中保证文件上传的好方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
