安全文件上传并验证它 [英] Secure File Upload and validating it
问题描述
我获得了视频上传和图片上传:
我的环境: LAMP
编辑:我将允许远程上传和 POST
视频上传
EDIT2:我得到的文件将被重命名,我将不会存储原始文件名。
- $ _ FILES mime类型。 第二个检查
-
如果文件通过上述检查,文件将被移动到公共目录。
finfo_file
(如果函数存在)mimetype再次(
PHP 5.3
)或shell命令文件。 我的问题是这个设置安全吗?还是我可以改进一些东西?我昨天看了这个洞,这个对我来说似乎够用了,但是谁知道:)
我是新手,当涉及到编码和安全性时: - )
其他人建议包括一个文件服务脚本输出文件,而不是将文件保存在公用文件夹中,并直接在src属性中引用该文件。有些人还会建议病毒扫描一切。
I get Video uploads and image uploads:
My environment: LAMP
EDIT: I will allow remote upload and POST
video upload
EDIT2: The files which i get will be renamed i wont store the orginal file names.
First I check with
$_FILES
the mime type.Second I check with
finfo_file
(if function exists) the mimetype again (PHP 5.3
) or with shell command file.File gets moved to public dir if its passed the above checks.
My question is this setup secure? Or can I improve something? I read the hole day yesterday this seems for me enough, but who knows :)
I'm a novice when it comes coding and security :-)
as long as you rename with your own file name and extension, and have no include type vulnerabilities in your apps code (ie: include($_GET['whatever']);), this is fairly good. you will also want to make sure everything on your server stack is the latest version (especially anything that processes images/video).
others would recommend including a file serving script which outputs the file, instead of keeping the file in a public folder and referencing the file directly in your src attributes. some would also recommend virus scanning everything.
这篇关于安全文件上传并验证它的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!