Laravel文件上传安全,如果只考虑图像 [英] Is Laravel File Uploading Secure if considered only image
问题描述
对于输入
类型文件
,Laravel基本上具有以下功能。
//确定文件是否上传
Input :: hasFile('filename');
//访问文件属性
Input :: file('name') - > getRealPath();
Input :: file('name') - > getClientOriginalName();
Input :: file('name') - > getClientOriginalExtension();
Input :: file('name') - > getSize();
Input :: file('name') - > getMimeType();
如果我使用 getClientOriginalExtension
来找到正确的图片扩展名 getSize
限制文件上传大小& getMimeType
来检查图像的mimetype。
我担保了吗?而且可以对功能有信心,它不会被黑客以任何方式利用。
考虑到一个事实,那我只会上传图片。
$ h
$ b
更新:按照下面的URL使用Core PHP安全地上传文件:
http://php.w3clan.com/tutorial/47 / form-handling-secure-upload
或者在Laravel中使用规则中的文件验证
$ rule = ['name'=> 'image'];
如果您只打算上传图片,可以这样做:
$ rules [
...
'file'=> 'required | image'//假设它是必需的,否则就把它留下
]
<如果你想进一步限制哪些扩展是允许的,你可以指定一个包含你允许的扩展名的数组,然后检查
Input :: file('file') - > getClientOriginalExtension() code>反对它。虽然这可能是欺骗性的,所以最好指定允许使用哪种MIME类型。
例如,如果您只想要允许.png和.gif文件,则可以使用:
$ allowedMimes = [
'image / gif',
'image / png'
];
然后使用 - > getMimeType()
Laravel basically have following below functions for input
type file
.
// Determine if a file was uploaded
Input::hasFile('filename');
// Access file properties
Input::file('name')->getRealPath();
Input::file('name')->getClientOriginalName();
Input::file('name')->getClientOriginalExtension();
Input::file('name')->getSize();
Input::file('name')->getMimeType();
If i use getClientOriginalExtension
to find correct image extension, getSize
to restrict file upload size & getMimeType
to check the mimetype of image.
Am i secured ? And can have faith on function that , it will not be exploited by hacker in any way.
Considering a fact, that i will be only uploading image.
Update : Follow below URL for File Uploading Securely with Core PHP :
http://php.w3clan.com/tutorial/47/form-handling-secure-uploading
or Just use file validation in rule as per Laravel
$rule = [ 'name' => 'image' ];
解决方案 Seems pretty secure to me.
If you only intend to upload images, you can do this:
$rules [
...
'file' => 'required|image' // Assuming it's required, otherwise leave that out
]
If you want to further restrict which extensions are allowed, you can specify an array with the extensions you allow, and then check Input::file('file')->getClientOriginalExtension()
against it. Although this can be spoofed, so it's better to specify which mime types are allowed instead.
If you for example only want to allow .png and .gif files, you use:
$allowedMimes = [
'image/gif',
'image/png'
];
And then check using ->getMimeType()
这篇关于Laravel文件上传安全,如果只考虑图像的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!