[英]PHP secure file upload
I have an upload form which allowed most of file types to be uploaded. 我有一个上传表单,该表单允许大多数文件类型被上传。 Here they are: 他们来了:
For image file, I know I can use PHP function getimagesize() or something else to make sure it's the real image. 对于图像文件,我知道我可以使用PHP函数getimagesize()或其他方法来确保它是真实图像。 But how about the other files such as Video, and documentation ? 但是其他文件,例如视频和文档呢? Is it a real file without faking the extension ? 这是一个真实的文件,没有伪造扩展名吗?
How to do that? 怎么做?
Thank you! 谢谢! I need your help. 我需要你的帮助。
every file has it's own type, it called mime type , so u can check the mime type , do some things like that : 每个文件都有它自己的类型,称为mime type,因此您可以检查mime类型,执行以下操作:
if (mime_content_type($FILES['file']['tmp'])== "image/png"))
{
// do upload
}else{
die('file type not supported');}
u can put all the mime type into an array the check the type with in_array function u can find all the mime type here : http://www.freeformatter.com/mime-types-list.html 您可以将所有的mime类型放入数组中,并使用in_array函数检查类型。您可以在此处找到所有的mime类型: http : //www.freeformatter.com/mime-types-list.html
Any client-side check (even the browser mime-type detection) is doomed to fail because user has access to it. 任何客户端检查(甚至是浏览器mime类型检测)注定会失败,因为用户可以访问它。 You'd better let the upload begin and complete, then perform a serious server side check. 您最好让上传开始并完成,然后进行认真的服务器端检查。 You simply discard the file if that is not what you expected to be. 如果不是您期望的那样,则只需丢弃该文件。
On top of the server-side check you can of course implement the client-side check just for a neater user experience 当然,除了服务器端检查之外,您还可以实施客户端检查,只是为了获得更整洁的用户体验
The only way to fully secure a file upload is to attempt parsing the uploaded file with PHP or some other extension/tool that expects a specific valid file type. 完全保护文件上载的唯一方法是尝试使用PHP或其他需要特定有效文件类型的扩展/工具来解析上载的文件。 In other words: 换一种说法:
From looking at the getID3 extension this might be the best bet as it seems to parse a wide variety of content types. 通过查看getID3扩展名,这可能是最好的选择,因为它似乎可以解析各种内容类型。
In any case, what you essentially need is for PHP or some other 3rd party library/extension to determine that the binary data of a file corresponds with its MIME content type. 无论如何,您实际上需要的是PHP或其他一些第三方库/扩展名,以确定文件的二进制数据与其MIME内容类型相对应。
Hope this helps :) 希望这可以帮助 :)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.