PHP安全文件上传
[英]PHP secure file upload
问题描述
I have an upload form which allowed most of file types to be uploaded. 
我有一个上传表单,该表单允许大多数文件类型被上传。 Here they are: 他们来了:
- Image: jpg/jpeg/png/gif ... 图片:jpg / jpeg / png / gif ...
- Video: mp4/avi/wmv ... 视频:mp4 / avi / wmv ...
- another files: doc/pdf/rar/zip/mp3/... 其他文件:doc / pdf / rar / zip / mp3 / ...
For image file, I know I can use PHP function getimagesize() or something else to make sure it's the real image. 对于图像文件,我知道我可以使用PHP函数getimagesize()或其他方法来确保它是真实图像。 But how about the other files such as Video, and documentation ? 但是其他文件,例如视频和文档呢? Is it a real file without faking the extension ? 这是一个真实的文件,没有伪造扩展名吗?
How to do that? 怎么做?
Thank you! 谢谢! I need your help. 我需要你的帮助。
3 个解决方案
解决方案1
0 2013-10-10 14:35:39
every file has it's own type, it called mime type , so u can check the mime type , do some things like that : 每个文件都有它自己的类型,称为mime type,因此您可以检查mime类型,执行以下操作:
if (mime_content_type($FILES['file']['tmp'])== "image/png"))
{
// do upload
}else{
die('file type not supported');}
u can put all the mime type into an array the check the type with in_array function u can find all the mime type here : http://www.freeformatter.com/mime-types-list.html 您可以将所有的mime类型放入数组中,并使用in_array函数检查类型。您可以在此处找到所有的mime类型: http : //www.freeformatter.com/mime-types-list.html
解决方案2
0 2013-10-10 14:57:18
Any client-side check (even the browser mime-type detection) is doomed to fail because user has access to it. 任何客户端检查(甚至是浏览器mime类型检测)注定会失败,因为用户可以访问它。 You'd better let the upload begin and complete, then perform a serious server side check. 您最好让上传开始并完成,然后进行认真的服务器端检查。 You simply discard the file if that is not what you expected to be. 如果不是您期望的那样,则只需丢弃该文件。
On top of the server-side check you can of course implement the client-side check just for a neater user experience 当然,除了服务器端检查之外,您还可以实施客户端检查,只是为了获得更整洁的用户体验
解决方案3
-1 2013-12-04 11:53:09
The only way to fully secure a file upload is to attempt parsing the uploaded file with PHP or some other extension/tool that expects a specific valid file type. 完全保护文件上载的唯一方法是尝试使用PHP或其他需要特定有效文件类型的扩展/工具来解析上载的文件。 In other words: 换一种说法:
- Images: use GD functions to parse the file, they'll return false if it isn't a valid image. 图片:使用GD函数解析文件,如果该图片无效,它们将返回false。
- Videos: could probably validate using ffmpeg on the command line and check the output or use the ID3 extension as suggested here: https://stackoverflow.com/a/134893 (credit to Zathrus Writer's comment on the question linking to this question) 视频:可能可以在命令行上使用ffmpeg进行验证并检查输出,或按照此处建议使用ID3扩展名: https ://stackoverflow.com/a/134893(记入Zathrus Writer对与此问题相关的问题的评论)
- Documents: Attempt loading the file with PHPExcel/Word/PowerPoint although I'm not sure that these would support just any format of those documents as it works on OpenXML. 文档:尝试用PHPExcel / Word / PowerPoint加载文件,尽管我不确定它们在OpenXML上是否能支持这些文档的任何格式。
From looking at the getID3 extension this might be the best bet as it seems to parse a wide variety of content types. 通过查看getID3扩展名,这可能是最好的选择,因为它似乎可以解析各种内容类型。
In any case, what you essentially need is for PHP or some other 3rd party library/extension to determine that the binary data of a file corresponds with its MIME content type. 无论如何,您实际上需要的是PHP或其他一些第三方库/扩展名,以确定文件的二进制数据与其MIME内容类型相对应。
Hope this helps :) 希望这可以帮助 :)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.