
Check File Upload extension (PHP/Jquery/Javascript)

As the title says, which of them is better and why? Any weaknesses from doing it? I've been hearing that jQuery/JavaScript checking is bad and was advised to use PHP, but somehow don't know why....

Need some recommendations from any of you. Thanks in advance.

Anyone see if this is good or bad:

<input type="file" name="task_doc" class="task_doc" onChange="checkext();"/>

// Client-side extension check: runs in the browser, so it only gives the user
// quick feedback and can be bypassed; it is not a security control.
function checkext() {
    var permittedFileType = ['pdf', 'doc', 'docx', 'xls', 'xlsx'];
    // Extension = text after the last dot of the selected file name, lower-cased.
    var fext = $(".task_doc").val().split('.').pop().toLowerCase();
    var resultFile = validate_filetype(fext, permittedFileType);
    if (resultFile === false) {
        // Replace the input with a fresh one so the rejected file is no longer selected.
        $(".task_doc").replaceWith("<input type='file' name='task_doc' class='task_doc' onChange='checkext();'>");
        alert("Invalid Extension");
    } else {
        alert("Success");
    }
}

// Returns true if fext is one of the entries in ftype, otherwise false.
function validate_filetype(fext, ftype) {
    for (var i = 0; i < ftype.length; i++) {
        if (fext === ftype[i]) {
            return true;
        }
    }
    return false;
}

If you use only javascript to check for data-validity, advanced users will have the possibility of uploading any data they want.

On the other hand, using javascript might be a convenient way for the user to get fast feedback if the data he entered (files in this case) is invalid.

So I suggest using both client side and server side scripts.

You have to assume that any outside data is tainted and could be malicious. A user could disable JavaScript and send any file they want. Or a user could send a file to the server and change the MIME type and/or extension to bypass checks on the server as well.

Your best bet is to make sure your server is set up to correctly handle the various MIME types and not by default parse unknown file types as PHP. In other words, don't set Apache to handle anything but .php files as PHP, and block .php files from being uploaded at all. Handling file uploads is a sticky situation at best, security-wise. I would highly recommend saving uploads outside of your document root directory, renaming them to a random string that only you know (i.e. on upload store the random name in a database), then send the file via PHP to the browser.

<?php
// $filename is the path of the stored upload (outside the document root),
// looked up from the random name recorded in the database on upload.
header('Content-Description: File Transfer');
// Generic binary type so the browser does not try to render the content.
header('Content-Type: application/octet-stream');
// "attachment" forces a download dialog instead of inline display.
header('Content-Disposition: attachment; filename=' . basename($filename));
header('Content-Transfer-Encoding: binary');
readfile($filename);
exit;

I recommend doing this because storing them outside the document root prevents access, using a unique filename stops somebody from directly accessing it, and forcing a download (should) prevent any auto execution of a malicious file so hopefully the user's anti-virus could find it....
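The two answers above describe a procedure (re-check the extension on the server, do not trust the browser-supplied MIME type, store the file outside the document root under a random name, and serve it back as a forced download). The script below is an added example that puts those steps together for the `task_doc` field from the question; it is not code from the question or from either answer. It assumes a hypothetical upload directory `/var/app/uploads` outside the web root, and a plain `uploads.tsv` file in that directory stands in for the database table the second answer mentions.

```php
<?php
// upload.php: server-side counterpart of the JavaScript check in the question.
// Added example, not code from the question or the answers. Assumptions:
// UPLOAD_DIR is a hypothetical path outside the web root, and uploads.tsv in
// that directory stands in for the database table the answer refers to.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';

// Same allowlist as the client-side check, plus the MIME type libmagic is
// expected to report for each format (older libmagic versions may report
// application/zip for .docx/.xlsx; adjust to what your finfo actually returns).
const PERMITTED = [
    'pdf'  => 'application/pdf',
    'doc'  => 'application/msword',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'xls'  => 'application/vnd.ms-excel',
    'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
];

// Check one $_FILES entry. Returns [true, extension] or [false, reason].
function validate_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed or no file sent'];
    }
    // Re-check the extension here: the JavaScript check can be bypassed and
    // the file name is chosen by the client.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, PERMITTED)) {
        return [false, 'extension not permitted'];
    }
    // $file['type'] is also supplied by the browser, so sniff the content instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== PERMITTED[$ext]) {
        return [false, 'content does not match extension'];
    }
    return [true, $ext];
}

// Move a validated upload out of the document root under a random name and
// record stored name -> original name so the download endpoint can map back.
function store_upload(array $file, string $ext): string
{
    $storedName = bin2hex(random_bytes(16)); // 32 hex chars, deliberately no extension
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $storedName)) {
        throw new RuntimeException('could not store upload');
    }
    // Sanitised display name: only safe characters end up in the index and headers.
    $original = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['name']));
    file_put_contents(UPLOAD_DIR . '/uploads.tsv',
        "$storedName\t$ext\t$original\n", FILE_APPEND | LOCK_EX);
    return $storedName;
}

// Serve a stored file as a forced download, as the second answer describes.
function send_download(string $storedName): void
{
    // Only ids of the exact shape bin2hex() produces may reach the file system.
    if (!preg_match('/^[0-9a-f]{32}$/', $storedName)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $storedName;
    $indexFile = UPLOAD_DIR . '/uploads.tsv';
    $originalName = 'download';
    $lines = is_file($indexFile) ? file($indexFile, FILE_IGNORE_NEW_LINES) : [];
    foreach ($lines as $line) {
        $parts = explode("\t", $line, 3);
        if (count($parts) === 3 && $parts[0] === $storedName) {
            $originalName = $parts[2];
        }
    }
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $originalName . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['task_doc'])) {
    [$ok, $info] = validate_upload($_FILES['task_doc']);
    if (!$ok) {
        http_response_code(400);
        echo 'Invalid upload: ' . htmlspecialchars($info, ENT_QUOTES, 'UTF-8');
        exit;
    }
    echo 'Stored as ' . store_upload($_FILES['task_doc'], $info);
} elseif (isset($_GET['id'])) {
    send_download((string) $_GET['id']);
}
```

The stored name carries no extension at all, so even a misconfigured handler mapping cannot turn an upload into something the web server would execute, and the original name is only ever reused inside a quoted `Content-Disposition` header after sanitising. In a real application the lookup in `send_download()` would be a database query that also checks the requesting user is allowed to fetch that record; the random id alone is not an authorisation check.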
