如何防止php上传文件:
[英]How to prevent php from uploading files:
问题描述
How do you prevent php from uploading files into./tmp/ folder if they are not the correct type.
如果文件类型不正确,如何防止 php 将文件上传到 ./tmp/ 文件夹。
For example the sample code given on the w3school website checks the file length using the following code:例如 w3school 网站上给出的示例代码使用以下代码检查文件长度:
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/pjpeg"))
But this is after the files have already been uploaded to temp, am I correct?但这是在文件已经上传到 temp 之后,我正确吗? Is there any way to do this in php or will I have to do it on the client side?有什么方法可以在 php 中执行此操作,还是我必须在客户端执行此操作?
3 个解决方案
解决方案1
2 已采纳 2011-06-10 02:18:22
PHP cannot know the type of the file before it was uploaded to the server so PHP could get its hands on it. PHP 在文件上传到服务器之前无法知道文件的类型,因此 PHP 可以得到它。 For that purpose the file will need to be stored in a temp folder.为此,该文件需要存储在临时文件夹中。 Also, PHP will do no checking for you, you will have to check in your script (for which purpose the file needs to be saved somewhere).此外,PHP 不会为您检查,您必须检查您的脚本(为此需要将文件保存在某处)。
To prevent uploads of invalid files, you'd need to check client side.为防止上传无效文件,您需要检查客户端。 This often involves Flash or other plugins, since Javascript is sandboxed and can't access files on the harddisk (search for exceptions to this rule on this very site).这通常涉及 Flash 或其他插件,因为 Javascript 已被沙盒化,无法访问硬盘上的文件(在此站点上搜索此规则的例外情况)。
Any client side validation is pointless though, since it's client side , your server cannot trust client information.但是,任何客户端验证都是毫无意义的,因为它是客户端,您的服务器无法信任客户端信息。 For that matter, the $_FILES['file']['type'] information is entirely client-provided information as well, which you should not trust.就此而言, $_FILES['file']['type']信息也完全是客户端提供的信息,您不应该信任这些信息。 Check the MIME type of a file yourself to verify.自己检查文件的 MIME 类型以进行验证。 For examples on how to do this, see How to get the content-type of a file in PHP?有关如何执行此操作的示例,请参阅如何在 PHP 中获取文件的内容类型?
解决方案2
0 2011-06-10 02:15:17
I dont think this is possible to do either in client side or in server side.我认为这在客户端或服务器端都是不可能的。 The file upload will upload to a temporary directory and thats where you parse it.文件上传将上传到一个临时目录,这就是你解析它的地方。
解决方案3
0 2011-06-10 02:43:51
As others have said, you can't access the filetype until the file is uploaded.正如其他人所说,在文件上传之前您无法访问文件类型。 Assuming this is for 'user experience' purposes (and not security purposes), you can use javascript to check the file name and look at its extension:假设这是出于“用户体验”目的(而非安全目的),您可以使用 javascript 检查文件名并查看其扩展名:
document.getElementById("file-input").file
will return the filename, and you can parse everything after the '.'将返回文件名,您可以解析“。”之后的所有内容to see if it's a gif, jpg, etc. Obviously, this extension is just a container (and might even be mislabeled by a malicious user), and is not a 'true' filetype.看看它是不是 gif、jpg 等。显然,这个扩展只是一个容器(甚至可能被恶意用户贴错标签),而不是“真正的”文件类型。
If you really want to do it in PHP, you can have a javascript that passes the name value as a hidden input in the form, and your PHP can stop by the file upload based on this value.如果您真的想在 PHP 中执行此操作,您可以使用 javascript 将名称值作为隐藏输入传递到表单中,并且您的 PHP 可以基于此值停止文件上传。 But it would make a lot more sense to do this in Javascript since, again, this isn't a security measure.但是在 Javascript 中这样做会更有意义,因为这又不是一种安全措施。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.