堆栈内存溢出
  简体   繁体   English

用PHP将图像文件上传到服务器的最安全方法是什么?

[英]What is the most secure method to upload image file to server with PHP?

 原文  2011-12-16 10:03:53       php/ mysql/ image

问题描述

I know this topic is widely talked about. 我知道这个话题被广泛讨论。 I've done my research, and decided to store image files onto the server instead of the DB as a blob file. 我已经完成研究,决定将图像文件而不是DB作为blob文件存储到服务器上。 The problem that I am having is trying to figure out the best way to upload the file, store it in a designated folder then storing the destination in the db..say../img/something.jpg - I've tried looking through many resources but most of them are missing some important steps in the process. 我遇到的问题是试图找出上传文件的最佳方法,将其存储在指定的文件夹中,然后将目标存储在db..say ../ img / something.jpg中-我尝试浏览许多资源,但其中大多数都缺少该过程中的一些重要步骤。

Problems: 问题:

  1. Finding a secure way for uploading the img file 寻找上载img文件的安全方法
  2. Limiting the file 限制档案
  3. size Uploading the image to a destination file 尺寸将图像上传到目标文件
  4. Storing the destination file as a text in the DB 将目标文件作为文本存储在数据库中

I'm using PHP and MySQL. 我正在使用PHP和MySQL。

3 个解决方案

解决方案1
 1  2011-12-16 10:47:18

Dunno what all your points about, but what you really have to be concerned with is 邓诺(Dunno)您的所有要点是什么,但是您真正要关心的是

  • check for the file extension. 检查文件扩展名。
    extract it from the filename and compare with allowed ones. 从文件名中提取它并与允许的文件进行比较。
    also it would be good to check filename to have only one dot, or at least it doesn't have a name like name.html.jpg , due to some odd Apache behavior. 同样,最好检查文件名是否只有一个点,或者至少由于其某些奇怪的Apache行为而没有诸如name.html.jpg类的名称。

  • check for the file contents. 检查文件内容。 the best way would be to create a brand new image out of the uploaded one. 最好的方法是从上传的图片中创建一个全新的图片。

  • take usual precautions while working with DB. 使用数据库时,请采取通常的预防措施。

解决方案2
 0 已采纳  2011-12-16 10:34:56

Here you go, this covers the basic ideas of what you want to do: 到这里,这涵盖了您想做什么的基本思想: 

<?php
    $allowedTypes = array("image/jpg", "image/jpeg", "image/png");
    $maxSize = 3 * 1024 * 1024; // 3Mb

    $fileType = $_FILES["file"]["type"];
    $fileSize = $_FILES["file"]["size"];

    // check if there was an error
    if ($_FILES["file"]["error"] > 0)
    {
        die($_FILES["file"]["error"]);
    }

    // check if the filetype is valid
    if (!in_array($fileType, $allowedTypes))
    {
        die("Invalid file type: $fileType");
    }

    // check if the size doesn't exceed the limitations
    if ($fileSize > $maxSize)
    {
        die("The file was too big: $fileSize");
    }

    $name = $_FILES["file"]["name"];
    $tmpfile = $_FILES["file"]["tmp_name"];

    // check if the filename is valid
    if (preg_match("/[\w-]+\.(jpg|jpeg|png)$/", $name) != 1)
    {
        die("Invalid file name: $name");
    }

    // create unique name if needed

    $path = "/var/www/images/" . $name;

    move_uploaded_file($tmpfile, $path);

    // add the filepath to mysql
    mysql_connect("localhost", "username", "password");
    mysql_select_db("imagedb");
    mysql_query("INSERT INTO images (Location, Size) VALUES ('$path', '$size');");
?>

This is meant to show how it could be done. 这是为了说明如何完成。

解决方案3
 -2  2011-12-16 10:11:17

read this 这个

personally I'd use imgur which is used here on stackexchange websites 我个人会使用在stackexchange网站上使用的imgur

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 什么是可以处理所有文件类型的最安全的php文件上传方法? - What is the Most Secure php file upload method that can handle all filetypes? 什么是最安全的散列方法? (PHP) - What is the most secure hashing method? (PHP) 上传文件最安全的方法是什么? - What is the most secure method for uploading a file? 在 php 中安全上传图片 - Secure image upload in php 安全图片上传PHP - Secure image upload PHP 使用PHP保护图像上传? - Secure image upload with PHP? PHP安全文件上传 - PHP secure file upload PHP文件上传,安全吗? - PHP File upload, Secure? 从Node.js服务器到PHP服务器的安全文件上传 - Secure file upload from Node.js server to PHP server 创建上传目录的最安全方法是什么? - What is the most secure way to create upload directories?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM