1. 首頁
  2. 問答
  3. PHP--將上傳的文件過濾到imags

PHP--將上傳的文件過濾到imags

2011-03-20 30 views
1

我怎樣才能確保沒有php/html文件上傳到我的服務器?這是我迄今爲止的代碼,但它不起作用。PHP--將上傳的文件過濾到imags

<?php 
$target = "upload/"; 
$target = $target . basename($_FILES['uploaded']['name']) ; 
$ok=1; 

//This is our size condition 
if ($uploaded_size > 35000) 
{ 
echo "Your file is too large.<br>"; 
$ok=0; 
} 

//This is our limit file type condition 
if ($uploaded_type =="text/php") 
{ 
echo "No PHP files<br>"; 
$ok=0; 
} 

//Here we check that $ok was not set to 0 by an error 
if ($ok==0) 
{ 
Echo "Sorry your file was not uploaded"; 
} 

//If everything is ok we try to upload it 
else 
{ 
if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target)) 
{ 
echo "The file ". basename($_FILES['uploadedfile']['name']). " has been uploaded and will be revied by moderators. You will recieve points based on the review."; 
} 
else 
{ 
echo "Sorry, there was a problem uploading your file."; 
} 
} 
?>

來源

2011-03-20 Shawn

+0

你從哪裏得到'$ uploaded_size'? – alex 2011-03-20 02:16:37

+0

你在哪裏設置'$ uploaded_type'?它的價值是什麼? – 2011-03-20 02:16:45

回答

1

代碼使用未設置,例如變量,$uploaded_size除非你做這樣的事情,這將是空...

$uploaded_size = $_FILES['uploaded']['size'];

此外,檢查的MIME是不是告訴過大你是否該文件有PHP或沒有。這意味着它的擴展名爲php(即如果您正在檢查type$_FILES)。

爲了安全起見,在docroot之外移動上傳文件,重命名並刪除任何擴展名(以防止Apache嘗試運行任何惡意文件)。原始文件名和類型可以安全地存儲在數據庫中,並引用(可能是哈希)新名稱。

您可能還需要確保,如果你是流內容後總是附和使用readfile()而不是像include(這將運行PHP代碼的內容,即使圖像中嵌入的與image/gif MIME,它可以是如果它包含GIF標頭,告訴它是GIF)。

來源

2011-03-20 02:17:26 alex

相關問題

 相關問題