Is it possible to block php scripts in the upload folder?
I'm experiencing my first form in php where images can be uploaded.
I've seen some articles on the web which explain it can be dangerous, so is there some way to block scripts on a specified folder? Something with .htaccess or php.ini instructions?
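For the .htaccess side of the question, here is an added example (not from the question or any of the answers below) of a per-directory file that stops Apache from executing PHP in the upload folder and refuses to serve anything that is not an image. It assumes Apache 2.4 with mod_php and that `AllowOverride` permits these directives in the directory; the `php_flag` line is only understood by mod_php, so on a PHP-FPM setup drop it and rely on the deny rules (and on keeping uploads outside the web root, as the first answer recommends).

```apache
# Added example: .htaccess for the upload directory (assumed: Apache 2.4 + mod_php)

# Do not run the PHP engine for anything under this directory.
php_flag engine off

# Strip any handler/type mapping that could make a file execute, whatever it is named.
RemoveHandler .php .phtml .php3 .php4 .php5 .phar
RemoveType    .php .phtml .php3 .php4 .php5 .phar
Options -ExecCGI -Indexes

# Deny everything by default ...
Require all denied

# ... then allow only files with an image extension back through.
# (The PHP upload handler must still verify the file content; this only
#  decides what the web server will hand out.)
<FilesMatch "\.(?i:jpe?g|png|gif)$">
    Require all granted
</FilesMatch>
```

Check it works by placing a file named `test.php` in the directory and requesting it: with these rules Apache answers 403 instead of running it, while `test.jpg` is still served.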
The VERY best way is to make sure that your upload directory is outside of your webroot. As long as the webserver has read/write access there you will be fine - no worries about executable uploads. This was discussed here on stackoverflow.
Your best bet is to verify the file's extension upon upload. If it's not jpg/png/gif/etc., dismiss it. As long as your webserver is not misconfigured to interpret any file as a PHP file, then with this approach you're out of harm's way, with minimal headache and really simple implementation.
Check the file being uploaded has a benign extension (.gif, .mp3, etc.) - and trash anything else. For extra-sekrit protection, capture the file's original name in a database (for future reference), then encrypt the filename (and store that as well). That way anything that's uploaded can't be found by filename by the uploader.
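The three answers above each give one piece of the defence: keep the directory outside the web root, allow-list the extension, and store the file under a name the uploader cannot guess. The following PHP is an added example (not code from the question or any answer) that puts them together in one upload handler and additionally checks the file's actual bytes, since an extension check alone accepts a PHP script renamed to `shell.jpg`. Assumed: `UPLOAD_DIR` is a directory outside the document root that the web server can write to, and the form field is named `image`.

```php
<?php
// Added example: hardened image upload + serving. Assumed paths and field names.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads_private'; // assumed: NOT under the document root
const MAX_BYTES  = 2 * 1024 * 1024;            // size cap, also limits "too big" uploads

// Allow-list: extension => MIME type the file's *content* must actually have.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry and store it under a random name.
 * Returns the stored filename (record it in your database next to the original name).
 * Throws RuntimeException on any rejection.
 */
function storeImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (int) $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied name is used only to read the extension; nothing else about it is trusted.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Inspect the bytes on disk, not the client-supplied $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // getimagesize() parses the image header; a script with an image extension fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-chosen random name: the uploader cannot request the file by the name they sent.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    chmod($dest, 0640); // no execute bit, not world-readable
    return $stored;
}

/**
 * Hand a stored image back through PHP, because the directory has no URL of its own.
 * $name must be exactly what storeImage() returned; anything else is a 404.
 */
function serveImage(string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(jpe?g|png|gif)$/', $name)) {
        http_response_code(404);   // also rejects "../" and any non-generated name
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[pathinfo($name, PATHINFO_EXTENSION)]);
    header('X-Content-Type-Options: nosniff'); // browser must not sniff it into something else
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Usage in the form handler (field name "image" is assumed):
// try { $stored = storeImage($_FILES['image']); } catch (RuntimeException $e) { /* reject */ }
```

Because the files never live under the web root, even a server later misconfigured to run `.jpg` as PHP has nothing to execute; the content check, random name and `nosniff` header are the layers that remain if someone does put the directory back inside it.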
It's dangerous only if you let the users upload whatever they want. Allow only what you decide is safe and you won't need to block anything.
I think it can be dangerous if you don't check what file type was uploaded, e.g. a "hacker" uploads a php file that deletes all of your httpdocs stuff, or if people can upload too many or too big files.