我有一个应用程序,允许用户以.jpg .png .jpeg格式上传图像文件。一位用户上传了一个jpg.php文件,在与他交谈后,他告诉我他编辑了图像后包含PHP代码后的图像内容然后访问图像运行代码,我的文件夹权限是755和文件权限是644,用户和组是www:data。该应用程序是在laravel 4.2框架中编写的。
我可以在此代码中添加任何内容以防止再次发生这种情况吗?我不是专业编码员,也不是自称是。
public function doCreateListing(){
$user = User::find(Auth::user()->id);
$rules = array(
'title' =>'required',
'description' =>'required',
'tags' => 'required',
'category' => 'required',
'price' => 'required|numeric|min:0',
'image_1' => 'mimes:jpg,jpeg,png',
'image_2' => 'mimes:jpg,jpeg,png',
'image_3' => 'mimes:jpg,jpeg,png',
'image_4' => 'mimes:jpg,jpeg,png',
);
//save image
$destinationPath = public_path().'/uploads/';
$j=1;
for ($i=1; $i <=4 ; $i++) {
if (Input::hasFile('image_'.$i)){
$primary_image=0;
if($j==1) $primary_image=1; //For default, the first image is the primary image.
$file = Input::file('image_'.$i);
$filename_ = str_random(8);
$filename = str_replace(" ", "-", $file->getClientOriginalName());
$file_uploaded=$filename_.'_'.$filename;
$upload_success = $file->move($destinationPath, $file_uploaded);
if( $upload_success ) {
$listing_image = new ListingImage();
$listing_image->listing_id = $listing->id;
$listing_image->image = $file_uploaded;
$listing_image->primary_image = $primary_image;
$listing_image->save();
}
$j++;
}
}
}
return Redirect::to('listings')->with('success','Your image was set.');
}