我怎样才能确保没有php / html文件上传到我的服务器?这是我到目前为止的代码,但它不起作用。
<?php
$target = "upload/";
$target = $target . basename( $_FILES['uploaded']['name']) ;
$ok=1;
//This is our size condition
if ($uploaded_size > 35000)
{
echo "Your file is too large.<br>";
$ok=0;
}
//This is our limit file type condition
if ($uploaded_type =="text/php")
{
echo "No PHP files<br>";
$ok=0;
}
//Here we check that $ok was not set to 0 by an error
if ($ok==0)
{
Echo "Sorry your file was not uploaded";
}
//If everything is ok we try to upload it
else
{
if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
echo "The file ". basename( $_FILES['uploadedfile']['name']). " has been uploaded and will be revied by moderators. You will recieve points based on the review.";
}
else
{
echo "Sorry, there was a problem uploading your file.";
}
}
?>
答案 0 :(得分:1)
您的代码使用未设置的变量,例如$uploaded_size,除非您执行类似的操作,否则它将为NULL。
$uploaded_size = $_FILES['uploaded']['size'];
另外,检查MIME并不太好告诉你文件是否包含PHP。它只是意味着它具有php扩展名(即如果您正在检查type中的$_FILES)。
为了安全起见,将上传移到docroot之外,重命名并删除任何扩展名(以防止Apache尝试运行任何恶意文件)。原始文件名和类型可以安全地存储在数据库中,并引用(可能是散列的)新名称。
您可能还想确保以后是否要流式传输内容,以便始终使用readfile()来回显内容,而不是像include那样(即使嵌入图像中也会运行您的PHP代码)使用image/gif MIME,如果它包含GIF标题,可以告诉它是GIF。)
答案 1 :(得分:1)
查看http://www.php.net/manual/en/function.exif-imagetype.php - 这会检查所有JPG在开头都有的某些魔术数字。另外,正如其他人指出的那样,你正在使用未定义的变量...查看PHP教程进行文件上传(也记录了$ _FILE的内容)。
http://www.php.net/manual/en/features.file-upload.post-method.php