
how to safeguard this file upload in php?

Basically this is for a simple site where only the admin will upload pictures. How do I safeguard the image upload here?

    $uploaddir = "./images/";
    $uploadfile = $uploaddir . $_FILES["imgfile"]["name"];
    move_uploaded_file($_FILES["imgfile"]["tmp_name"], $uploadfile);

    $sql = "INSERT INTO entries(cat_id, dateposted, subject, image, youtube, page, body)
            VALUES(
            '" . is_int($_POST['cat']) . "'
            , mysql_real_escape_string(NOW())
            ,'" . mysql_real_escape_string($_POST['subject']) . "'
            ,'" . mysql_real_escape_string($_FILES['imgfile']['name']) . "'
            ,'" . mysql_real_escape_string($_POST['youtube']) . "'
            ,'" . mysql_real_escape_string($_POST['page']) . "'
            ,'" . mysql_real_escape_string($_POST['body']) . "'
            );";
    mysql_query($sql) or die(mysql_error());


  1. You forgot to chmod the uploaded (moved) file (chmod -x!).
  2. You need to rename the uploaded file; I prefer [a-z\d-_.] + timestamp().
  3. You need to check that the file size is lower than the allowed maximum.
  4. You need to check against an allowed extension list: $ext in_array($config_fileupload_allowed).
  5. This list is longer :) I also check the content of files, i.e. JPEG against its signature, txt against symbols, and so on.

This code allows uploading a test.php file with something like

<?
  `rm -rf /`; 
?>

inside ...

PS.

mysql_real_escape_string(NOW()) 

This is redundant; just use NOW(). Why would you need to escape it?

,Arsen
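The checklist above, worked into a single PHP upload handler. This is an added example, not code from the question or from Arsen's answer; it assumes the form field is still called "imgfile" and the target directory is still "./images/".

```php
<?php
// Added example (not from the question or the answer): hardened replacement for
// the upload part of the asker's code, following the answer's checklist.
declare(strict_types=1);

function saveUploadedImage(array $file, string $uploadDir, int $maxBytes = 2 * 1024 * 1024): string
{
    // Reject anything PHP itself flagged (no file, partial upload, ini size limit).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Size limit: measure the temp file on disk, not the client-supplied "size" field.
    if (filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('File too large');
    }
    // Extension whitelist; the client name is only used to look up the expected type.
    $allowed = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                'png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }
    // Content check: the bytes must parse as an image of the type the extension claims,
    // so a PHP script renamed to .jpg is rejected here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        throw new RuntimeException('File content does not match a permitted image type');
    }
    // Never reuse the client-supplied name: random token + timestamp, safe charset only.
    $newName = bin2hex(random_bytes(8)) . '-' . time() . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    // Drop execute bits; the web server only needs to read the image.
    chmod($dest, 0644);
    return $newName; // store this name in the database instead of $_FILES['imgfile']['name']
}

// Usage in the original handler:
// $stored = saveUploadedImage($_FILES['imgfile'], './images/');
```

The returned `$stored` name is what belongs in the `image` column; bind it with a prepared statement rather than concatenating it into the INSERT string.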
