开发者

Is it possible to block php scripts in upload folder?

I'm experiencing my first form in php where images can be uploaded.

I've seen some article 开发者_如何学运维on the web which explains it can be dangerous, so there is some way to block scripts on a specified folder? Something with .htaccess or php .ini instruction?


The VERY best way is to make sure that your upload directory is outside of your webroot. As long as the webserver has read/write access there you will be fine - no worries about executable uploads. This was discussed here on stackoverflow.


Your best bet is to verify the file's extension upon upload. If it's not jpg/png/gif/etc., dismiss it. As long as your webserver is not misconfigured to interpret any file as a PHP file, then with this approach you're out of harm's way, with minimal headache and really simple implementation.


Check the file being uploaded has a benign extension (.gif, .mp3, etc) - and trash anything else. For extra-sekrit protection, capture the file's original name in a database (for future reference), then encrypt the filename (and store that as well). That way anything that's uploaded can't be found by filename by the uploader.


It's dangerous only if you let the users upload whatever they want. Allow only what you decide is safe and you won't need to block anything.


i think it can be dangers if you don't check what file type was uploaded e.g. "hacker" uploads a php file that deletes all of your httpdocs stuff, or if people can upload to many or to big files.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜