安全的 PHP 文件上传脚本
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4950331/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Secure PHP File Upload Script
提问by AAA
I have asked this question twice i think, but this is the first time i have gotten close to this. I am planning on allowing users to upload and download their files (.pdf, .doc, .exl, .ppt, .png, .jpg, .gif).
我想过两次这个问题,但这是我第一次接近这个问题。我计划允许用户上传和下载他们的文件(.pdf、.doc、.exl、.ppt、.png、.jpg、.gif)。
Will these tips be suffice:
这些提示是否足够:
http://blogs.sans.org/appsecstreetfighter/2009/12/28/8-basic-rules-to-implement-secure-file-uploads/
http://blogs.sans.org/appsecstreetfighter/2009/12/28/8-basic-rules-to-implement-secure-file-uploads/
Also, is there a script I can utilize, i am new to php.
另外,是否有我可以使用的脚本,我是 php.ini 的新手。
回答by Ricki
a late response, but i think your script should be based on this: http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/
迟到的回复,但我认为您的脚本应该基于此:http: //blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/
it covers all aspects of security and explains all valid points. I hope this helps.
它涵盖了安全的所有方面,并解释了所有有效点。我希望这有帮助。
EDIT: The above link is dead, here is a cached version of that article.
编辑:上面的链接已失效,这是该文章的缓存版本。
回答by CrandellWS
For Future readers, who are also new to php:
对于同样不熟悉 php 的未来读者:
Before reading the guide mentioned in Ricki's answer at https://stackoverflow.com/a/7065880/1815624, which mentions a good guide and is defiantly a recommended read I would advise to read this answer first:
在阅读 Ricki 在https://stackoverflow.com/a/7065880/1815624 上的回答中提到的指南之前,该指南提到了一个很好的指南并且绝对是推荐阅读,我建议您先阅读这个答案:
https://security.stackexchange.com/a/32853/31943
https://security.stackexchange.com/a/32853/31943
then read the guide mentioned by Ricki at:
然后阅读 Ricki 提到的指南:
http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/
http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/
After all that if you need further security, you should consider disconnecting from the internet. :P
毕竟,如果您需要进一步的安全性,您应该考虑断开与互联网的连接。:P
回答by fdreger
There is a million of file uploading scripts out there. This oneis not worse than the others.
有一百万个文件上传脚本。这个并不比其他的差。
Although the "protection" from uploading files other than pngs will not work (it only checks the name of the file).
尽管上传 png 以外的文件的“保护”不起作用(它只检查文件的名称)。
Uploading files is quite safe - it's giving others the chance of downloading them that opens your server to certain types of attacks. The article you referenced does not mention two important points:
上传文件是非常安全的——它让其他人有机会下载它们,从而使您的服务器受到某些类型的攻击。你引用的文章没有提到两个重点:
- never serve any user provided files from the same domain as your webpage. Have a separate domain for downloads. This way even if someone manages to upload a flash animation or a piece of HTML, your domain will not suffer from cross domain attack (eg if your application has a domain of example.org, you should serve user content from, say, downloads.example.com);
- always serve uploaded files with well controlled headers.
- 永远不要从与您的网页相同的域中提供任何用户提供的文件。有一个单独的下载域。这样,即使有人设法上传了 Flash 动画或一段 HTML,您的域也不会受到跨域攻击(例如,如果您的应用程序的域是 example.org,则您应该提供来自下载的用户内容。例子.com);
- 始终提供带有良好控制的标题的上传文件。
