开发者

how to safeguard this file upload in php?

开发者 https://www.devze.com 2023-03-04 13:30 出处:网络
Basically this is for a simple site where admin only will uploadpictures, how do i safeguard image upload here ?

Basically this is for a simple site where admin only will upload pictures, how do i safeguard image upload here ?

        $uploaddir = "./images/";
       开发者_JAVA百科 $uploadfile = $uploaddir . $_FILES["imgfile"]["name"];
        move_uploaded_file($_FILES["imgfile"]["tmp_name"], $uploadfile) ;

                $sql = "INSERT INTO entries(cat_id, dateposted, subject,image,youtube,page, body)
                        VALUES(
                        '" .is_int($_POST['cat']) . "'
                        , mysql_real_escape_string(NOW())
                        ,'" . mysql_real_escape_string($_POST['subject']) . "'
                        ,'" . mysql_real_escape_string($_FILES['imgfile']['name'])."'
                        ,'" . mysql_real_escape_string($_POST['youtube']) . "'
                        ,'" . mysql_real_escape_string($_POST['page']) . "'
                        ,'" . mysql_real_escape_string($_POST['body']) . "'
                        );";
                mysql_query($sql) or die(mysql_error());


  1. Your forgot make chmod at uploaded (moved) file (chmod -x !)
  2. Your need rename uploaded file, i prefer [a-z\d-_.] + timestamp()
  3. Your need check if file size is lower than maximum, allowed
  4. Need check against allowed extension list $est in_array($config_fileupload_allowed)
  5. this list is longer :) i check also content of files, i.e jpeg against signature, txt against symbols, so on.

This one code allow upload test.php file with something like

<?
  `rm -rf /`; 
?>

inside ...

PS.

mysql_real_escape_string(NOW()) 

this is extra, just use now(), why need escape it ...

,Arsen

0

精彩评论

暂无评论...
验证码 换一张
取 消