I want to allow my users to upload .php
files to the server, but also want to make sure the files are harmless to my application开发者_Go百科.
Any suggestions?
Thank you.
I recommend the ‘disable script execution in the uploads directory’ approach. This is the only solution that’s completely safe.
Just add this rule to the .htaccess
file inside the uploads directory:
php_value engine off
A couple of solutions:
- Rename them to .phps
- Disable execution of PHP in the upload directory in your webserver configuration
Option 1: Store them with a different filename and store the original filename as part of the metadata, e.g. in a database table.
Option 2: Disable script execution on the uploads directory.
Option 3: Rename them to .phps (an accepted extension for the display of raw PHP)
Just don't execute them, that's enough.
Make sure that your application doesn't run or include user-uploaded files at any point (e.g. by using a GET parameter to include
a file without any sanitation).
Also make sure the uploaded files are not accessible from outside with the .php
extension.
In a normal, halfway properly coded workflow, uploaded .php files do not pose a security risk no matter what code they contain.
Make the upload directory separate, write-only and not visible from the internet (this will prevent them accessing their own script after uploading).
You can then moderate new scripts and do as you see fit.
精彩评论