I am making a PHP image uploader using the Zend Framework which will upload images to a public directory for people to be able to freely access.
I have so far implemented these measures for security:

- File size validation
- Extension validation
- MimeType validation
- Upon successful validation the file is renamed with an image extension in a public folder, i.e. /images/uploads/...
Is this enough security? Can't run it through some antivirus script can you (is this required)?
The file extension and the mime type can be easily faked. Use getimagesize() to see if it really is an image.
You shouldn't be saving your uploads in the public folder at all! You should save them in a private directory and use a view helper to load the images for you.
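The following is an added example, not code from the question or either answer, that combines the advice of both: it checks the actual bytes with getimagesize(), re-encodes the image so only pixel data is written, stores the result under an opaque name outside the web root, and serves it through a script that sets the Content-Type itself. The directory name `private_uploads`, the form field `image`, and the function names `store_upload()` / `serve_image()` are assumptions for this example; in a Zend application the serving logic would live in a controller action or view helper rather than a standalone script.

```php
<?php
// Added example (not from the question or answers). UPLOAD_DIR, MAX_BYTES,
// store_upload() and serve_image() are names chosen for this illustration.
declare(strict_types=1);

// Storage directory OUTSIDE the web root (assumption: one level above public/).
const UPLOAD_DIR = __DIR__ . '/../private_uploads';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MiB

// Only these decoded image types are accepted. The extension we write is
// derived from the decoded type, never from the client-supplied filename.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

/**
 * Validate an uploaded file and move it into the private directory.
 * Returns the opaque stored name, or throws on any failure.
 */
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // getimagesize() parses the real bytes: a renamed script or a forged
    // Content-Type header will not pass this check.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('Not a supported image');
    }

    // Re-encode through GD so anything appended after a valid image
    // (trailing data, metadata) is discarded; only pixels are written.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }

    $ext  = ALLOWED_TYPES[$info[2]];
    $name = bin2hex(random_bytes(16)) . '.' . $ext; // opaque, unguessable name
    $dest = UPLOAD_DIR . '/' . $name;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('Cannot create upload directory');
    }

    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    return $name;
}

/**
 * Serve a stored image by name. The name must match a strict pattern, so
 * path traversal is impossible, and the Content-Type comes from the stored
 * extension, not from anything the client sends.
 */
function serve_image(string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        exit;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    $mime = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    header('Content-Type: ' . $mime[pathinfo($path, PATHINFO_EXTENSION)]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage (assumed form field name "image"):
//   $stored = store_upload($_FILES['image']);  // on the upload request
//   serve_image($_GET['id']);                  // on GET /image.php?id=<name>
```

Re-encoding through GD is the step that makes the "is it really an image" check robust: getimagesize() only inspects the header, so a file that starts with a valid image and carries other content afterwards would still pass it, while the re-encoded copy contains nothing but pixels. The trade-off is that EXIF metadata and animated GIF frames are lost, which for a public uploader is usually desirable anyway. Keeping the files outside the web root means the server never executes or sniffs them directly; every read goes through serve_image(), which is where access control can be added later.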