Enhancing the security of PHP file uploads

2022-01-09 00:00:00 file upload security php

Hey.. my question is how to prevent someone uploading a virus or some malicious code with the extension you pretend, for example I have a pdf file uploader; anyone can upload a binary with pdf camouflage, and there are lots of programs to do that.

Recommended answer

There are a number of security concerns that arise with uploading files. The first problem is that the file might not be the file you want, in this case a pdf. The variable $_FILES['file_name']['type'] is controlled by the attacker and can never be trusted. This value is commonly modified using exploit code or using tamperdata.

1) The first step in your security system is to make sure the file has a .pdf extension:

// Reject anything whose final extension is not exactly "pdf"; a name with no '.' at all also fails
// (without the strrpos() check, a missing '.' would make substr() compare against the wrong offset).
$dotPos = strrpos($fileName, '.');
if ($dotPos === false || "pdf" != substr($fileName, $dotPos + 1)) {
   die("Invalid File Type");
}

2) Next you should check what file type it is using the php filetype() function.

3) A serious problem is that these PDF files can exploit vulnerabilities such as buffer overflows commonly found in software made by Adobe. These PDFs are used to spread viruses in a Drive By Download attack.

The best solution is to install the web application firewall Mod_Security. This will stop attacks like sql injection and xss from hitting your web application. Mod_Security can be configured to scan all uploaded files for viruses using modsec-clamscan.
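Putting the answer's steps together, here is an added example (not the original answer's code) of a PDF upload handler that ignores the client-supplied $_FILES[...]['type'], checks the extension and the real file content, and stores the file under a random name ready for an AV scan. It assumes a form field named "pdf" and a writable UPLOAD_DIR outside the web root; both are assumptions, and the random-name and is_uploaded_file() checks go slightly beyond what the answer lists.

```php
<?php
// Added example, not the original answer's code: a PDF upload handler that ignores
// the client-supplied $_FILES[...]['type'], checks the extension and the real file
// content, and stores the file under a random name. Assumes a form field named
// "pdf" and a writable UPLOAD_DIR that is NOT under the web root (both assumptions).
declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads/pdf';

function validatePdfUpload(array $file): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    // Only accept a file that really came through PHP's upload mechanism.
    if ($err !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException("Upload failed (error code $err)");
    }
    // Step 1 of the answer: the client name must end in .pdf. Only the final
    // extension counts, so a name such as "report.pdf.php" is rejected here.
    if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) !== 'pdf') {
        throw new RuntimeException('Invalid file type');
    }
    // Step 2: inspect the actual bytes instead of trusting the MIME type the
    // browser sent: libmagic detection plus the mandatory "%PDF-" header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $head = (string) file_get_contents($file['tmp_name'], false, null, 0, 5);
    if ($mime !== 'application/pdf' || $head !== '%PDF-') {
        throw new RuntimeException("Content is not a PDF (detected $mime)");
    }
    // Never reuse the client's name: a random one keeps user-chosen paths out of
    // the filesystem and out of any URL you later serve.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.pdf';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest; // pass this path to an AV scanner (e.g. ClamAV) before serving it
}

try {
    $stored = validatePdfUpload($_FILES['pdf'] ?? []);
    echo 'Stored as ', basename($stored);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ', htmlspecialchars($e->getMessage());
}
```

Content checks of this kind only establish that the bytes look like a PDF; they do not make a malicious PDF safe, which is why the answer's step 3 (scanning, e.g. with modsec-clamscan) still applies to the stored file.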
