dongshan4316 2012-01-07 05:00
浏览 20
已采纳

文件上传安全漏洞

Is there any file upload security vulnerability in my code? I am using apache in my server side. File upload is enabled in php.ini file.

<?php
if ($_FILES["file"]["size"] < 100000)//maximum upload size is 100 kb
{
    if ($_FILES["file"]["error"] > 0)
    {
      echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
    else
    {
    if (file_exists("upload/" . $_FILES["file"]["name"]))
    {
      echo $_FILES["file"]["name"] . " already exists. ";
    }
    else
    {
      move_uploaded_file($_FILES["file"]["tmp_name"],"upload/" . $_FILES["file"]["name"]);
$var="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
$samp=str_shuffle($var);
$pass=substr($samp,0,20);// creating a random text for file name.
$ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);
$ext=".{$ext}";
$newfilename="upload/".$pass.$ext;
rename("upload/".$_FILES["file"]["name"],$newfilename );
    echo "Stored in: " . $newfilename;
echo "<br>extension : ".$ext;
  }
}
}
else
  echo "File size is too large..";
?>
  • 写回答

1条回答 默认 最新

  • dongzhenju3015 2012-01-07 05:31
    关注

    Potentially, yes.

    What would happen if someone uploaded a PHP file? Would they be able to determine the filename, file URL, and run the PHP file?

    If so, that program could use the scandir() function to get a list of all your filenames.

    To prevent this, you could store the files outside DocumentRoot path, refuse to accept .php files, or use .htaccess to turn the PHP engine off in that directory.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 cad图纸,chx-3六轴码垛机器人
  • ¥15 移动摄像头专网需要解vlan
  • ¥20 access多表提取相同字段数据并合并
  • ¥20 基于MSP430f5529的MPU6050驱动,求出欧拉角
  • ¥20 Java-Oj-桌布的计算
  • ¥15 powerbuilder中的datawindow数据整合到新的DataWindow
  • ¥20 有人知道这种图怎么画吗?
  • ¥15 pyqt6如何引用qrc文件加载里面的的资源
  • ¥15 安卓JNI项目使用lua上的问题
  • ¥20 RL+GNN解决人员排班问题时梯度消失