duangan6731 2013-06-03 21:04
Views: 51

Protecting uploaded files with PHP

I have an uploader on my website, and I use this code to check the file type:

if ($_FILES['fileToUpload']['type'] == 'image/jpeg' || $_FILES['fileToUpload']['type'] == 'image/gif' || $_FILES['fileToUpload']['type'] == 'image/png') {
    // extension is taken from the client-supplied file name
    $parts = explode(".", $_FILES['fileToUpload']["name"]);
    $file_Name = time() . "." . end($parts);
    $_FILES["fileToUpload"]["name"] = $file_Name;
    move_uploaded_file(@$_FILES["fileToUpload"]["tmp_name"], "upload/" . @$_FILES["fileToUpload"]["name"]);
    $msg .= 'Your file was uploaded successfully';
}

but some hackers can still get through and upload a PHP file. Is there any way to make this more secure?

Note: when I create a PHP file, change its extension to .jpg and then upload it, the file is accepted.


1 answer

  • doue1925 2013-06-03 21:24

    Yes, it's utterly vulnerable. In $_FILES, the following parameters are under USER control:

    ['type']
    ['name']
    

    It is beyond trivial to forge an upload, allowing such things as:

    ['type'] = 'image/jpeg';
    ['name'] = 'nasty_hacking_script.php';
    

    and boom, they're through your (laughable) security. Since you're allowing the user-defined file extension to get through your system, and only doing a trivial time-based renaming, you'll end up with something like

     1234567890.php
    

    in your site's document root. Given the name is time-based, it's also trivial for the attacker to simply poke at your server and guess what the exact time-of-upload was, e.g.

     // upper bound corrected from the original typo (124000000), which would never loop
     for ($i = 1234567800; $i <= 1234567900; $i++) {
         see_if_url_exists("$i.php");
     }
    

    until they find their script. Now they have TOTAL control of your site, and most likely the server as well.

    In short, your code provides about as much security as a piece of wet toilet paper. It is BEYOND dangerous.
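A hardened replacement for the handler in the question, added here as an example (it is not code from the question or the answer). It assumes PHP 7+, that the form field is still named fileToUpload, and that the directory in UPLOAD_DIR is outside the web document root and is served only through a script that sets the Content-Type; the allowed-type table and size limit are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7+ and that
// UPLOAD_DIR is NOT web-served (uploaded bytes are never reachable as a URL).
const UPLOAD_DIR = __DIR__ . '/../private_uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

// Keyed by the MIME type sniffed from the file CONTENT. $_FILES['type'] and
// $_FILES['name'] come from the client and are never consulted.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function handle_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Check 1: MIME type from the bytes on disk, not from the request.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('Unsupported file type');
    }
    // Check 2: it must actually parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }
    // Server-chosen, unguessable name; extension derived from the detected
    // type, so neither the client's name nor a time() value is ever used.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;       // record this; serve it via a script, not a direct path
}

if (isset($_FILES['fileToUpload'])) {
    try {
        $stored = handle_upload($_FILES['fileToUpload']);
        echo 'Your file was uploaded successfully';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Even with these checks, keeping the directory outside the document root (or configuring the web server to refuse to execute anything under it) is what removes the "uploaded .php gets executed" outcome the answer describes.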

