dpca31461 2015-07-29 17:06
浏览 44

如何保护PHP中的文件上传攻击?

I have file upload script as below (upload.php). As I can guess, someone can write script that sends 1000+ files to upload.php at the small period of time.

So, how to protect myself from numerous file uploads attack?

<?php
    if (!empty($_FILES)) {   
        $ds = DIRECTORY_SEPARATOR;
        $storeFolder = 'uploads';

        $rand_dir = rand(1, 1000);
        $targetPath = realpath(dirname(__FILE__) . '/..') . $ds . $storeFolder . $ds . $rand_dir . $ds;
        $targetPath_clean = $storeFolder . $ds . $rand_dir . $ds;

        if (!file_exists($targetPath))
            mkdir($targetPath, 0777, true);

        $filename = date('YmdHis_') . generateRandomString() . '.' . pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);

        move_uploaded_file($_FILES['file']['tmp_name'], $targetPath . $filename);
        echo $targetPath_clean . $filename;
    } else {
        die('access denied');
    }
?>
  • 写回答

1条回答 默认 最新

  • duanqianhuan3994 2015-07-29 17:09
    关注

    This mainly depends on what you want to achieve.

    If form is anonymous you can use kind of capatcha or limit the file upload from one host (e.g. saving given IP in database and limiting its ability to upload further files). If your script requires user authorization you can limit file upload by given login.

    Please give us more details what is your business logic so we will be able to help you.

    评论

报告相同问题?

悬赏问题

  • ¥15 基于卷积神经网络的声纹识别
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
  • ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
  • ¥15 CSAPPattacklab
  • ¥15 一直显示正在等待HID—ISP
  • ¥15 Python turtle 画图
  • ¥15 stm32开发clion时遇到的编译问题