所以我有这个文件上传系统,它应该只接受$allowedExts中的文件类型,但有人不断用一个名为 angel.jpg.php 的文件破坏系统。我认为他已经改变了哑剧类型,但我仍然想知道他是如何违反扩展检查的。帮助将不胜感激。提前谢谢。
<?php
$allowedExts = array("gif", "jpeg", "jpg", "png", "bmp", "doc", "pages", "docx", "pdf","ppt","pptx","xls","xlsx");
$temp = explode(".", $_FILES["file"]["name"]);
$extension = end($temp);
$extension2 = pathinfo($target_file,PATHINFO_EXTENSION);
if (($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/x-png")
|| ($_FILES["file"]["type"] == "image/png")
|| ($_FILES["file"]["type"] == "image/bmp")
|| ($_FILES["file"]["type"] == "application/msword")
|| ($_FILES["file"]["type"] == "application/x-iwork-pages-sffpages")
|| ($_FILES["file"]["type"] == "application/vnd.openxmlformats-officedocument.wordprocessingml.document")
|| ($_FILES["file"]["type"] == "application/pdf")
|| ($_FILES["file"]["type"] == "application/vnd.ms-powerpoint")
|| ($_FILES["file"]["type"] == "application/vnd.openxmlformats-officedocument.presentationml.presentation")
|| ($_FILES["file"]["type"] == "application/excel")
|| ($_FILES["file"]["type"] == "application/vnd.ms-excel")
|| ($_FILES["file"]["type"] == "application/x-excel")
|| ($_FILES["file"]["type"] == "application/x-msexcel")
|| ($_FILES["file"]["type"] == "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet")
&& in_array($extension, $allowedExts) && in_array($extension2, $allowedExts) && getimagesize($_FILES["file"]["name"])!=='FALSE')
{
// Upload file
}
else {
// Do not upload file
}
因为没有人添加更多有用的提示。
我决定自己搜索它们。
我在各种网站上找到了一些很好的提示。
以下是其中的两个:
http://hungred.com/useful-information/secure-file-upload-check-list-php/http://nullcandy.com/php-image-upload-security-how-not-to-do-it/