php判断上传文件文件类型的安全方法
在使用 php 进行文件的上传和存储时,很多人都会给文件进行重名命并保存到可写文件夹下,然后我们在其中一个失误的地方便是采用上传文件的扩展名作为判断文件类型的依据。
这样做其实与后门大开无异,举一个简单的例子,通过扩展名判断一般是字符串的截取判断,或者是使用$_FILE数组判断,然后如果用户上传的文件名为 image.php.png, image.png.php, image.php%****.png 之类的话,判断就会出错。
另外,$_FILES['type']可能被篡改。
下面是我判断文件名的方法:
读取文件头四个字节作为判断。
下面直接上代码
我实现的是仅支持word和pdf文件,且文件大小小于512kb:
$tmpname = $_FILES ['userfile'] ['tmp_name'];
if(is_uploaded_file($tmpname)) {
$mimetype = detectMIME($tmpname);
$tuozhanming = getFileExt($filename, $mimetype);
if($tuozhanming == "type_error"){
echo '仅支持word和pdf文件,且文件大小小于512kb:<a href=".%24reurl.">请重试</a>';
exit();
}
}else{
$_FILES ['userfile'] ['error'] = 6;
}
if ($_FILES ['userfile'] ['error'] > 0) {
echo 'Problem: ';
switch ($_FILES ['userfile'] ['error']) {
case 1 :
echo '上传文件过大:<a href=".%24reurl.">请重试</a>';
break;
case 2 :
echo '上传文件过大:<a href=".%24reurl.">请重试</a>';
break;
case 3 :
echo '文件上传丢失:<a href=".%24reurl.">请重试</a>';
break;
case 4 :
echo '无文件被上传:<a href=".%24reurl.">请重试</a>';
break;
case 6 :
echo '仅支持word和pdf文件,且文件大小小于512kb:<a href=".%24reurl.">请重试</a>';
break;
case 7 :
echo '上传文件存储失败:<a href=".%24reurl.">请重试</a>';
break;
}
exit ();
}
//判断文件类型
//上传文件
$_FILES ['userfile'] ['name'] = time () . "." . $tuozhanming;
$upfile = '../uploads/' . $_FILES ['userfile'] ['name'];
if ( !move_uploaded_file ( $_FILES ['userfile'] ['tmp_name'], $upfile )) {
echo 'Problem: 文件移动失败';
exit ();
}
}
function detectMIME($filename) {
$file = fopen ( $filename, "rb" );
$finfo = finfo_open ( FILEINFO_MIME );
if (! $finfo) {
// 直接读取文件的前4个字节,根据硬编码判断
$file = fopen ( $filename, "rb" );
$bin = fread ( $file, 4 ); //只读文件头4字节
fclose ( $file );
$strInfo = @unpack ( "C4chars", $bin );
//dechex() 函数把十进制转换为十六进制。
$typeCode = dechex ( $strInfo ['chars1'] ) .
dechex ( $strInfo ['chars2'] ) .
dechex ( $strInfo ['chars3'] ) .
dechex ( $strInfo ['chars4'] );
$type = '';
switch ($typeCode) //硬编码值查表
{
case "504b34" :
$type = 'application/zip; charset=binary';
break;
case "d0cf11e0" :
$type = 'application/vnd.ms-office; charset=binary';
break;
case "25504446" :
$type = 'application/pdf; charset=binary';
break;
default :
$type = 'application/vnd.ms-office; charset=binary';
break;
}
} else {
//finfo_file return information of a file
$type = finfo_file ( $finfo, $filename );
}
return $type;
function getFileExt($filename, $type) {
switch ($type) {
case "application/zip; charset=binary" :
$extType = "docx";
break;
case "application/vnd.ms-office; charset=binary" :
$extType = "doc";
break;
case "application/msword; charset=binary" :
$extType = "doc";
break;
case "application/pdf; charset=binary" :
$extType = "pdf";
break;
default :
$extType = "type_error";
break;
}
return $extType;
}
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1377
52
Implement file upload and download in Workerman documents
Nov 08, 2023 pm 06:02 PM
To implement file upload and download in Workerman documents, specific code examples are required. Introduction: Workerman is a high-performance PHP asynchronous network communication framework that is simple, efficient, and easy to use. In actual development, file uploading and downloading are common functional requirements. This article will introduce how to use the Workerman framework to implement file uploading and downloading, and give specific code examples. 1. File upload: File upload refers to the operation of transferring files on the local computer to the server. The following is used
How to use Laravel to implement file upload and download functions
Nov 02, 2023 pm 04:36 PM
How to use Laravel to implement file upload and download functions Laravel is a popular PHP Web framework that provides a wealth of functions and tools to make developing Web applications easier and more efficient. One of the commonly used functions is file upload and download. This article will introduce how to use Laravel to implement file upload and download functions, and provide specific code examples. File upload File upload refers to uploading local files to the server for storage. In Laravel we can use file upload
How to solve Java file upload exception (FileUploadException)
Aug 18, 2023 pm 12:11 PM
How to solve Java file upload exception (FileUploadException). One problem that is often encountered in web development is FileUploadException (file upload exception). It may occur due to various reasons such as file size exceeding limit, file format mismatch, or incorrect server configuration. This article describes some ways to solve these problems and provides corresponding code examples. Limit the size of uploaded files In most scenarios, limit the file size
How to use gRPC to implement file upload in Golang?
Jun 03, 2024 pm 04:54 PM
How to implement file upload using gRPC? Create supporting service definitions, including request and response messages. On the client, the file to be uploaded is opened and split into chunks, then streamed to the server via a gRPC stream. On the server side, file chunks are received and stored into a file. The server sends a response after the file upload is completed to indicate whether the upload was successful.
How to implement FTP file upload progress bar using PHP
Jul 30, 2023 pm 06:51 PM
How to use PHP to implement FTP file upload progress bar 1. Background introduction In website development, file upload is a common function. For the upload of large files, in order to improve the user experience, we often need to display an upload progress bar to the user to let the user know the file upload process. This article will introduce how to use PHP to implement the FTP file upload progress bar function. 2. The basic idea of implementing the progress bar of FTP file upload. The progress bar of FTP file upload is usually calculated by calculating the size of the uploaded file and the size of the uploaded file.
File Uploading and Processing in Laravel: Managing User Uploaded Files
Aug 13, 2023 pm 06:45 PM
File Uploading and Processing in Laravel: Managing User Uploaded Files Introduction: File uploading is a very common functional requirement in modern web applications. In the Laravel framework, file uploading and processing becomes very simple and efficient. This article will introduce how to manage user-uploaded files in Laravel, including verification, storage, processing, and display of file uploads. 1. File upload File upload refers to uploading files from the client to the server. In Laravel, file uploads are very easy to handle. first,
PHP file upload guide: How to use the move_uploaded_file function to handle uploaded files
Jul 30, 2023 pm 02:03 PM
PHP file upload guide: How to use the move_uploaded_file function to handle uploaded files In developing web applications, file upload is a common requirement. PHP provides a convenient function move_uploaded_file() for processing uploaded files. This article will introduce you how to use this function to implement the file upload function. 1. Preparation Before starting, make sure that your PHP environment has been configured with file upload parameters. You can do this by opening php.in
Simplify file upload processing with Golang functions
May 02, 2024 pm 06:45 PM
Answer: Yes, Golang provides functions that simplify file upload processing. Details: The MultipartFile type provides access to file metadata and content. The FormFile function gets a specific file from the form request. The ParseForm and ParseMultipartForm functions are used to parse form data and multipart form data. Using these functions simplifies the file processing process and allows developers to focus on business logic.
