Ways to stop people from uploading GIFs with injections in them?

后端 未结 7 662
无人共我
无人共我 2021-02-01 06:36

I have a PHP website where people can fill out help-tickets. It allows them to upload screenshots for their ticket. I allow gif, psd, bmp, jpg, png, tif to be uploaded. Upon

7条回答
  •  夕颜
    夕颜 (楼主)
    2021-02-01 07:27

    On very usefull tip to prevent problems with injected PHP came from my host's system admin: I have a site where people can uploaded their own content. I wanted to make sure the directory where uploaded images are served from doesn't run any PHP. That way someone could even post a picture named "test.php" and it would still NEVER be parsed by PHP if it was in the upload directory. The solution was simple: In the folder the uploaded content is served from put the following .htacess:

    RewriteEngine On
    RewriteRule \.$ - [NC]
    php_flag engine off
    

    This will switch off the PHP engine for the folder, thus stopping any attempt to launch any PHP to exploit server side vulnerabilities.

提交回复
热议问题