Prevent execution of uploaded php files?

星月不相逢 2021-01-01 00:13

In my project users are allowed to upload files of any type. I need to ensure security against execution of uploaded files that can be parsed by PHP (*.php, *.html, etc.).

3 Answers
  • 2021-01-01 00:39

    Why not just rename the file extensions upon upload to .phps?

    To clarify, PHPS is the source code view of a PHP file:

    To clarify:

    file.php => file.phps

    Quick Google example:

    • http://filext.com/file-extension/PHPS
  • 2021-01-01 00:40

    Keep them all under the same folder and set this line in the directory's .htaccess file:

    php_flag engine off
    

    That will also take care of other exploits such as embedding PHP code in .gif files.

  • 2021-01-01 00:41

    You want the Apache SetHandler directive: http://httpd.apache.org/docs/current/mod/core.html#sethandler

    This lets you force all files in a directory to be processed by a certain handler. So something along the lines of:

    <Location /web/uploads>
    SetHandler None
    </Location> 
    

    should do what you want.

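
The `php_flag engine off` and `SetHandler` answers above, combined into one server-level configuration. This is an added example, not part of any answer in the thread; it sits in the main server or virtual host configuration rather than in an .htaccess file so that nothing stored in the upload directory can change it. Assumptions: Apache 2.4, a hypothetical upload directory `/var/www/example/uploads` served under `/uploads`, and `default-handler` used in place of `None` to force static serving.

```apache
# Added example: main server or <VirtualHost> configuration, Apache 2.4.
# Assumed (not from the thread): uploads are stored in
# /var/www/example/uploads and served under the URL prefix /uploads.

<Directory "/var/www/example/uploads">
    # Ignore any .htaccess inside the upload directory, so a stored file
    # named .htaccess cannot undo the settings below.
    AllowOverride None

    # No CGI execution and no server-side includes from this directory.
    Options -ExecCGI -Includes

    # mod_php only: switch the PHP engine off. php_admin_flag is accepted
    # only in server configuration and cannot be overridden per directory.
    # "php_module" is the PHP 8 module identifier; PHP 7 uses "php7_module".
    <IfModule php_module>
        php_admin_flag engine off
    </IfModule>
</Directory>

<Location "/uploads">
    # <Location> sections are merged after <Directory> and <FilesMatch>,
    # so this replaces a handler assigned elsewhere, for example a
    # package-level <FilesMatch "\.php$"> that hands files to mod_php or
    # to PHP-FPM. default-handler is Apache's static-file handler.
    SetHandler default-handler
</Location>
```

Run `apachectl configtest` before reloading. Afterwards, a request for a harmless test `.php` file placed under `/uploads` should return the file's bytes unchanged rather than the script's output.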