验证上传文件的类型
通过验证后缀名不是一个好办法,因为看见别人使用过将木马的后缀名改为.jpg。然后入侵的例子
那么有没有一个更加安全的方法来验证上传文件的正确类型呢?
------解决方案--------------------
复制粘贴
最烂的方法就是通过$_FILES[...]['type']来检测上传文件的类型,因为只需简单修改文件扩展名就可以伪造它。
另一个相对安全点的方法是通过文件头两个字节的内容来判断上传文件的类型,例子代码如下:
$handle = fopen($_FILES[...]['tmp_name'], 'rb');
$content = fread($handle, 2);
fclose($handle);
$info = unpack('c2chars', $content);
if (emptyempty($info['chars1']) || emptyempty($info['chars2'])) {
exit('Error!');
}
if ($info['chars1'] $info['chars1'] += 256;
}
if ($info['chars2'] $info['chars2'] += 256;
}
$code = $info['chars1'] . $info['chars2'];
PHP中的pack&unpack函数很炫,有兴趣的可以看:Handling binary data in PHP with pack() and unpack()
注:网上搜索的大多数相关的程序没有做256的相关操作,这是我通过试验数据自己意淫的TDD结果,不肯定是否一定正确,读者自己斟酌。
通过switch判断$code变量,就可以对应到文件类型,常见的图片类型结果大致如下:
GIF:7173
JPG:255216
PNG:13780
当然也可以判断其他的文件类型,自己做做试验就知道数值大小了。但此方法也不是一定安全的,因为前两个字节的内容也是可以伪造的,所以最好还要限制一下文件的扩展名,以防意外的解析,比如说,你创建一个名为foobar.php的文件,内容如下:
GIF89
当你使用前两个字节去检测文件类型的时候,就会得出GIF:7173的结果,即便使用shell下的file命令去检测,一样会误认为是GIF图片:
# file foobar.php
foobar.php: GIF image data 16188 x 26736
由于扩展名是.php,那么此文件就被php引擎解析了,如此一来就给了黑客一个web shell,安全也就无从谈起了。所以说限制文件扩展名非常重要,切记!至于已经如何发现这类伪装,最简单的方法是在用shell命令过滤一遍:
# strings foobar.php | grep -i "
如果想彻底屏蔽此类危险,可以考虑使用gd,imagemagick,graphicsmagick等工具把用户上传的图片进行必要的编辑后再转存,这样就能抹去可能的嵌入代码。如果想更安全点,还应该把图片服务器独立出来,不装php,只解析静态文件。
补充:如果仅仅是判断图片的话,还有一个更简单方法,那就是getimagesize,这个方法虽然从名字上看是用来取得图片大小的,但结果里包含了图片类型,另外,虽然这个方法在文档里被归纳在GD部分,但是即便没有安装GD,也是可用的,不过和前面一样,也要注意安全问题。
How to make PHP applications fasterMay 12, 2025 am 12:12 AMTomakePHPapplicationsfaster,followthesesteps:1)UseOpcodeCachinglikeOPcachetostoreprecompiledscriptbytecode.2)MinimizeDatabaseQueriesbyusingquerycachingandefficientindexing.3)LeveragePHP7 Featuresforbettercodeefficiency.4)ImplementCachingStrategiessuc
PHP Performance Optimization Checklist: Improve Speed NowMay 12, 2025 am 12:07 AMToimprovePHPapplicationspeed,followthesesteps:1)EnableopcodecachingwithAPCutoreducescriptexecutiontime.2)ImplementdatabasequerycachingusingPDOtominimizedatabasehits.3)UseHTTP/2tomultiplexrequestsandreduceconnectionoverhead.4)Limitsessionusagebyclosin
PHP Dependency Injection: Improve Code TestabilityMay 12, 2025 am 12:03 AMDependency injection (DI) significantly improves the testability of PHP code by explicitly transitive dependencies. 1) DI decoupling classes and specific implementations make testing and maintenance more flexible. 2) Among the three types, the constructor injects explicit expression dependencies to keep the state consistent. 3) Use DI containers to manage complex dependencies to improve code quality and development efficiency.
PHP Performance Optimization: Database Query OptimizationMay 12, 2025 am 12:02 AMDatabasequeryoptimizationinPHPinvolvesseveralstrategiestoenhanceperformance.1)Selectonlynecessarycolumnstoreducedatatransfer.2)Useindexingtospeedupdataretrieval.3)Implementquerycachingtostoreresultsoffrequentqueries.4)Utilizepreparedstatementsforeffi
Simple Guide: Sending Email with PHP ScriptMay 12, 2025 am 12:02 AMPHPisusedforsendingemailsduetoitsbuilt-inmail()functionandsupportivelibrarieslikePHPMailerandSwiftMailer.1)Usethemail()functionforbasicemails,butithaslimitations.2)EmployPHPMailerforadvancedfeatureslikeHTMLemailsandattachments.3)Improvedeliverability
PHP Performance: Identifying and Fixing BottlenecksMay 11, 2025 am 12:13 AMPHP performance bottlenecks can be solved through the following steps: 1) Use Xdebug or Blackfire for performance analysis to find out the problem; 2) Optimize database queries and use caches, such as APCu; 3) Use efficient functions such as array_filter to optimize array operations; 4) Configure OPcache for bytecode cache; 5) Optimize the front-end, such as reducing HTTP requests and optimizing pictures; 6) Continuously monitor and optimize performance. Through these methods, the performance of PHP applications can be significantly improved.
Dependency Injection for PHP: a quick summaryMay 11, 2025 am 12:09 AMDependencyInjection(DI)inPHPisadesignpatternthatmanagesandreducesclassdependencies,enhancingcodemodularity,testability,andmaintainability.Itallowspassingdependencieslikedatabaseconnectionstoclassesasparameters,facilitatingeasiertestingandscalability.
Increase PHP Performance: Caching Strategies & TechniquesMay 11, 2025 am 12:08 AMCachingimprovesPHPperformancebystoringresultsofcomputationsorqueriesforquickretrieval,reducingserverloadandenhancingresponsetimes.Effectivestrategiesinclude:1)Opcodecaching,whichstorescompiledPHPscriptsinmemorytoskipcompilation;2)DatacachingusingMemc
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
Dreamweaver Mac version
Visual web development tools
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
SublimeText3 English version
Recommended: Win version, supports code prompts!
WebStorm Mac version
Useful JavaScript development tools
