php&中的安全风险jquery文件上传

时间:2017-11-14 06:15:25

标签: php jquery jquery-upload-file-plugin

我有以下代码用于jquery文件上传和调整大小图像。在我以前的一篇帖子中,另一位用户告诉他们存在安全风险。这是代码:

<?php
$output_dir = "../images/img_user/";
if(isset($_FILES["file"]) && !empty($_FILES["file"]))
{
    $ret = array();
    $error =$_FILES["file"]["error"];
    if(!is_array($_FILES["file"]["name"])) //single file
    {
        $fileName = $_FILES["file"]["name"];
        move_uploaded_file($_FILES["file"]["tmp_name"],$output_dir.$fileName);
        //img resize
        require 'imgclass.php';
        $resize_image = new Zebra_Image();
        $resize_image->preserve_aspect_ratio = true;
        $resize_image->source_path = $output_dir.$fileName;
        $ext = trim("$fileName");
        $resize_image->target_path = '../images/img_user/'.$ext;
        if (!$resize_image->resize(128, 128, ZEBRA_IMAGE_NOT_BOXED, 1))
        {
            // if there was an error, let's see what the error is about
            switch ($resize_image->error) {
                case 1:
                    $custom_error= array();
                    $custom_error['jquery-upload-file-error']="Image file could not be found!";
                    echo json_encode($custom_error);
                    die();
                case 2:
                    $custom_error= array();
                    $custom_error['jquery-upload-file-error']="Image file is not readable!";
                    echo json_encode($custom_error);
                    die();
                case 3:
                    $custom_error= array();
                    $custom_error['jquery-upload-file-error']="Could not write target file!";
                    echo json_encode($custom_error);
                    die();
                case 4:
                    $custom_error= array();
                    $custom_error['jquery-upload-file-error']="Unsupported image file format!";
                    echo json_encode($custom_error);
                    die();
                case 5:
                    $custom_error= array();
                    $custom_error['jquery-upload-file-error']="Unsupported target file format!";
                    echo json_encode($custom_error);
                    die();
                case 6:
                    $custom_error= array();
                    $custom_error['jquery-upload-file-error']="GD library version does not support target file format!";
                    echo json_encode($custom_error);
                    die();
                case 7:
                    $custom_error= array();
                    $custom_error['jquery-upload-file-error']="GD library is not installed!";
                    echo json_encode($custom_error);
                    die();
            }//end switch
        }//end resize error
        //end resize
        $ret[]= $fileName;
    }
    echo json_encode($ret);
}
?>

我正在使用以下库:

http://hayageek.com/docs/jquery-upload-file.php

我创建了一个htaccess文件,以防止在上传文件夹中执行代码。文件夹权限为755,文件chmod为640.

另一位用户Xorifelse评论如下: “此外,move_uploaded_file($_FILES["file"]["tmp_name"],$output_dir.$‌​fileName);的安全风险也来自2000年左右。安全措施已过时17年。是的,您允许我们毫不费力地将PHP文件上传到您的网络服务器。”

如果是这样,涉及的安全问题是什么?如何防止它?我是新手程序员。

0 个答案:

没有答案
相关问题
最新问题