Should uploaded files be renamed?

Front-end · unresolved · 3 answers · 1541 views
天命终不由人 2020-12-11 04:52

I've been reading up on PHP file upload security and a few articles have recommended renaming the files. For example, the OWASP article Unrestricted File Upload says:

3 answers
  •  离开以前
    2020-12-11 05:42

    When I upload files I use PHP's unique_id() function for the filename that is stored on the server (and I preserve the file extension since it makes it easier for me when I am looking at all the files in the storage directory via the local file system).

    I save the file outside of the website file system (aka you can never browse directly to the files).

    I always use php's move_uploaded_file() function to save the file to the server.

    I store the original filename, the path/filename where it is stored, and any other project-related information you might need about who uploaded it, etc., in a database.

    In some of my implementations I also create a hash of the file contents and save that in the database too. Then, for other uploaded files, I look in the database to see if I have a copy of that exact file already stored.

    Some code examples:

    The form:

    <form method="post" enctype="multipart/form-data" action="your_form_handler.php">
        <!-- The input fields were lost in extraction; "userfile" is an assumed field name -->
        <input type="file" name="userfile">
        <input type="submit" value="Upload">
    </form>

    The form handler:

    <?php
    // The opening of this handler was lost in extraction; the function name,
    // the loop over $_FILES and the size check are reconstructed so it runs.
    function handle_uploads(){
        foreach($_FILES as $file){
            if($file['size'] > 0){
                $data_storage_path = '/path/to/file/storage/directory/';
                $original_filename = $file['name'];
                $file_basename     = substr($original_filename, 0, strripos($original_filename, '.')); // strip extension
                // note: the extension comes from the client-supplied name and is reused on disk below
                $file_ext          = substr($original_filename, strripos($original_filename, '.'));
                $file_md5_hash     = md5_file($file['tmp_name']);
                $stored_filename   = uniqid();                         // server-generated name
                $stored_filename  .= $file_ext;
                if(! move_uploaded_file($file['tmp_name'], $data_storage_path.$stored_filename)){
                     // unable to move, check error_log for details
                     return 0;
                }
                // insert a record into your db using your own mechanism ...
                // $statement = "INSERT into yourtable (original_filename, stored_filename, file_md5_hash, username, activity_date) VALUES (?, ?, ?, ?, NOW())";

                // success, all done
                return 1;
            }
        }
        return 0;
    }

    ?>
    

    Program to handle download requests

     

    If you want to present the download in the same page that the user is requesting it from then look at my answer to this post: Dowloading multiple PDF files from javascript
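As an added example (my own code, not the answerer's), the approach described above carried through in PHP: a random server-side name, storage outside the web root, content-hash de-duplication, and a download handler that resolves files by database id rather than by any client-supplied path. The storage directory, the extension allowlist, and the `uploads` table with its columns are assumptions.

```php
<?php
// Added example, not the answerer's code. Paths, the extension allowlist and the
// uploads table/columns are assumptions; the client filename is never used on disk.

const STORAGE_DIR  = '/var/app-data/uploads/';      // assumed; outside the document root
const ALLOWED_EXTS = ['pdf', 'png', 'jpg', 'jpeg']; // assumed allowlist for this app

function store_upload(array $file, PDO $db, string $username): ?int
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // The client-supplied name is untrusted: record it, but never use it on disk.
    $original = basename($file['name']);
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTS, true)) {
        return null;
    }
    // A content hash lets us spot an identical file before writing a second copy.
    $sha256 = hash_file('sha256', $file['tmp_name']);
    $stmt = $db->prepare('SELECT id FROM uploads WHERE sha256 = ?');
    $stmt->execute([$sha256]);
    if (($existing = $stmt->fetchColumn()) !== false) {
        return (int) $existing;
    }
    // random_bytes() gives an unguessable name; uniqid() is derived from the clock.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], STORAGE_DIR . $stored)) {
        return null;
    }
    $stmt = $db->prepare('INSERT INTO uploads (original_filename, stored_filename, sha256, username, activity_date) VALUES (?, ?, ?, ?, NOW())');
    $stmt->execute([$original, $stored, $sha256, $username]);
    return (int) $db->lastInsertId();
}

// Downloads are looked up by database id, so no client-supplied path reaches the filesystem.
function send_download(int $id, PDO $db): bool
{
    $stmt = $db->prepare('SELECT original_filename, stored_filename FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    if (!($row = $stmt->fetch(PDO::FETCH_ASSOC))) {
        return false;
    }
    $path = STORAGE_DIR . $row['stored_filename'];
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($row['original_filename']));
    header('Content-Length: ' . filesize($path));
    readfile($path);
    return true;
}
```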
