问题
Laravel basically have following below functions for input type file.
// Determine if a file was uploaded
Input::hasFile('filename');
// Access file properties
Input::file('name')->getRealPath();
Input::file('name')->getClientOriginalName();
Input::file('name')->getClientOriginalExtension();
Input::file('name')->getSize();
Input::file('name')->getMimeType();
If i use getClientOriginalExtension to find correct image extension, getSize to restrict file upload size & getMimeType to check the mimetype of image.
Am i secured ? And can have faith on function that , it will not be exploited by hacker in any way.
Considering a fact, that i will be only uploading image.
Update : Follow below URL for File Uploading Securely with Core PHP :
http://php.w3clan.com/tutorial/47/form-handling-secure-uploading
or Just use file validation in rule as per Laravel
$rule = [ 'name' => 'image' ];
回答1:
Seems pretty secure to me.
If you only intend to upload images, you can do this:
$rules [
...
'file' => 'required|image' // Assuming it's required, otherwise leave that out
]
See the image validation rule
If you want to further restrict which extensions are allowed, you can specify an array with the extensions you allow, and then check Input::file('file')->getClientOriginalExtension() against it. Although this can be spoofed, so it's better to specify which mime types are allowed instead.
If you for example only want to allow .png and .gif files, you use:
$allowedMimes = [
'image/gif',
'image/png'
];
And then check using ->getMimeType()
来源:https://stackoverflow.com/questions/27646204/is-laravel-file-uploading-secure-if-considered-only-image