1. 首頁
  2. 問答
  3. 防止起吊文件的htaccess

防止起吊文件的htaccess

2014-10-10 47 views
0

現在,我完成了用PHP創建一個簡單的系統上傳文件,但我需要幫助,請與本我的訂單: 我想一個解決方案來阻止上傳的.htaccess文件我上傳 網站。 等文件(.css.php .html ...)。防止起吊文件的htaccess

PHP代碼

set_time_limit(0); 
require("connect.php"); 
if (isset($_FILES['upload_file'])) { 
    foreach ($_FILES['upload_file']['tmp_name'] as $count=>$upload_file) { 
     if (!empty($_FILES['image']['error'][$count])) { 
      return false; 
     } 
     if (!empty($upload_file)&&is_uploaded_file($upload_file)) { 
      $charset="AHfgG15Ds10MZD58N"; 
      $code=''; 
      $length=15; 
      for ($i=0; $i<=$length; $i++) { 
       $rand=rand()%strlen($charset); 
       $tmp=substr($charset,$rand,1); 
       $code.=$tmp; 
      } 

      $query=mysql_query("SELECT `code` FROM `files` WHERE `code`='$code'") or die(mysql_error()); 
      $numrows=mysql_num_rows($query); 

      while ($numrows!=0) { 
       $code=''; 
       for ($i=0; $i<=$length; $i++) { 
        $rand=rand()%strlen($charset); 
        $tmp=substr($charset,$rand,1); 
        $code.=$tmp; 
       } 
       $query=mysql_query("SELECT `code` FROM `files` WHERE `code`='$code'"); 
       $numrows=mysql_num_rows($query); 
      } 

      mkdir("upload/$code/"); 

      $name=$_FILES['upload_file']['name'][$count]; 
      $type=$_FILES['upload_file']['type'][$count]; 
      $size=$_FILES['upload_file']['size'][$count]; 
      $site_url=('http://localhost'); 
      $url= ("$site_url/download.php?file=$code"); 
      mysql_query("SET NAME utf8 "); 
      $query=mysql_query("INSERT INTO files VALUES ('','$name','$code','$type','$size','$url')"); 
      $url=urlencode($name); 
      $upload=move_uploaded_file($upload_file,"upload/$code/".$name); 
      if ($upload) { ?> 
       <table> 
       <tr> 
       <td><h3>File name</h3></td><td><h3>File Link</h3></td> 
       </tr> 
       <tr> 
       <td><?php echo"$name"; ?></td><td> <?php echo"<a href='http://localhost/downoald.php?file=$code' target='_blanck'>http://localhost/downoald.php?file=$code</a>"; ?></td> 
       </tr> 
       </table> 
      <?php } else { ?> 
       No file selected 
      <?php } 
      } else { 
    echo "Invalid file"; 
     } 
} 
}

請編輯該代碼爲我的需要。

來源

2014-10-10 Mourad Karoudi

+1

您使用的mysql_query是通過文件名SQL注入很成問題的方式。考慮使用準備好的語句。 – edlerd 2014-10-10 19:50:28

回答

0

你可以做某事像

// the list of unallowed file endings, can be extended easily by your needs 
$disallow = array(
    'php', 
    '.htaccess', 
); 
// loop over all disallowed file extensions and name the current one needle 
foreach ($disallow as $needle) { 

    // if the given filename ($name) ends in the current needle we print and error and stop the processing. 
    if (substr($name, -strlen($needle)) === $needle) { 
    echo "Invalid file extension"; 
    exit(); 
    } 
}

來源

2014-10-10 19:53:48 edlerd

+1

添加評論。 – edlerd 2014-10-11 21:05:49

相關問題

 相關問題