I only need to stop people from uploading files with a PHP extension, how?



I have code that uploads an image. When I tried using Burp Suite to see what happens, I could see from the response of this code that it shows the location of the uploads folder. How can I hide that in the response, so the client cannot see where on the server the file was uploaded? And how can I fix it to stop PHP files from being uploaded? When I change the request to Content-Type: php/image, a file ending in .php gets uploaded. Is there a fix for this code?

Thanks!

<?php
ini_set('display_errors', 0);
ini_set('error_reporting', 0);
include "query_requests.php";

function dd($data)
{
    var_dump($data);
    die();
}

$target_dir = "uploads2/";
$target_file = $target_dir . basename($_FILES["uploadfile"]["name"]);
$id = $_GET['id'];
$imgName = $id . "." . explode('/', $_FILES['uploadfile']["type"])[1];
$imgID = $_GET['imgID'];
$_SESSION['imgext'] = explode('/', $_FILES['uploadfile']["type"])[1];
$imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));
// The stored file name takes its extension from the client-supplied Content-Type
$target_file = $target_dir . $id . "_pic" . "." . explode('/', $_FILES['uploadfile']["type"])[1];
if (file_exists($target_file)) {
    chmod($target_file, 0755); //Change the file permissions if allowed
    unlink($target_file); //remove the file
}
$uploadOk = 1;
if (isset($_POST["submit"])) {
    $check = getimagesize($_FILES["uploadfile"]["tmp_name"]);
    if ($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
}
$size = $_FILES["uploadfile"]["size"];
if (strcmp($imageFileType, "jpg") == 0 || strcmp($imageFileType, "png") == 0 || strcmp($imageFileType, "jpeg") == 0) {

} else {
    exit(json_encode(array('success' => false, 'msg' => "", 'ext' => $imageFileType, 'size' => $size)));
}
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.";
} else {
    $imagetype = $_FILES['uploadfile']["type"];
    if (move_uploaded_file($_FILES["uploadfile"]["tmp_name"], $target_file)) {
        $path = realpath($target_file);
        $curl = curl_init();

        curl_setopt_array($curl, array(
            CURLOPT_URL => 'http://',
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_ENCODING => '',
            CURLOPT_MAXREDIRS => 10,
            CURLOPT_TIMEOUT => 0,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
            CURLOPT_CUSTOMREQUEST => 'POST',
            CURLOPT_HTTPHEADER => array(''),
            CURLOPT_POSTFIELDS => array('Image' => new CURLFile($path, $_FILES['uploadfile']["type"], $imgName)),
        ));

        $response = curl_exec($curl);
        $resDec = json_decode($response, 1);
        $ident = '';
        if ($resDec['responseCode'] == 0) {
            $ident = str_replace(' ', '', $resDec['results']['id']);
            $ident = trim($ident);
        }
        $imageType = $_FILES["uploadfile"]["type"];
        $condition = " random_id=:random_id ";
        $bind = array('random_id' => $_GET['id']);
        $identity = findFirst('idintities', $condition, $bind)->fetch();
        if ($identity) {
            update(array('random_id' => $id, 'json_info' => $response, 'id_num' => $ident, 'img_ext' => $imageType), $condition, $bind, 'idintities');
        } else {
            insertRequest(array('random_id' => $id, 'json_info' => $response, 'id_num' => $ident, 'img_ext' => $imageType), 'idintities');
        }
        $validId = $imgID == $ident ? 1 : 0;
        // The response echoes $target_file, which is the on-disk upload location
        echo json_encode(array('success' => true, 'size' => $size, 'target' => $target_file, 'validId' => $validId, 'info' => $resDec));
    } else {
        exit(json_encode(array('success' => false, 'msg' => "Sorry, there was an error uploading your file.", 'size' => $size)));
    }
}
?>

The HTML/JavaScript part of the code that uploads the image file:

var progressBar = document.getElementById("progressBar"),
    progressOuter = document.getElementById("progressOuter"),
    msgBox = document.getElementById("msgBox");
var identValid = true;
var btn = document.getElementById("uploadBtn");
var uploader = new ss.SimpleUpload({
    button: btn,
    url: "upload.php?id=",
    name: "uploadfile",
    multipart: true,
    hoverClass: "hover",
    focusClass: "focus",
    responseType: "json",
    startXHR: function () {
        progressOuter.style.display = "block";
        this.setProgressBar(progressBar);
    }
    // ... further options omitted
});

Here is how to add the check to your code:

$uploadOk = 1;
if (isset($_POST["submit"])) {
    $check = getimagesize($_FILES["uploadfile"]["tmp_name"]);
    if ($check !== false) {
        echo "File is an image - " . $check["mime"] . ".";
        $uploadOk = 1;
    } else {
        echo "File is not an image.";
        $uploadOk = 0;
    }
    // Field name matches the form field used above ("uploadfile")
    $filename = $_FILES['uploadfile']['name'];
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    // Compare case-insensitively so ".PHP" is rejected as well
    if (strtolower($ext) == 'php') {
        echo 'error: You should not upload PHP files.';
        $uploadOk = 0;
    }
}

Note that this code only looks at the extension of the uploaded file. Extensions can be changed, so they do not necessarily reflect the content of the file.
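The caveat above is the crux of the question: the original script builds the stored file name from the client-supplied Content-Type, and a name or extension check can be bypassed just as easily. The following is an added example (not code from the question or either answer) of the defensive pattern a practitioner would use instead: detect the type from the file's bytes, let the server choose both the extension and a random file name, store outside the web root, and return only an opaque token so the response never reveals the upload location. The field name `uploadfile`, the 2 MiB limit and the `private_uploads` directory are assumptions.

```php
<?php
// Added example, not code from the question or either answer. Assumes the
// form field is named "uploadfile" and that $storageDir lies OUTSIDE the web
// root, so nothing written there can be executed by the web server.
declare(strict_types=1);

// Detected MIME type -> extension that the server assigns itself. The
// client-supplied name and Content-Type are never used to build the path.
const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

function validateImageUpload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return [false, 'upload failed'];
    }
    if ($file['size'] > 2 * 1024 * 1024) {          // 2 MiB cap (assumed policy)
        return [false, 'file too large'];
    }
    // Sniff the bytes on disk with two independent checks; both must agree.
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $info    = @getimagesize($file['tmp_name']);
    if ($info === false || $sniffed !== $info['mime']
        || !isset(ALLOWED_IMAGE_TYPES[$sniffed])) {
        return [false, 'not an allowed image type'];
    }
    return [true, ALLOWED_IMAGE_TYPES[$sniffed]];
}

function storeImageUpload(array $file, string $storageDir): array
{
    [$ok, $extOrMsg] = validateImageUpload($file);
    if (!$ok) {
        return ['success' => false, 'msg' => $extOrMsg];
    }
    // Server-chosen random name: no user input, so no "../" or ".php" tricks.
    $token = bin2hex(random_bytes(16));
    $dest  = rtrim($storageDir, '/') . '/' . $token . '.' . $extOrMsg;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['success' => false, 'msg' => 'could not store file'];
    }
    // Only an opaque token goes back; the client never learns the real path.
    return ['success' => true, 'image' => $token];
}

header('Content-Type: application/json');
echo json_encode(storeImageUpload($_FILES['uploadfile'] ?? [], __DIR__ . '/../private_uploads'));
```

Serve stored images through a separate read-only handler keyed by the token, and keep PHP execution disabled for the storage directory as a second layer even though the directory is outside the web root.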

Your code has so many problems that I don't know where to start.
You need to clarify what you are trying to do.

You should show the HTML you use for the upload.

Below is an application in which the user uploads an image, the image is converted to a webp image and transmitted to a PHP script, which then saves it as a .webp image.

HTML

<form action="upload.php" method="post" enctype="multipart/form-data">
    Upload an Image from your device <br>
    <!-- single field named "image1" so that $_FILES['image1']['tmp_name'] is a string, as upload.php expects -->
    <input type="file" name="image1" accept="image/png, image/jpeg, image/gif, image/webp" /><br>
    <button type="submit">Upload Image</button>
</form>

upload.php

<?php
// Placeholder: URL of the receiving script shown below ($url was not defined in the original post)
$url = 'https://example.invalid/receive.php';

if (is_uploaded_file($_FILES['image1']['tmp_name']) && $_FILES['image1']['error'] === UPLOAD_ERR_OK) {
    $save = false;
    // Each case deliberately falls through to the next decoder when the current
    // one fails, so the file is tried against every supported format.
    switch (strtolower($_FILES['image1']['type'])) {
        case 'image/jpeg':
            $image = @imagecreatefromjpeg($_FILES['image1']['tmp_name']);
            if ($image !== false) { $save = true; break; }
        case 'image/png':
            $image = @imagecreatefrompng($_FILES['image1']['tmp_name']);
            if ($image !== false) { $save = true; break; }
        case 'image/gif':
            $image = @imagecreatefromgif($_FILES['image1']['tmp_name']);
            if ($image !== false) { $save = true; break; }
        case 'image/webp':
            $image = @imagecreatefromwebp($_FILES['image1']['tmp_name']);
            if ($image !== false) { $save = true; break; }
        default:
            // Client-supplied type was wrong or unknown: sniff the real type instead
            $img = @getimagesize($_FILES['image1']['tmp_name']);
            switch (strtolower(is_array($img) ? $img['mime'] : '')) {
                case 'image/jpeg':
                    $image = @imagecreatefromjpeg($_FILES['image1']['tmp_name']);
                    if ($image !== false) { $save = true; break; }
                case 'image/png':
                    $image = @imagecreatefrompng($_FILES['image1']['tmp_name']);
                    if ($image !== false) { $save = true; break; }
                case 'image/gif':
                    $image = @imagecreatefromgif($_FILES['image1']['tmp_name']);
                    if ($image !== false) { $save = true; break; }
                default:
                    // Last resort: guess from the last three characters of the file name
                    $filename = $_FILES['image1']['name'];
                    $ext = substr($filename, -3);
                    switch (strtolower($ext)) {
                        case 'jpg':
                            $image = @imagecreatefromjpeg($_FILES['image1']['tmp_name']);
                            if ($image !== false) { $save = true; break; }
                        case 'ebp': // "webp" ends in "ebp"
                            $image = @imagecreatefromwebp($_FILES['image1']['tmp_name']);
                            if ($image !== false) { $save = true; break; }
                        case 'gif':
                            $image = @imagecreatefromgif($_FILES['image1']['tmp_name']);
                            if ($image !== false) { $save = true; break; }
                        case 'png':
                            $image = @imagecreatefrompng($_FILES['image1']['tmp_name']);
                            if ($image !== false) { $save = true; break; }
                        default:
                            $image = @imagecreatefromjpeg($_FILES['image1']['tmp_name']);
                            if ($image !== false) { $save = true; break; }
                            $image = @imagecreatefrompng($_FILES['image1']['tmp_name']);
                            if ($image !== false) { $save = true; break; }
                            $image = @imagecreatefromgif($_FILES['image1']['tmp_name']);
                            if ($image !== false) { $save = true; break; }
                    }
            }
    }
    if ($save) {
        // Re-encode the decoded image as WebP in memory: only GD's own output is
        // forwarded, never the uploaded bytes themselves.
        ob_start();
        imagewebp($image, null, 70);
        $webp = ob_get_clean();
        imagedestroy($image);
        $post = base64_encode($webp);
        $ch = curl_init($url);
        $request = array();
        $request[] = "Content-Type: text/plain";
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $request);
        curl_setopt($ch, CURLOPT_ENCODING, "");
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
        curl_setopt($ch, CURLOPT_FAILONERROR, true);
        $response = curl_exec($ch);
        curl_close($ch);
        echo $response;
    }
}

Receiving script ($url):

<?php
// Reads the base64 body posted by upload.php and writes the WebP bytes to disk
$base64 = file_get_contents('php://input');
$image = base64_decode($base64);
$filename = 'image.webp';
file_put_contents($filename, $image);
