2

我有以下用于 jquery 文件上传和调整图像大小的代码。在我之前的一篇文章中,另一位用户告诉我这是一个安全风险。这是代码:

<?php
$output_dir = "../images/img_user/";
if(isset($_FILES["file"]) && !empty($_FILES["file"]))
{
    $ret = array();
    $error =$_FILES["file"]["error"];
    if(!is_array($_FILES["file"]["name"])) //single file
    {
        $fileName = $_FILES["file"]["name"];
        move_uploaded_file($_FILES["file"]["tmp_name"],$output_dir.$fileName);
        //img resize
        require 'imgclass.php';
        $resize_image = new Zebra_Image();
        $resize_image->preserve_aspect_ratio = true;
        $resize_image->source_path = $output_dir.$fileName;
        $ext = trim("$fileName");
        $resize_image->target_path = '../images/img_user/'.$ext;
        if (!$resize_image->resize(128, 128, ZEBRA_IMAGE_NOT_BOXED, 1))
        {
            // if there was an error, let's see what the error is about
            switch ($resize_image->error) {
                case 1:
                    $custom_error= array();
                    $custom_error['jquery-upload-file-error']="Image file could not be found!";
                    echo json_encode($custom_error);
                    die();
                case 2:
                    $custom_error= array();
                    $custom_error['jquery-upload-file-error']="Image file is not readable!";
                    echo json_encode($custom_error);
                    die();
                case 3:
                    $custom_error= array();
                    $custom_error['jquery-upload-file-error']="Could not write target file!";
                    echo json_encode($custom_error);
                    die();
                case 4:
                    $custom_error= array();
                    $custom_error['jquery-upload-file-error']="Unsupported image file format!";
                    echo json_encode($custom_error);
                    die();
                case 5:
                    $custom_error= array();
                    $custom_error['jquery-upload-file-error']="Unsupported target file format!";
                    echo json_encode($custom_error);
                    die();
                case 6:
                    $custom_error= array();
                    $custom_error['jquery-upload-file-error']="GD library version does not support target file format!";
                    echo json_encode($custom_error);
                    die();
                case 7:
                    $custom_error= array();
                    $custom_error['jquery-upload-file-error']="GD library is not installed!";
                    echo json_encode($custom_error);
                    die();
            }//end switch
        }//end resize error
        //end resize
        $ret[]= $fileName;
    }
    echo json_encode($ret);
}
?>

我正在使用以下库:

http://hayageek.com/docs/jquery-upload-file.php

我创建了一个 htaccess 文件以防止在上传文件夹中执行代码。文件夹权限为 755,文件 chmod 为 640。

另一位用户 Xorifelse 评论说:“而且,安全风险move_uploaded_file($_FILES["file"]["tmp_name"],$output_dir.$‌​fileName);也是从 2000 年左右开始的。安全措施已经过时了 17 年。是的,您允许我们毫不费力地将 php 文件上传到您的网络服务器。”

如果是这样,涉及的安全问题是什么?我该如何预防?我是一个新手程序员。

4

0 回答 0