防止执行上传的php文件？

In my project users are allowed to upload files of any type. I need to ensure security against execution of uploaded files that can parsed by php (*.php, *.html, etc.)

在我的项目中，用户可以上传任何类型的文件。我需要确保安全性，防止执行上传的文件，这些文件可以通过php解析（* .php，* .html等）

Is there a way to tell apache not to parse any files with php in web/uploads and simply display them as plain text? What are other options?

有没有办法告诉apache不要用web / uploads中的php解析任何文件，只是将它们显示为纯文本？还有什么其他选择？

3 个解决方案

#1

Keep them all under the same folder and set this line in the directory's .htaccess file:

将它们全部保存在同一文件夹下，并在目录的.htaccess文件中设置此行：

php_flag engine off

That will also take care of other exploits such as embedding PHP code in .gif files.

这也将处理其他漏洞，例如在.gif文件中嵌入PHP代码。

#2

You want the Apache SetHandler directive: http://httpd.apache.org/docs/current/mod/core.html#sethandler

您需要Apache SetHandler指令：http：//httpd.apache.org/docs/current/mod/core.html#sethandler

This lets you force all files in a directory to be processed by a certain handler. So something along the lines of:

这使您可以强制某个处理程序处理目录中的所有文件。所以有些东西：

<Location /web/uploads>
SetHandler None
</Location>

should do what you want.

应该做你想做的事。

#3

why not just rename the file extensions upon upload to .phps?

为什么不在上传到.phps时重命名文件扩展名？

To clarify PHPS is the source code view of a PHP file:

澄清PHPS是PHP文件的源代码视图：

To clarify:

澄清：

file.php => file.phps

file.php => file.phps

quick google example:

快速谷歌示例：

http://filext.com/file-extension/PHPS
http://filext.com/file-extension/PHPS

#1