gin: File Upload - Uploading Files: Introduction

gin: File Upload

Allowing a visitor to upload files to a site may be required for many reasons: for example, to provide users with the ability to add profile pictures, or allow site owners to upload new images without touching or . FTP can be used by web developers to upload files, but it is insecure, and most visitors need a much more user-friendly method.

File uploads present a major potential attack vector for misuse of a site. There are essentially three central security concerns:

  1. Making sure that the user is uploading the right kind of file. (We may want to accept JPEG, GIF or PNG images, for example, but not Word documents, .tif or .avi files.)

  2. Determining that the user is uploading the right size of file, both in terms of binary data and (in the case of images) resolution and/or aspect ratio.

  3. Determining that the file has an acceptable file name, and is saved in the correct location on the server.

We need to be as careful as possible in this process: allowing users to upload files to your server is essentially equivalent to leaving the door to your home open.
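
The three checks above, sketched server-side in Go as an added example (not code from the original article, which does not show its server-side language here). The size and resolution limits, the upload directory and the function names are assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"image"
	_ "image/gif" // blank imports register the GIF and JPEG decoders
	_ "image/jpeg"
	"image/png"
	"net/http"
	"path/filepath"
)

// Assumed limits and storage location; adjust to the site's needs.
const maxBytes, maxSide, uploadDir = 2 << 20, 4096, "/var/uploads"

var allowed = map[string]string{"image/jpeg": ".jpg", "image/gif": ".gif", "image/png": ".png"}

// CheckUpload applies the type, size and name checks; clientName is never used for storage.
func CheckUpload(clientName string, data []byte) (string, error) {
	if len(data) == 0 || len(data) > maxBytes { // concern 2: binary size
		return "", fmt.Errorf("size %d outside 1..%d bytes", len(data), maxBytes)
	}
	ext, ok := allowed[http.DetectContentType(data)] // concern 1: sniff the content itself
	if !ok {
		return "", fmt.Errorf("content type not allowed")
	}
	cfg, _, err := image.DecodeConfig(bytes.NewReader(data)) // concern 2: resolution
	if err != nil || cfg.Width > maxSide || cfg.Height > maxSide {
		return "", fmt.Errorf("not a decodable image within %dpx per side", maxSide)
	}
	id := make([]byte, 16) // concern 3: server-generated name, fixed directory
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	return filepath.Join(uploadDir, fmt.Sprintf("%x", id)+ext), nil
}

// samplePNG builds a constructed w x h test image in memory.
func samplePNG(w, h int) []byte {
	var buf bytes.Buffer
	png.Encode(&buf, image.NewRGBA(image.Rect(0, 0, w, h)))
	return buf.Bytes()
}

func main() {
	fmt.Println(CheckUpload("../../avatar.php", samplePNG(32, 32))) // accepted, renamed
	fmt.Println(CheckUpload("cv.doc", []byte("%PDF-1.7 constructed")))
}
```

Because the stored name and extension come from the server and the sniffed content, a client-supplied name such as `../../avatar.php` has no influence on where or as what the file is saved.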

It is important to note that file uploads from a web page consist of two sides that we must code: the client-side interface (what the user sees and interacts with) and the server-side process of transferring the file. (If this sounds unfamiliar, you will probably want to read up on the concept of client-side vs. server-side processing.) Appropriate security should be on both sides of this process.

The server-side processing is usually . The client side is usually a combination of HTML and (sometimes) JavaScript. It’s also notable that HTML5 has a File API that interfaces with JavaScript to allow features like file drag-and-drop, or multiple file uploads, which we will get to eventually.

We’ll start with the HTML side of file uploads.

Note

It should be noted that in some cases file uploads might not be required for a site at all: for example, it may be easier to gain details of a user’s Flickr account and get access to their images via an RSS feed from that service rather than having the user redundantly upload the same images to your site. Similarly, it may be easier to use Facebook’s system for adding comments to a site, which automatically includes FB profile pictures, rather than building your own.

Translated from: https://thenewcode.com/390/Uploading-Files-Introduction
