For security reasons, a WordPress site must restrict which file types can be uploaded through the admin back end, closing the door before anything goes wrong. WordPress ships a filter API that does exactly this:
http://codex.wordpress.org/Plugin_API/Filter_Reference/upload_mimes
Example:
```php
// Replace WordPress's default list entirely: only these four image types may be uploaded.
add_filter('upload_mimes', 'custom_upload_mimes');
function custom_upload_mimes($existing_mimes = array()) {
    // Discard the default extension => MIME map and start from an empty one
    $existing_mimes = array();
    $existing_mimes['jpg'] = 'image/jpeg';
    $existing_mimes['png'] = 'image/png';
    $existing_mimes['bmp'] = 'image/bmp';
    $existing_mimes['gif'] = 'image/gif';
    return $existing_mimes;
}
```
The snippet above throws away the default upload list; the one below adds uploadable types on top of the existing list:
```php
// Add uploadable types to WordPress's default list.
// (Named differently from the function above so both can sit in the same
// functions.php without a "cannot redeclare function" fatal error.)
add_filter('upload_mimes', 'custom_add_upload_mimes');
function custom_add_upload_mimes($existing_mimes = array()) {
    $existing_mimes['rar'] = 'application/octet-stream';
    $existing_mimes['zip'] = 'application/zip';
    $existing_mimes['7z']  = 'application/octet-stream';
    return $existing_mimes;
}
```
With the first snippet in place, users can only upload jpg, gif, png and bmp files; every other format is refused, which by itself removes a class of attacks. To harden the back end further you also need to remove the places that can write files directly: online theme installation, plugin installation and the theme/plugin editor. The table below lists common file types; if you need to allow another one, add an entry by analogy. For example, allowing PHP uploads would take a single extra array entry: $existing_mimes['php'] = 'application/octet-stream';
Allowing PHP uploads is of course not recommended: anyone with upload rights could then drop server-side code into wp-content/uploads, where the web server will execute it, which amounts to handing every uploader remote code execution.
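The two hardening steps described above (a replacement allowlist and switching off the dashboard's other file-write paths) as one must-use plugin plus two wp-config.php constants. This is an added example, not code from the original post; the plugin file name, the function name example_upload_allowlist, the capability check and the particular set of allowed types are assumptions you should adapt to your site.

```php
<?php
// ---- wp-content/mu-plugins/upload-allowlist.php ----
// Added example (not from the original post). File and function names are assumptions.

// WordPress keys the upload map by extension. Its defaults use pipe-separated
// groups ('jpg|jpeg|jpe' => 'image/jpeg'); a bare 'jpg' key would reject photo.jpeg.
// Any extension missing from the returned array is refused at upload time.
add_filter('upload_mimes', 'example_upload_allowlist');
function example_upload_allowlist(array $existing_mimes = array()): array {
    // Replace the default map entirely rather than adding to it.
    $allowed = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'bmp'          => 'image/bmp',
    );
    // Least privilege: only users who can manage the site may upload archives.
    if (current_user_can('manage_options')) {
        $allowed['zip'] = 'application/zip';
    }
    return $allowed;
}

// ---- wp-config.php (above the "That's all, stop editing!" line) ----
// Closing the dashboard's remaining file-write paths, which is what "removing"
// the theme/plugin installers and editors amounts to in practice.
define('DISALLOW_FILE_EDIT', true); // hides and disables the theme and plugin code editors
define('DISALLOW_FILE_MODS', true); // additionally blocks installing/updating themes, plugins and core from the dashboard
```

Files in wp-content/mu-plugins are loaded automatically and cannot be deactivated from the dashboard, so an attacker with an administrator session cannot simply switch the allowlist off. DISALLOW_FILE_MODS implies DISALLOW_FILE_EDIT; keep both lines so the intent stays readable.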
The table covers:
- image files (gif, jpg, bmp, png, psd, ico)
- archives (rar, 7z, zip)
- executables (exe)
- video, audio and lyric files (avi, rmvb, 3gp, flv, mp3, wav, krc, lrc)
- text and document files (txt, Word doc, Excel xls, PowerPoint ppt, pdf, chm)
- database-related files (Access mdb, sql, con, log, dat)
- web page, script and font files (ini, php, html, htm, fonts: ttf and fon, js, xml)
- other files (Java class files, dll dynamic-link libraries)
PHP upload file types

The "type seen by PHP" value is what PHP puts in $_FILES['...']['type']. It is copied verbatim from the Content-Type header the browser sends for that form part and is not derived from the file's content, which is why IE and Firefox report different values for jpg, png, zip, sql, dat and js. Because it is client-controlled, it must never be used to decide whether an upload is safe: the WordPress upload_mimes check is keyed on the file extension, and any content check has to inspect the bytes themselves.

| id | extension | type seen by PHP (IE) | type seen by PHP (Firefox) |
|----|-----------|-----------------------|----------------------------|
| 0 | gif | image/gif | image/gif |
| 1 | jpg | image/jpeg | image/pjpeg |
| 2 | png | image/png | image/x-png |
| 3 | bmp | image/bmp | image/bmp |
| 4 | psd | application/octet-stream | application/octet-stream |
| 5 | ico | image/x-icon | image/x-icon |
| 6 | rar | application/octet-stream | application/octet-stream |
| 7 | zip | application/zip | application/x-zip-compressed |
| 8 | 7z | application/octet-stream | application/octet-stream |
| 9 | exe | application/octet-stream | application/octet-stream |
| 10 | avi | video/avi | video/avi |
| 11 | rmvb | application/vnd.rn-realmedia-vbr | application/vnd.rn-realmedia-vbr |
| 12 | 3gp | application/octet-stream | application/octet-stream |
| 13 | flv | application/octet-stream | application/octet-stream |
| 14 | mp3 | audio/mpeg | audio/mpeg |
| 15 | wav | audio/wav | audio/wav |
| 16 | krc | application/octet-stream | application/octet-stream |
| 17 | lrc | application/octet-stream | application/octet-stream |
| 18 | txt | text/plain | text/plain |
| 19 | doc | application/msword | application/msword |
| 20 | xls | application/vnd.ms-excel | application/vnd.ms-excel |
| 21 | ppt | application/vnd.ms-powerpoint | application/vnd.ms-powerpoint |
| 22 | pdf | application/pdf | application/pdf |
| 23 | chm | application/octet-stream | application/octet-stream |
| 24 | mdb | application/msaccess | application/msaccess |
| 25 | sql | application/octet-stream | text/plain |
| 26 | con | application/octet-stream | application/octet-stream |
| 27 | log | text/plain | text/plain |
| 28 | dat | application/octet-stream | text/plain |
| 29 | ini | application/octet-stream | application/octet-stream |
| 30 | php | application/octet-stream | application/octet-stream |
| 31 | html | text/html | text/html |
| 32 | htm | text/html | text/html |
| 33 | ttf | application/octet-stream | application/octet-stream |
| 34 | fon | application/octet-stream | application/octet-stream |
| 35 | js | application/x-javascript | text/html |
| 36 | xml | text/xml | text/xml |
| 37 | dll | application/octet-stream | application/octet-stream |
| 38 | class | (not listed) | application/java |
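To show why the browser-reported type in the table above cannot be the basis of an upload decision, here is a stand-alone check that combines the extension allowlist with content sniffing of the actual bytes. This is an added example, not code from the original post or from WordPress; the function name check_upload, the allowlist and the sample files are constructed for the demonstration. It needs only the fileinfo extension that ships with PHP.

```php
<?php
// Added example (not from the original post): server-side type checking that does
// not trust the browser-supplied MIME type. Requires the bundled fileinfo extension.

/**
 * Decide whether an upload may be stored.
 *   $filename     client-supplied name; only its extension is consulted
 *   $bytes        the file content, as read from the temporary upload file
 *   $allowed      extension => MIME map, same shape as WordPress's upload_mimes array
 *   $browser_type $_FILES[...]['type']; reported in the reason string, never used to decide
 * Returns array('ok' => bool, 'reason' => string).
 */
function check_upload(string $filename, string $bytes, array $allowed, string $browser_type = ''): array {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));

    // 1. Extension allowlist: the same policy the upload_mimes filter enforces.
    if (!isset($allowed[$ext])) {
        return array('ok' => false, 'reason' => "extension '$ext' not in allowlist");
    }

    // 2. Content sniffing: ask libmagic what the bytes actually are.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $real  = $finfo->buffer($bytes);

    // 3. The sniffed type must be the one the allowlist promises for that extension.
    if ($real !== $allowed[$ext]) {
        return array('ok' => false,
            'reason' => "content is $real, expected {$allowed[$ext]} for .$ext (browser claimed '$browser_type')");
    }
    return array('ok' => true, 'reason' => "content is $real");
}

$allowed = array('jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif');

// Constructed samples: a minimal 1x1 GIF89a image and a harmless PHP script.
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff\x21\xf9\x04\x01"
     . "\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
$php = "<?php echo 'hello'; ?>";

$cases = array(
    // name          bytes  browser-claimed type   expected outcome
    array('photo.gif',  $gif, 'image/gif'),        // accepted: extension and content agree
    array('photo.jpeg', $gif, 'image/gif'),        // rejected: 'jpeg' is not a key (cf. WordPress's 'jpg|jpeg|jpe')
    array('script.php', $php, 'image/gif'),        // rejected by extension, whatever the browser claims
    array('script.gif', $php, 'image/gif'),        // rejected: libmagic reports text/x-php, not image/gif
);

foreach ($cases as list($name, $bytes, $claimed)) {
    $r = check_upload($name, $bytes, $allowed, $claimed);
    printf("%-12s %-8s %s\n", $name, $r['ok'] ? 'ACCEPT' : 'REJECT', $r['reason']);
}
```

Run it with php check-upload.php. Content sniffing narrows the gap but does not close it: a polyglot (a valid GIF with PHP appended) still sniffs as image/gif, so the web server must additionally be configured never to execute PHP from the uploads directory, and the extension allowlist remains the primary control.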