php realpath()返回一个空白字符串 [英] php realpath() returns a blank string
本文介绍了php realpath()返回一个空白字符串的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
在这篇文章的指导下预防目录在PHP中遍历,但允许路径我试图阻止目录遍历,但是我遇到了一些奇怪的事情,在第一个实例中,realpath返回一个好的路径
Guided by this post Preventing Directory Traversal in PHP but allowing paths I am trying to prevent directory traversal, but I am experiencing something odd, in the first instance realpath returns a good path
$fPath = $path.$parent.'/'.$name;
//$name (the user input) in this sample is "fff", $parent is an empty string
//make sure user didn't try to traverse backwards on the basepath
$basepath = $path;
$realBase = realpath($basepath);
echo $realBase."<br/>";
//gives: /Users/me/Documents/www/gallery/php_sample/uploadedImages
$userpath = $fPath;
echo $userpath."<br/>";
//gives: /Users/me/Documents/www/gallery/php_sample/uploadedImages/fff
$realUserPath = realpath($userpath);
echo $realUserPath."<br/>";
//gives blank (an empty string).
任何id为什么?
推荐答案
像AbraCadaver在评论中说,这只有在dir存在的情况下才有效。为了验证/清理用户提供的dir,您将需要一些规则,清理或拒绝它。
Like AbraCadaver said in comment, "This only works if the dir exists. To validate/sanitize the user supplied dir you will need some rules and clean it or reject it."
这篇关于php realpath()返回一个空白字符串的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文