php realpath（）返回一个空白字符串 [英] php realpath() returns a blank string

问题描述

在这篇文章的指导下预防目录在PHP中遍历，但允许路径我试图阻止目录遍历，但是我遇到了一些奇怪的事情，在第一个实例中，realpath返回一个好的路径

Guided by this post Preventing Directory Traversal in PHP but allowing paths I am trying to prevent directory traversal, but I am experiencing something odd, in the first instance realpath returns a good path

        $fPath = $path.$parent.'/'.$name;
//$name (the user input) in this sample is "fff", $parent is an empty string        

        //make sure user didn't try to traverse backwards on the basepath           
        $basepath = $path;
        $realBase = realpath($basepath);
echo $realBase."<br/>";
//gives: /Users/me/Documents/www/gallery/php_sample/uploadedImages

        $userpath = $fPath;
echo $userpath."<br/>";
//gives: /Users/me/Documents/www/gallery/php_sample/uploadedImages/fff

        $realUserPath = realpath($userpath);
echo $realUserPath."<br/>";
//gives blank (an empty string).

任何id为什么？

推荐答案

像AbraCadaver在评论中说，这只有在dir存在的情况下才有效。为了验证/清理用户提供的dir，您将需要一些规则，清理或拒绝它。

Like AbraCadaver said in comment, "This only works if the dir exists. To validate/sanitize the user supplied dir you will need some rules and clean it or reject it."

这篇关于php realpath（）返回一个空白字符串的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！