清理PHP中的文件路径 [英] Sanitize file path in PHP

问题描述

问候， 我希望使我的小程序更安全，以使潜在的恶意用户无法查看服务器上的敏感文件.

Greetings, I'm hoping to make my tiny program secure so that potential malicious users cannot view sensitive files on the server.

    $path = "/home/gsmcms/public_html/central/app/webroot/{$_GET['file']}";


    if(file_exists($path)) {
        echo file_get_contents($path);
    } else {
        header('HTTP/1.1 404 Not Found');
    }

我不知道该怎么办，我知道诸如"../../../../../../etc/passwd"之类的输入很麻烦，但我想知道我还应该输入哪些其他恶意输入期望以及如何预防它们.

Off the top of my head I know that input such as '../../../../../../etc/passwd' would be trouble, but wondering what other malcious inputs I should expect and how to prevent them.

推荐答案

realpath( )可让您将任何可能包含相对信息的路径转换为绝对路径...然后您可以确保该路径位于您要允许下载的某个子目录下.

realpath() will let you convert any path that may contain relative information into an absolute path...you can then ensure that path is under a certain subdirectory that you want to allow downloads from.

这篇关于清理PHP中的文件路径的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！