清理PHP中的文件路径 [英] Sanitize file path in PHP
问题描述
问候, 我希望使我的小程序更安全,以使潜在的恶意用户无法查看服务器上的敏感文件.
Greetings, I'm hoping to make my tiny program secure so that potential malicious users cannot view sensitive files on the server.
$path = "/home/gsmcms/public_html/central/app/webroot/{$_GET['file']}";
if(file_exists($path)) {
echo file_get_contents($path);
} else {
header('HTTP/1.1 404 Not Found');
}
我不知道该怎么办,我知道诸如"../../../../../../etc/passwd"之类的输入很麻烦,但我想知道我还应该输入哪些其他恶意输入期望以及如何预防它们.
Off the top of my head I know that input such as '../../../../../../etc/passwd' would be trouble, but wondering what other malcious inputs I should expect and how to prevent them.
推荐答案
realpath( )可让您将任何可能包含相对信息的路径转换为绝对路径...然后您可以确保该路径位于您要允许下载的某个子目录下.
realpath() will let you convert any path that may contain relative information into an absolute path...you can then ensure that path is under a certain subdirectory that you want to allow downloads from.
这篇关于清理PHP中的文件路径的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!