Isn't Using the basename function with $_FILES['userFile']['name'] Redundant?


Problem description


According to the POST method uploads section of the PHP Manual, $_FILES['userfile']['name'] is the original name of the file on the client machine. Example #2 in that section uses the basename function with $_FILES['userfile']['name'] like the following:

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

I did some experiments on my local host (Apache 2.2.14, PHP 5.3.1, Windows XP) and found out that the following two lines are equivalent:

$_FILES['userFile']['name'];            // "file.txt"
basename($_FILES['userFile']['name']);  // "file.txt"

That is, using the basename function with $_FILES['userFile']['name'] seems rather redundant. Isn't it?

Solution

That is, using the basename function with $_FILES['userFile']['name'] seems rather redundant. Isn't it?

No, first and foremost for security reasons as @Gumbo describes in his answer; secondly, because older versions of IE used to deliver the full path of the file on client side, like

C:\Documents and Settings\Username\Desktop\Image_cropped.jpg

that behaviour stopped as recently as IE8. From this MSDN blog entry discovered via this SO question:

File Upload control

Additionally, the "Include local directory path when uploading files" URLAction has been set to "Disable" for the Internet Zone. This change prevents leakage of potentially sensitive local file-system information to the Internet. For instance, rather than submitting the full path C:\users\ericlaw\documents\secret\image.png, Internet Explorer 8 will now submit only the filename image.png.
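
The following is an added example, not code from the question or the answer: it shows reducing a client-supplied name to a bare file name before joining it to `$uploaddir`, including the IE-style full paths quoted above. The function name `client_upload_basename`, the rejection policy and the sample names are assumptions made for illustration; the one library fact relied on is that `basename()` treats `\` as a separator only on Windows builds of PHP.

```php
<?php
/**
 * Reduce a client-supplied upload name to a bare file name.
 * Returns null when nothing usable is left.
 * (Hypothetical helper for this example, not part of PHP or the original post.)
 */
function client_upload_basename(string $clientName): ?string
{
    // On non-Windows hosts basename() splits on "/" only, so an IE-style
    // "C:\...\file.jpg" would pass through unchanged. Normalise "\" first.
    $name = basename(str_replace('\\', '/', $clientName));

    // Drop NUL bytes and control characters (policy chosen for this example).
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);

    // Nothing left, or a name that still refers to a directory: refuse it.
    if ($name === null || $name === '' || $name === '.' || $name === '..') {
        return null;
    }
    return $name;
}

$uploaddir = '/var/www/uploads/';

// Constructed sample values standing in for $_FILES['userfile']['name'].
$samples = [
    'file.txt',
    'C:\\Documents and Settings\\Username\\Desktop\\Image_cropped.jpg',
    'C:\\users\\ericlaw\\documents\\secret\\image.png',
    '../config/settings.txt',
    '..',
];

foreach ($samples as $clientName) {
    $name = client_upload_basename($clientName);
    if ($name === null) {
        printf("%-62s => rejected\n", $clientName);
        continue;
    }
    // In a real handler this path is what gets passed to move_uploaded_file().
    printf("%-62s => %s\n", $clientName, $uploaddir . $name);
}
```

Every accepted name resolves to a path directly inside `$uploaddir`, whichever separator style the client sent.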
