1. Detect file type, and save with user's Save file name
The code is as follows: if (Isset ($_files[' img ')) {$file = Save_file ($_files[' img ')), if ($file ===false) exit (' Save failed! '); echo "Last saved success! ", $file;} function Check_file ($img) {///Read file if ($img [' Error ']>0) return false; $tmpfile = $img [' Tmp_name ']; $filename = $img [' Name ']; Read file extension $len=strrpos ($filename, "."); if ($len ===false) return false; Get extension $ext = Strtolower (substr ($filename, $len + 1)), if (!in_array ($ext, array (' jpg ', ' jpeg ', ' png ')) return false; return true;} function Save_file ($img) {if (!check_file ($IMG)) return false;//format detection OK, ready to move data $filename = $img [' name ']; $newfile = " upload/". $filename; if (!move_uploaded_file ($img [" Tmp_name "], $newfile) return false; return $newfile;}? > The above code, the input type also made a judgment, see no problem. The problem, however, is precisely the detection of the acquired username variable. Get the incoming user name directly and save it as a file. Some friends will say: These files are in my computer, the file name format is limited to the operating system on the file name definition. However, it is important to note that for $_files inside the get variable, is directly from the HTTP request requests. It is the same as the normal acquisition of other get,post variables. Therefore, people with ulterior motives tend to emulate their browsers and send a special file name to the server. Then, when the file is saved, it can be stored in its own format as usual. In previous years, "" in a string, saved as a file, will automatically truncate the later content. such as: $filename structure as: "A.php.jpg", we think, what will become? $newfile = "Upload/a.php.jpg" because, for the extended nameThe right "." The trailing character is JPG, which is allowed in the picture format. However, we will save it as a file name. The discovery disk generates a.php under the upload directory, and all subsequent characters are automatically truncated. The vulnerability, rage. At the time, almost all of the storage sites were vulnerable. On a temporary stage, many platforms closed up. In fact, the root cause is here. We got the file name and saved it as the final generated file name. The good way is to randomly generate the file name + read extension. This allows you to organize the input of special characters that are discarded or truncated when the file is saved. PHP4 ERA This vulnerability can be exploited, to the php5 era, the generated variable file name value, will automatically filter out "", so that no matter how the user constructs the special "" User name, will be truncated. However, at present this kind of loophole, at asp,jsp and so on site. There are also frequent occurrences. The old version of the PHP site will also appear frequently.
http://www.bkjia.com/PHPjc/372244.html www.bkjia.com true http://www.bkjia.com/PHPjc/372244.html techarticle 1. Detect the file type and save the code with the user's file name: if (isset ($_files[' img ')) {$file = Save_file ($_files[' img ')), if ($file ===false) exit ( ' Last saved failed! '); Ech ...
