PHP Security: File Upload Attacks

Source: Internet
Author: User



File upload attacks

Sometimes, in addition to standard form data, you also need users to upload files. Because files are transmitted in forms differently from other form data, you must specify the special encoding method multipart/form-data:

CODE:

 


The hidden form variable MAX_FILE_SIZE tells the browser the maximum file size it should upload. Like most client-side restrictions, it is trivially bypassed by an attacker, but it serves as a useful hint for legitimate users. Only a check performed on the server can be relied on.

Among PHP's configuration directives, upload_max_filesize controls the maximum size of a file that can be uploaded. At the same time, post_max_size (the maximum size of data submitted in a POST request) also applies, because files are uploaded as part of the form data.

The receiving program upload.php displays the contents of the superglobal array $_FILES:

CODE:

 


To test the upload process, we use a file named author.txt. The following is its content:

CODE:

Chris Shiflett
#


When you upload this file to the upload.php program, you see output similar to the following in the browser:

CODE:

Array
(
    [attachment] => Array
        (
            [name] => author.txt
            [type] => text/plain
            [tmp_name] => /tmp/phpShfltt
            [error] => 0
            [size] => 36
        )

)


Although this shows that PHP provides the uploaded content in the superglobal array $_FILES, it does not show the original form data as sent. As a security-oriented developer, you need to identify the input and know what the browser actually sent, so it is worth looking at the raw HTTP request:

CODE:

POST /upload.php HTTP/1.1
Host: example.org
Content-Type: multipart/form-data; boundary=----------12345
Content-Length: 245

----------12345
Content-Disposition: form-data; name="attachment"; filename="author.txt"
Content-Type: text/plain

Chris Shiflett
#

----------12345
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1024
----------12345--


Although you do not need to understand every detail of the request format, you must be able to identify the file and its associated metadata. The user supplies only the name and the type; tmp_name, error, and size are set by PHP.

Because PHP saves uploaded files in the file system's temporary area (in this example, /tmp/phpShfltt), the usual operation is to move the file somewhere else for storage or to read it into memory. If you do not check tmp_name to make sure it really refers to an uploaded file (rather than something like /etc/passwd), there is a theoretical risk. It is theoretical because there is no known attack that lets an attacker modify the value of tmp_name. However, the absence of a known attack does not mean you can skip simple security measures: new attack techniques appear every day, and a single simple step can protect your system.

PHP provides two convenient functions to mitigate this theoretical risk: is_uploaded_file() and move_uploaded_file(). If you need to ensure that the file referenced by tmp_name is an uploaded file, use is_uploaded_file():

CODE:

 
 


If you only want to move the uploaded file to a fixed location, use move_uploaded_file(), which performs the same check before moving:

CODE:

 
 


Finally, you can use filesize() to check the actual size of the file on disk:

CODE:

 
 


These measures add an extra layer of protection. The guiding principle is always to trust as little as possible.
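The following is an added example (not code from the original article) that combines the checks described above into one handler for the "attachment" field of upload.php. The constants UPLOAD_DIR and MAX_BYTES, the function name store_upload, and the fixed .txt extension are assumptions for a text-only upload form.

```php
<?php
// Added example: hardened handling of the "attachment" upload field.
// Assumed values: UPLOAD_DIR (outside the web root) and MAX_BYTES.
const UPLOAD_DIR = '/var/www/uploads';   // assumption: not served by the web server
const MAX_BYTES  = 1024;                 // the MAX_FILE_SIZE hint, enforced server-side

function store_upload(array $file): string
{
    // 1. PHP reports transport problems (partial upload, size limit hit, no file) here.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }

    // 2. tmp_name must refer to a file PHP itself received in this request,
    //    not an arbitrary path such as /etc/passwd.
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }

    // 3. Check the real size on disk rather than trusting the browser's MAX_FILE_SIZE.
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('File exceeds ' . MAX_BYTES . ' bytes');
    }

    // 4. Choose the destination name ourselves: the client-supplied 'name' is
    //    untrusted input and may contain path separators or a risky extension.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.txt';

    // 5. move_uploaded_file() repeats the is_uploaded_file() check before moving.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }

    return $dest;
}

// Usage inside upload.php, the receiving program from the article.
if (isset($_FILES['attachment'])) {
    try {
        $saved = store_upload($_FILES['attachment']);
        echo 'Stored as ' . htmlspecialchars($saved, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Note that upload_max_filesize and post_max_size in php.ini still cap the request before this code runs; an oversized upload surfaces as a non-zero error code in step 1.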
