PHP Security: File Upload Attacks

Source: Internet
Author: User



File Upload attack

Sometimes, in addition to ordinary form data, you need to let users upload files. Because a file is transmitted differently from other form fields, the form must declare a special encoding, multipart/form-data:

CODE:

<form action="upload.php" method="POST" enctype="multipart/form-data">

A form that carries both ordinary fields and files is sent in a special format, and declaring this encoding tells the browser to build the request in that format.

The form element that lets the user select a file to upload is simple:

CODE:

<input type="file" name="attachment" />

This element looks different in different browsers. Traditionally the control consists of a text box and a Browse button, so the user can either type the path to the file or browse for it. Safari shows only the Browse button. Fortunately, the behaviour is the same in either case.

To illustrate the file upload mechanism, here is an example form that lets the user upload an attachment:

CODE:

<form action="upload.php" method="POST" enctype="multipart/form-data">
  <p>Please choose a file to upload:
    <input type="hidden" name="MAX_FILE_SIZE" value="1024" />
    <input type="file" name="attachment" /><br />
    <input type="submit" value="Upload attachment" />
  </p>
</form>


The hidden form field MAX_FILE_SIZE tells the browser the maximum file size, in bytes, that the application will accept (1024 here). PHP only honours the field if its name is spelled in upper case and it appears before the file input. Like any client-side restriction, it is trivially bypassed by an attacker, but it gives legitimate users an early hint. The limit you actually rely on must be enforced on the server.

In the PHP configuration, upload_max_filesize controls the maximum size of a single uploaded file. post_max_size (the maximum size of the whole POST body) matters as well, because the file is delivered as part of the form data, so it must be at least as large as upload_max_filesize. When a file exceeds upload_max_filesize, PHP still populates $_FILES but sets its error element to UPLOAD_ERR_INI_SIZE; when the whole request exceeds post_max_size, both $_POST and $_FILES arrive empty, which is why the receiving script must always check the error element before touching anything else.

The receiving script, upload.php, simply displays the contents of the superglobal array $_FILES:

CODE:

<?php
header('Content-Type: text/plain');
print_r($_FILES);
?>


To understand the upload process, we test it with a file called Author.txt containing the following:

CODE:

Chris Shiflett
http://www.php.cn/


When you upload this file to upload.php, you see output similar to the following in your browser (size is the file's length in bytes; 34 here, assuming each line of Author.txt ends in a single newline):

CODE:

Array
(
    [attachment] => Array
        (
            [name] => Author.txt
            [type] => text/plain
            [tmp_name] => /tmp/phpShfltt
            [error] => 0
            [size] => 34
        )

)


Although this shows that PHP hands you the upload in the superglobal array $_FILES, it does not show the raw form data. As a security-focused developer you need to recognise input for what it is and know what the browser actually sent, so it is worth looking at the HTTP request itself:

CODE:

POST /upload.php HTTP/1.1
Host: example.org
Content-Type: multipart/form-data; boundary=----------12345
Content-Length: 245

------------12345
Content-Disposition: form-data; name="attachment"; filename="Author.txt"
Content-Type: text/plain

Chris Shiflett
http://www.php.cn/
------------12345
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1024
------------12345--


You do not need to memorise the format, but you should be able to pick out the file and its associated metadata. The user supplies only name and type; tmp_name, error and size are set by PHP. Both name and type are therefore attacker-controlled: the file name can carry directory components or a dangerous extension (PHP reduces it to a base name in $_FILES, but even that base name is the attacker's choice), and the declared type is a claim about the content, not a fact, so neither may drive a security decision.
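To make the client-controlled fields visible, here is a small multipart/form-data parser run over a constructed request body. This is an added example and not code from the original article; the boundary, the field name "attachment" and the hostile filename, type and content are assumptions invented for the demonstration, and the code needs PHP 8 for str_starts_with()/str_ends_with().

```php
<?php
// Added example (not code from the original article): a minimal
// multipart/form-data parser run over a constructed request body, to show
// which upload fields arrive straight from the client. The boundary, the
// field name "attachment" and the hostile values are assumptions made up
// for the demonstration.

declare(strict_types=1);

/**
 * Split a multipart/form-data body into parts.
 * Each part is returned as [name, filename, type, content]; headers the
 * client did not send are null.
 */
function parse_multipart(string $body, string $boundary): array
{
    $parts = [];
    $delimiter = '--' . $boundary;          // RFC 2046: "--" followed by the boundary
    $chunks = explode($delimiter, $body);
    array_shift($chunks);                   // preamble before the first part
    array_pop($chunks);                     // "--\r\n" after the closing delimiter

    foreach ($chunks as $chunk) {
        $chunk = ltrim($chunk, "\r\n");     // CRLF that follows the delimiter
        $sep = strpos($chunk, "\r\n\r\n");  // blank line ends the part headers
        if ($sep === false) {
            continue;
        }
        $headers = substr($chunk, 0, $sep);
        $content = substr($chunk, $sep + 4);
        if (str_ends_with($content, "\r\n")) {
            $content = substr($content, 0, -2);   // CRLF before the next delimiter
        }

        $part = ['name' => null, 'filename' => null, 'type' => null, 'content' => $content];
        foreach (explode("\r\n", $headers) as $line) {
            if (preg_match('/^content-disposition:\s*form-data;(.*)$/i', $line, $m)) {
                // "(?:^|;)\s*name=" so that filename="..." is not mistaken for name="..."
                if (preg_match('/(?:^|;)\s*name="([^"]*)"/', $m[1], $n)) {
                    $part['name'] = $n[1];
                }
                if (preg_match('/filename="([^"]*)"/', $m[1], $f)) {
                    $part['filename'] = $f[1];
                }
            } elseif (preg_match('/^content-type:\s*(.+)$/i', $line, $m)) {
                $part['type'] = trim($m[1]);
            }
        }
        $parts[] = $part;
    }
    return $parts;
}

/** Flag client-supplied upload metadata that must not be trusted as-is. */
function suspicious_upload_fields(array $part): array
{
    $findings = [];
    $filename = $part['filename'] ?? '';
    if ($filename !== basename($filename)) {
        $findings[] = 'filename contains directory components';
    }
    if (preg_match('/\.(php|phtml|phar)$/i', $filename)) {
        $findings[] = 'filename has a server-executable extension';
    }
    // The declared type is whatever the client chose; it says nothing about the bytes.
    if (($part['type'] ?? '') === 'image/png' && !str_starts_with($part['content'], "\x89PNG")) {
        $findings[] = 'declared image/png but content lacks the PNG signature';
    }
    return $findings;
}

// Constructed request body (not captured from a real browser).
$boundary = '----------12345';
$body =
    "--$boundary\r\n" .
    "Content-Disposition: form-data; name=\"attachment\"; filename=\"../../var/www/html/shell.php\"\r\n" .
    "Content-Type: image/png\r\n" .
    "\r\n" .
    "<?php system(\$_GET['cmd']);\r\n" .
    "--$boundary\r\n" .
    "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" .
    "\r\n" .
    "1024\r\n" .
    "--$boundary--\r\n";

foreach (parse_multipart($body, $boundary) as $part) {
    printf("field %s: filename=%s type=%s (%d bytes)\n",
        $part['name'], var_export($part['filename'], true),
        var_export($part['type'], true), strlen($part['content']));
    foreach (suspicious_upload_fields($part) as $finding) {
        echo "  ! $finding\n";
    }
}
```

Run with `php parse.php`: the attachment part is reported with all three findings, while the MAX_FILE_SIZE part has no filename or type at all. Everything the findings are based on came from the request body, which is exactly why PHP's name and type elements are only as trustworthy as the client that sent them.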

Because PHP stores the uploaded file in the file system's temporary directory (here /tmp/phpShfltt), the usual next step is to move it somewhere permanent, or to read it into memory. If you do not check that tmp_name really refers to an uploaded file (rather than something like /etc/passwd), there is a theoretical risk. It is called theoretical because no known attack lets an attacker alter the value of tmp_name. But the absence of a known attack is no reason to skip a simple precaution: new attack techniques appear every day, and one easy step can protect your system.

PHP provides two convenient functions to mitigate this theoretical risk: is_uploaded_file() and move_uploaded_file(). If you need to be sure that the file named by tmp_name is an uploaded file, use is_uploaded_file():

CODE:

<?php
$filename = $_FILES['attachment']['tmp_name'];
if (is_uploaded_file($filename))
{
    /* $_FILES['attachment']['tmp_name'] is an uploaded file. */
}
?>


If you only want to move the uploaded file to a fixed location, use move_uploaded_file(), which performs the same check before moving it:

CODE:

<?php
$old_filename = $_FILES['attachment']['tmp_name'];
$new_filename = '/path/to/attachment.txt';
if (move_uploaded_file($old_filename, $new_filename))
{
    /* $old_filename is an uploaded file, and the move was successful. */
}
?>


Finally, you can use filesize() to verify the size of the file on the server, rather than trusting the client's MAX_FILE_SIZE field:

CODE:

<?php
$filename = $_FILES['attachment']['tmp_name'];
if (is_uploaded_file($filename))
{
    $size = filesize($filename);
}
?>


The purpose of these measures is to add a further layer of protection. The best policy is always to trust as little as possible.
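Putting the checks together, here is a hardened receiver for the "attachment" field. This is an added example, not code from the original article; it assumes PHP 8, that uploads are stored under /var/uploads outside the web root, and that only PNG images and plain text are wanted. It decides the content type from the bytes with the Fileinfo extension instead of the client's type element, and it never reuses the client's file name.

```php
<?php
// Added example, not code from the original article. A hardened receiver
// for the "attachment" field. Assumptions: PHP 8 with the Fileinfo
// extension, a destination directory outside the web root, and an
// allow-list of two content types chosen for the demonstration.

declare(strict_types=1);

// Sniffed MIME type => extension we will give the stored file.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'text/plain' => 'txt',
];

function handle_upload(array $file, string $destDir, int $maxBytes): array
{
    // 1. Check PHP's own error code first; anything but UPLOAD_ERR_OK means
    //    tmp_name cannot be trusted (partial upload, size limit hit, ...).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error ' . ($file['error'] ?? 'missing')];
    }
    $tmp = $file['tmp_name'];

    // 2. Make sure tmp_name really is the file PHP received in this request.
    if (!is_uploaded_file($tmp)) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }

    // 3. Enforce the size on the server; MAX_FILE_SIZE in the form is only a hint.
    $size = filesize($tmp);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return ['ok' => false, 'reason' => 'size out of range'];
    }

    // 4. Sniff the content type from the bytes; $file['type'] is the client's
    //    claim and is ignored. A "<?php" file sniffs as text/x-php, not text/plain.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmp);
    finfo_close($finfo);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return ['ok' => false, 'reason' => 'type ' . var_export($mime, true) . ' not allowed'];
    }

    // 5. Never reuse the client-supplied name: generate our own and derive the
    //    extension from the sniffed type, so "shell.php" can never be written.
    $newName = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest    = rtrim($destDir, '/') . '/' . $newName;

    // 6. move_uploaded_file() re-checks that $tmp is an upload before moving it.
    if (!move_uploaded_file($tmp, $dest)) {
        return ['ok' => false, 'reason' => 'move failed'];
    }
    chmod($dest, 0644);   // data, not executable

    return [
        'ok'            => true,
        'path'          => $dest,
        'size'          => $size,
        // Keep the original name for display only, never as a path component.
        'original_name' => basename((string) ($file['name'] ?? '')),
    ];
}

$result = handle_upload($_FILES['attachment'] ?? [], '/var/uploads', 1024 * 1024);
header('Content-Type: text/plain');
print_r($result);
```

Save it as upload.php behind the form shown earlier. Because the stored file lives outside the web root under a random name with an extension chosen by the server, a user who uploads a PHP script under an image name gets it rejected at step 4, and even a future bypass of that check would leave a non-executable .png or .txt in a directory the web server does not serve directly; if the files must be downloadable, serve them through a script that sets a fixed Content-Type and a Content-Disposition: attachment header rather than exposing the directory.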
