In windows, how does the uploaded_file function get rid of disadvantages?

Source: Internet
Author: User
In earlier PHP versions, the following code may be used to upload files :...... if (isset ($ _ FILES ['file']) {$ tmp_name = $ _ FILES ['file'] ['tmp _ name'];} if (file_exists ($ tmp_name) {copy ($ tmp_name, $ des

In earlier PHP versions, file uploading may be implemented through the following code:

If (isset ($ _ FILES ['file']) {
$ Tmp_name = $ _ FILES ['file'] ['tmp _ name'];
If (file_exists ($ tmp_name )){
Copy ($ tmp_name, $ destfile );

However, an array of $ _ FILES ['file'] may be fabricated. if the content of tmp_name is specified as/etc/passwd and other sensitive information, the security Title is easily displayed. In later versions, PHP solved the title with is_uploaded_file () and move_uploaded_file (), and used is_uploaded_file () not only does it check whether $ _ FILES ['file'] ['tmp _ name'] exists, in addition, the system checks whether $ _ FILES ['file'] ['tmp _ name'] is an uploaded file, which makes it impossible to fabricate the $ _ FILES variable, because the script will terminate the performance when checking that $ _ FILES ['file'] ['tmp _ name'] is not uploaded by PHP.
Is fabricated impossible? In many scripts, I can see that some of the first trials have @ extract ($ _ POST) and other controls to ensure that the program can run continuously in the environment where register globals is off, in this environment, we can easily fabricate the $ _ FILES array and even overwrite the original $ _ FILES array. However, it is still very difficult to create a complete $ _ FILES array, because you cannot review is_uploaded_file () and move_uploaded_file (). However, during testing in the php environment in windows, we found that the temporary file of php is quite regular, which is a pattern of C: \ WINDOWS \ TEMP \ php93.tmp, the file name will be C: \ WINDOWS \ TEMP \ phpXXXXXX during the upload. the tmp pattern is changed. XXXXXX is a hexadecimal number and increases in order. that is to say, if the temporary file name uploaded this time is C: \ WINDOWS \ TEMP \ php93.tmp, next time, it will be C: \ WINDOWS \ TEMP \ php94.tmp, and the temporary file name will become regular. However, we may not know what the current file name is, which can be leaked through the php error mechanism, for example, if we copy a temporary file to an unauthorized directory or contain characters prohibited by the file system in the target file, the current temporary file name can be leaked, of course, the condition is that there is no error restraint.
So how can I get rid of is_uploaded_file () and move_uploaded_file? Look at the code in the is_uploaded_file () section of php:

PHP_FUNCTION (is_uploaded_file)
Zval ** path;
If (! SG (rfc1867_uploaded_files )){
If (ZEND_NUM_ARGS ()! = 1 | zend_get_parameters_ex (1, & path )! = SUCCESS ){
Convert_to_string_ex (path );
If (zend_hash_exists (SG (rfc1867_uploaded_files), Z_STRVAL_PP (path), Z_STRLEN_PP (path) 1 )){
} Else {

It is used to check whether the current file name exists from the rfc1867_uploaded_files hash table. Rfc1867_uploaded_files retains the variables and content related to file Upload generated by the system and php during the current php script running. If yes, it indicates that the specified file name is indeed uploaded this time; otherwise, it indicates no.
Php has a strange feature: When you submit an upload form, php will upload the file to the temporary directory before processing it, it will not be burned out until the php script stops running. That is to say, even if you submit such a form to a php script that does not receive the $ _ FILSE variable, the $ _ FILSE variable will still be generated and the file will be uploaded to the temporary directory first. The title is generated. The following script may clarify the title:

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.