本文介绍了如何清理 $_GET 变量以防止路径注入?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
清理 $_GET['']
请求的最佳方法是什么?我想只允许从一个目录下载文件.
What is the best way to sanitize $_GET['']
request? I want to allow downloading files from one directory only.
$baseDir = "/home/html/xy.com/public_html/downloads/";
$path = realpath($baseDir . $_GET['file']);
下一步是什么?
推荐答案
以下是我在你的台词之后要做的事情:
Here's what I would do after the lines you have there:
if (dirname($path) === $baseDir) {
//Safe
}
基本上,在发送任何文件之前检查文件实际上位于您支持的路径中.请注意,您还必须在文件名(在 $path
中)之前添加您自己的 /
并将其从您的 $baseDir
定义中删除,如dirname()
不会留下尾随路径分隔符.
Basically, do a check before sending anything that the file is actually in that one path you support. Note, you will also have to add your own /
before the filename (in $path
) and remove it from your $baseDir
definition, as dirname()
won't leave a trailing path separator.
这篇关于如何清理 $_GET 变量以防止路径注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!