本文介绍了如何清理 $_GET 变量以防止路径注入?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

清理 $_GET[''] 请求的最佳方法是什么?我想只允许从一个目录下载文件.

What is the best way to sanitize $_GET[''] request? I want to allow downloading files from one directory only.

$baseDir = "/home/html/xy.com/public_html/downloads/";
$path = realpath($baseDir . $_GET['file']);

下一步是什么?

推荐答案

以下是我在你的台词之后要做的事情:

Here's what I would do after the lines you have there:

if (dirname($path) === $baseDir) {
    //Safe
}

http://php.net/dirname

基本上,在发送任何文件之前检查文件实际上位于您支持的路径中.请注意,您还必须在文件名(在 $path 中)之前添加您自己的 / 并将其从您的 $baseDir 定义中删除,如dirname() 不会留下尾随路径分隔符.

Basically, do a check before sending anything that the file is actually in that one path you support. Note, you will also have to add your own / before the filename (in $path) and remove it from your $baseDir definition, as dirname() won't leave a trailing path separator.

这篇关于如何清理 $_GET 变量以防止路径注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-05 12:20