问题描述

您好，我希望使我的小程序安全，以便潜在的恶意用户无法查看服务器上的敏感文件.

Greetings,I'm hoping to make my tiny program secure so that potential malicious users cannot view sensitive files on the server.

    $path = "/home/gsmcms/public_html/central/app/webroot/{$_GET['file']}";


    if(file_exists($path)) {
        echo file_get_contents($path);
    } else {
        header('HTTP/1.1 404 Not Found');
    }

我知道像../../../../../../etc/passwd"这样的输入会很麻烦，但想知道我应该做哪些其他恶意输入期望以及如何防止它们.

Off the top of my head I know that input such as '../../../../../../etc/passwd' would be trouble, but wondering what other malcious inputs I should expect and how to prevent them.

推荐答案

realpath() 将让您将任何可能包含相对信息的路径转换为绝对路径...然后您可以确保该路径位于您希望允许下载的某个子目录下.

realpath() will let you convert any path that may contain relative information into an absolute path...you can then ensure that path is under a certain subdirectory that you want to allow downloads from.

这篇关于在 PHP 中清理文件路径的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！