Should I somehow protect my $_FILE user input?
I want to make my site hack-proof so this is why I do:
Text: mysql_real_escape_string($myVar);
Number: (int)$myVar;
Should I use something similar for the file array that is given by $myVar = $_FILE['myFile']; ?
Sanitizing file names is very important.
There are also some issues that you might want to cover, for instance not all the allowed chars in Windows are allowed in *nix, and vice versa. A filename may also contain a relative path and could potentially overwrite other non-uploaded files.
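This upload function is taken from here:

    // Class method from the quoted library: self::Path(), self::Chmod() and
    // ph()->Text->Slug() are that library's own helpers.
    function Upload($source, $destination, $chmod = null)
    {
        $result = array();
        $destination = self::Path($destination);

        if ((is_dir($destination) === true) && (array_key_exists($source, $_FILES) === true))
        {
            // Single-file upload: wrap each field in an array so one loop handles
            // both layouts. Tested with is_array() rather than an element count,
            // because PHP 8.1+ adds a full_path entry to $_FILES.
            if (is_array($_FILES[$source]['name']) === false)
            {
                foreach ($_FILES[$source] as $key => $value)
                {
                    $_FILES[$source][$key] = array($value);
                }
            }

            // basename() strips any directory part from the client-supplied name.
            foreach (array_map('basename', $_FILES[$source]['name']) as $key => $value)
            {
                $result[$value] = false;

                if ($_FILES[$source]['error'][$key] == UPLOAD_ERR_OK)
                {
                    // Restrict the name to a safe character set.
                    $file = ph()->Text->Slug($value, '_', '.');

                    // On a name collision, insert the content hash before the extension.
                    if (file_exists($destination . $file) === true)
                    {
                        $file = substr_replace($file, '_' . md5_file($_FILES[$source]['tmp_name'][$key]), strrpos($value, '.'), 0);
                    }

                    // move_uploaded_file() only moves files that arrived via HTTP POST upload.
                    if (move_uploaded_file($_FILES[$source]['tmp_name'][$key], $destination . $file) === true)
                    {
                        if (self::Chmod($destination . $file, $chmod) === true)
                        {
                            $result[$value] = $destination . $file;
                        }
                    }
                }
            }
        }

        return $result;
    }
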
The important parts are:
1) Make sure that the file doesn't contain any relative paths.
2) ph()->Text->Slug(): this makes sure only .0-9a-zA-Z are allowed in the filename; all the other chars are replaced by underscores (_).
3) md5_file(): this is added to the filename iff another file with the same name already exists.
See how well it's explained here.
Depends on use case. For example, if you save filename to DB, you should escape it as string. Also, you should protect from uploading and executing a PHP script.
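
A stand-alone sketch of the filename checks both answers describe (path stripping, the .0-9a-zA-Z whitelist, and refusing script uploads), added here as an example and not taken from the quoted library. The function name `safe_upload_name`, the extension lists and the sample names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: turn a client-supplied upload name into a name that
// is safe to store, or return null to reject the upload.
function safe_upload_name(string $clientName, array $allowedExt): ?string
{
    // basename() only splits on "/" on *nix, so normalise "\" first;
    // this drops any directory part such as "../../" or "C:\dir\".
    $name = basename(str_replace('\\', '/', $clientName));

    // Same whitelist the answer describes: anything outside .0-9a-zA-Z
    // becomes "_".
    $name = preg_replace('/[^.0-9a-zA-Z]/', '_', $name);

    // Collapse runs of dots and drop leading dots (".htaccess", "..").
    $name = ltrim(preg_replace('/\.{2,}/', '.', $name), '.');

    $parts = explode('.', strtolower($name));
    if (count($parts) < 2 || $parts[0] === '') {
        return null;                    // no base name or no extension
    }
    // The final extension must be on the caller's whitelist ...
    if (!in_array(end($parts), $allowedExt, true)) {
        return null;
    }
    // ... and no inner segment may be a script extension, because some web
    // server configurations execute "shell.php.jpg" as PHP.
    $script = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'pht', 'cgi', 'pl'];
    if (array_intersect(array_slice($parts, 1, -1), $script) !== []) {
        return null;
    }
    return $name;
}

// Constructed sample names, as they could arrive in $_FILES[...]['name'].
$samples = ['holiday photo.jpg', '../../etc/passwd', 'C:\\temp\\report.pdf',
            'shell.php', 'SHELL.PHP.jpg', '.htaccess'];
foreach ($samples as $s) {
    $out = safe_upload_name($s, ['jpg', 'png', 'pdf']);
    printf("%-20s => %s\n", $s, $out ?? 'REJECTED');
}
```

The name check is only one layer: storing uploads outside the web root, or in a directory where the server does not run scripts, covers the "executing" half of the second answer.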