
Detailed explanation of usage tips of PHP uploaded_files function_PHP tutorial

WBOY
2016-07-15 13:33:13

In earlier PHP versions, uploading files was most likely achieved through the following code:

    // ......
    if (isset($_FILES['file'])) {   // guard line missing from the page; reconstructed
        $tmp_name = $_FILES['file']['tmp_name'];
    }
    if (file_exists($tmp_name)) {
        copy($tmp_name, $destfile);
    }
    // ......

But the $_FILES['file'] array may well be forged. If tmp_name is set to /etc/passwd or another sensitive file, security problems easily follow. Later PHP versions solved this with is_uploaded_file() and move_uploaded_file(). These functions check not only that $_FILES['file']['tmp_name'] exists but also that it is an uploaded file, which makes it impossible to forge the $_FILES variable, because the script terminates when it finds that $_FILES['file']['tmp_name'] is not a PHP upload.

Has forgery really become impossible? In many scripts I see operations such as @extract($_POST) in the initialization part, so that the program keeps running in an environment where register_globals is off. In such an environment we can easily forge the $_FILES array, and even overwrite the original $_FILES array, but it is still very difficult to fake a $_FILES array completely, because you cannot bypass is_uploaded_file() and move_uploaded_file().

But when testing PHP under Windows, we found that PHP's temporary file names are very regular, in the form C:\WINDOWS\TEMP\PHP93.tmp. An uploaded file is named C:\WINDOWS\TEMP\PHPXXXXXX.tmp, where XXXXXX is a hexadecimal number that increases in order. That is, if the temporary file for this upload is C:\WINDOWS\TEMP\PHP93.tmp, the next one will be C:\WINDOWS\TEMP\PHP94.tmp, so temporary file names become predictable.

We may not know what the current file name is, but it can be leaked through PHP's own error mechanism. For example, copying the temporary file to a directory without permission, or including characters that the file system forbids in the target file name, reveals the current temporary file name, provided there is no error suppression.

So how can is_uploaded_file() and move_uploaded_file() be bypassed? Look at the relevant part of the PHP source:

    PHP_FUNCTION(is_uploaded_file)
    {
        zval **path;
        if (!SG(rfc1867_uploaded_files)) {
            RETURN_FALSE;
        }
        if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &path) != SUCCESS) {
            ZEND_WRONG_PARAM_COUNT();
        }
        convert_to_string_ex(path);
        if (zend_hash_exists(SG(rfc1867_uploaded_files), Z_STRVAL_PP(path), Z_STRLEN_PP(path)+1)) {
            RETURN_TRUE;
        } else {
            RETURN_FALSE;
        }
    }

It looks in the current rfc1867_uploaded_files hash table to see whether the given file name exists. rfc1867_uploaded_files holds the upload-related variables and content generated by the system and PHP while the current PHP script runs. If the name exists, the specified file was indeed uploaded in this request; otherwise it was not.

A very strange feature of PHP is that when you submit an upload form, the file has already been uploaded to the temporary directory before PHP processes it, and it is not destroyed until the PHP script ends. In other words, even if you submit such a form to a PHP script that does not accept the $_FILES variable, the $_FILES variable is still generated and the file is still uploaded to the temporary directory first. This creates a problem, which the following script illustrates:

    <?php
    $a = $_FILES['attach']['tmp_name'];
    echo $a . "………….";
    $file = 'C:\WINDOWS\TEMP\PHP95.tmp';
    echo $file;
    if (is_uploaded_file($file)) echo '………………Yes';
    ?>

Here C:\WINDOWS\TEMP\PHP95.tmp is the temporary file name I guessed. When testing this script, we need to upload one file, or 100 files, to it so that one of the temporary files is named C:\WINDOWS\TEMP\PHP95.tmp. If the script performs an extract operation at that moment, we can easily forge a $_FILES variable, can't we?

You may ask what forging the $_FILES variable is good for. It lets us produce file names that the original program does not allow. When PHP processes an upload it performs an operation similar to basename() on the original file name, but once the array can be forged we can easily put ../ and anything else we like into the file name.

Actually exploiting this may require rather strict conditions, but it is a flaw in PHP after all. Hehe.
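A defensive counterpart to the forgery described above, as an added example that is not part of the original article: request keys are imported by allowlist instead of extract(), and the client-supplied file name contributes only a vetted extension, so a forged name containing ../ never reaches the file system. The function names, the extension allowlist and the destination directory are assumptions.

```php
<?php
// Added example (not from the original article). Function names, the
// extension allowlist and the destination directory are assumptions.

// Replacement for extract($_POST): copy only the keys the script expects,
// so a request key such as "_FILES" can never overwrite an existing variable.
function import_allowed(array $source, array $allowed): array
{
    return array_intersect_key($source, array_flip($allowed));
}

// Build the stored name on the server. The client-supplied name contributes
// only an allowlisted extension, so "../" in a forged name is never used.
function safe_target_name(string $clientName, array $allowedExt): ?string
{
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Store one $_FILES entry; returns the stored path, or null when rejected.
function store_upload(array $entry, string $destDir, array $allowedExt): ?string
{
    $tmp  = $entry['tmp_name'] ?? null;
    $name = $entry['name'] ?? null;
    if (($entry['error'] ?? null) !== UPLOAD_ERR_OK
        || !is_string($tmp) || !is_string($name)
        || !is_uploaded_file($tmp)) {
        return null;
    }
    $stored = safe_target_name($name, $allowedExt);
    if ($stored === null) {
        return null;
    }
    $target = rtrim($destDir, '/\\') . DIRECTORY_SEPARATOR . $stored;
    return move_uploaded_file($tmp, $target) ? $target : null;
}

// Constructed sample input: a POST body that tries to smuggle a "_FILES" key.
$post  = ['title' => 'holiday', '_FILES' => ['attach' => ['name' => '../x.php']]];
$allow = ['jpg', 'png'];
var_dump(import_allowed($post, ['title']));          // only expected keys survive
var_dump(safe_target_name('../../x.php', $allow));   // forged name, script extension
var_dump(safe_target_name('..\\photo.JPG', $allow)); // forged path, allowed extension
```

In a real handler, pass store_upload() an entry read directly from $_FILES (for example $_FILES['attach']) and take every other request field through import_allowed().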
