A brief discussion on vulnerabilities on the web, principle analysis, and prevention methods (PHP tutorial)
1. Detect the file type and save it with the user’s file name
The code is as follows:

<?php
if (isset($_FILES['img'])) {
    $file = save_file($_FILES['img']);
    if ($file === false) exit('Failed to save!');
    echo "Save successful!", $file;
}

function check_file($img) {
    // Reject uploads that already failed at the PHP level
    if ($img['error'] > 0) return false;
    $tmpfile  = $img['tmp_name'];
    $filename = $img['name'];
    // Locate the right-most "." to read the extension
    $len = strrpos($filename, ".");
    if ($len === false) return false;
    // Get the extension, lower-cased, and allow only image extensions
    $ext = strtolower(substr($filename, $len + 1));
    if (!in_array($ext, array('jpg', 'jpeg', 'png'))) return false;
    return true;
}

function save_file($img) {
    if (!check_file($img)) return false;
    // Format check passed, move the data; the user-supplied name is kept as-is
    $filename = $img['name'];
    $newfile  = "upload/" . $filename;
    if (!move_uploaded_file($img["tmp_name"], $newfile)) return false;
    return $newfile;
}
?>

The code above also checks the type of the input, and on a first reading there seems to be nothing wrong with it. The problem lies precisely in how the file name obtained from the user is handled: the incoming name is taken directly and used as the name the file is saved under. Some will say: file names like these already exist on my computer, and the operating system's rules limit what a file name can look like. But note that the values in $_FILES come straight from the HTTP request, exactly like any other GET or POST variable. People with bad intentions therefore often simulate the browser themselves and send the server a specially constructed file name, and when you save the file, it ends up in the format they chose. A few years ago, if a string used as a file name contained a null byte (\0), everything after it was silently truncated when the file was saved. For example, suppose $filename is constructed as "a.php\0.jpg". What does it become? $newfile = "upload/a.php\0.jpg". The extension check passes, because the characters after the right-most "." are jpg, an allowed image format. But as soon as the file is saved under that name, a.php appears on disk in the upload directory, and everything after the null byte has been dropped.

This vulnerability was all the rage at the time; almost every hosting website had the hole, and many platforms shut down uploads for a while. The root cause is simple: we took the user's file name and used it as the name of the file we generated. A good approach is to generate the file name randomly and determine the extension yourself, which prevents special characters in the input from being discarded or from truncating the name when the file is saved. The vulnerability could be exploited in the PHP 4 era. In the PHP 5 era the null byte is automatically filtered out of the generated file name value, so whatever special null-byte name the user constructs, it is cut off and the trick fails. However, this type of vulnerability still appears frequently on ASP, JSP and other sites, and on sites running older versions of PHP.
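The mitigation described above (a random server-side name plus an extension chosen by the server from the file's contents rather than from the request) looks like this in practice. This is an added example, not code from the original tutorial; it assumes PHP 7 or later (for random_bytes) with the fileinfo extension enabled, reuses the tutorial's "upload/" directory and 'img' form field, and the function names save_file_safely, detect_image_ext and original_name_is_suspicious are hypothetical.

```php
<?php
// Added example: never reuse the client-supplied name. The directory "upload/"
// and the field name 'img' are taken from the tutorial's own snippet.

function allowed_image_types() {
    // MIME type detected from the bytes => extension the server will write
    return array(
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
    );
}

function detect_image_ext($tmpfile) {
    // Only accept a file that PHP itself received in this request
    if (!is_uploaded_file($tmpfile)) return false;
    // Inspect the bytes; $_FILES['type'] is client-controlled and is ignored
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpfile);
    $types = allowed_image_types();
    if ($mime === false || !isset($types[$mime])) return false;
    // Cross-check: the image parser must agree with the MIME sniff
    $info = @getimagesize($tmpfile);
    if ($info === false) return false;
    $parsed = ($info[2] === IMAGETYPE_JPEG) ? 'jpg'
            : (($info[2] === IMAGETYPE_PNG) ? 'png' : false);
    if ($parsed !== $types[$mime]) return false;
    return $parsed;
}

function save_file_safely($img, $dir = 'upload') {
    if (!isset($img['error']) || $img['error'] !== UPLOAD_ERR_OK) return false;
    $ext = detect_image_ext($img['tmp_name']);
    if ($ext === false) return false;
    // Name generated server-side: 32 hex chars plus our own extension, so no
    // character from the request can reach the filesystem path
    $newname = bin2hex(random_bytes(16)) . '.' . $ext;
    $newfile = rtrim($dir, '/') . '/' . $newname;
    if (!move_uploaded_file($img['tmp_name'], $newfile)) return false;
    return $newfile;
}

function original_name_is_suspicious($name) {
    // Defence in depth for the name you may still log or store in a database:
    // null bytes, path separators or traversal sequences do not belong there
    return strpos($name, "\0") !== false
        || strpbrk($name, "/\\") !== false
        || strpos($name, '..') !== false;
}

if (isset($_FILES['img'])) {
    $orig = $_FILES['img']['name'];
    if (original_name_is_suspicious($orig)) {
        // Log the raw bytes in hex so the null byte is visible in the log
        error_log('rejected upload, suspicious name: ' . bin2hex($orig));
        exit('Failed to save!');
    }
    $file = save_file_safely($_FILES['img']);
    if ($file === false) exit('Failed to save!');
    echo "Save successful!", $file;
}
```

The point of the design is that the saved path is built entirely from values the server produced: a random name and an extension derived from what the bytes actually are. The check on the original name is not what makes the save safe; it only keeps a null byte or a path separator out of whatever you record about the upload elsewhere.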