
Detailed explanation of how to use the uploaded_files function in PHP_PHP tutorial

WBOY
2016-07-21 15:31:05

Friends who know something about the PHP language know that it contains a powerful function library. Let's take a look at the specific functions of the PHP uploaded_files function today.
In earlier PHP versions, uploading files was most likely achieved through the following code:


    ......
    if (isset($_FILES['file'])) {
        $tmp_name = $_FILES['file']['tmp_name'];
    }
    if (file_exists($tmp_name)) {
        copy($tmp_name, $destfile);
    }
    ......

However, the $_FILES['file'] array may be forged: if tmp_name is set to the path of a sensitive file such as /etc/passwd, security problems can easily follow. Later PHP versions solved this problem with is_uploaded_file() and move_uploaded_file(). These functions check not only that $_FILES['file']['tmp_name'] exists but also that $_FILES['file']['tmp_name'] is an uploaded file, which makes it impossible to forge the $_FILES variable, because the script will terminate execution when it finds that $_FILES['file']['tmp_name'] is not a PHP upload.
Has forgery really become impossible? In many scripts, I see operations such as @extract($_POST) in the initialization part, there to ensure that the program can keep running in an environment where register_globals is off. In such an environment we can easily forge the $_FILES array, or even overwrite the original $_FILES array, but completely faking a $_FILES array is still very difficult, because you cannot get around is_uploaded_file() and move_uploaded_file().
But when testing PHP under Windows, we found that PHP's temporary file names are very regular, in the form C:\WINDOWS\TEMP\PHP93.tmp. On each upload the file name changes following the pattern C:\WINDOWS\TEMP\PHPXXXXXX.tmp, where XXXXXX is a hexadecimal number that increases in order. That is to say, if the temporary file name for this upload is C:\WINDOWS\TEMP\PHP93.tmp, then the next one will be C:\WINDOWS\TEMP\PHP94.tmp. The temporary file names are predictable.
But we may not know what the current file name is. It can be leaked through PHP's own error mechanism. For example, if the temporary file is copied to a directory without permission, or the target file name contains characters prohibited by the file system, the current temporary file name can be leaked, provided of course that errors are not suppressed.
So how can is_uploaded_file() and move_uploaded_file() be bypassed? Take a look at the relevant code in PHP:

    PHP_FUNCTION(is_uploaded_file)
    {
        zval **path;
        if (!SG(rfc1867_uploaded_files)) {
            RETURN_FALSE;
        }
        if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &path) != SUCCESS) {
            ZEND_WRONG_PARAM_COUNT();
        }
        convert_to_string_ex(path);
        if (zend_hash_exists(SG(rfc1867_uploaded_files), Z_STRVAL_PP(path), Z_STRLEN_PP(path)+1)) {
            RETURN_TRUE;
        } else {
            RETURN_FALSE;
        }
    }

It looks in the current rfc1867_uploaded_files hash table to see whether the given file name exists. rfc1867_uploaded_files holds the variables and content related to file uploads that the system and PHP generated while the current PHP script is running. If the name exists, the specified file was indeed uploaded in this request; otherwise it was not.
A rather odd feature of PHP is that when you submit an upload form, the file has already been uploaded to the temporary directory before PHP processes it, and it is not destroyed until the PHP script ends. In other words, even if you submit such a form to a PHP script that does not accept the $_FILES variable, the $_FILES variable will still be generated and the file will still be uploaded to the temporary directory first. This is where a problem arises. The following script illustrates it:

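    <?php
    // Temporary name PHP assigned to the file uploaded in this request
    $a = $_FILES['attach']['tmp_name'];
    echo $a . "………….";
    // Guessed temporary file name
    $file = 'C:\WINDOWS\TEMP\PHP95.tmp';
    echo $file;
    if (is_uploaded_file($file)) echo '………………Yes';
    ?>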

C:\WINDOWS\TEMP\PHP95.tmp is the name of the temporary file I guessed. When testing this script, we needed to upload a file or 100 files to it, so that one of the temporary files was named C:\WINDOWS\TEMP\PHP95.tmp. If the script performs an extract operation at this moment, we can easily forge a $_FILES variable.
You may want to ask what forging the $_FILES variable is good for. It lets us produce file names that the original program does not allow. When PHP processes an upload, it performs an operation similar to basename() on the original file name, but once the array can be forged, we can easily add ../ and the like to the file name, whatever you like.
Actually exploiting this may require rather strict conditions, but it is a flaw in PHP after all, haha.
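
A hardened counterpart to the handlers discussed above, added here as an example and not taken from the original article or from PHP itself: it replaces extract($_POST) with an allow-list, checks is_uploaded_file(), and generates the stored file name on the server so that a forged name containing ../ has no effect. UPLOAD_DIR, import_post() and store_upload() are hypothetical names, and the destination path is an assumption.

```php
<?php
// Added example, not the article's code. UPLOAD_DIR, import_post() and
// store_upload() are hypothetical names; the 'file' field follows the article.
const UPLOAD_DIR = '/var/www/uploads'; // assumed destination directory

// Keep warnings, which can reveal the temporary file name, out of responses.
ini_set('display_errors', '0');

// Replacement for extract($_POST): copy only expected keys, so a POST field
// named "_FILES" can never overwrite the real upload array.
function import_post(array $post, array $allowed): array
{
    return array_intersect_key($post, array_flip($allowed));
}

// Returns the stored path, or null when the entry is not a genuine upload.
function store_upload(array $entry, string $dir): ?string
{
    // A forged entry may lack keys or carry the wrong types.
    if (!isset($entry['tmp_name'], $entry['error'])
        || !is_string($entry['tmp_name'])
        || $entry['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // True only for paths PHP recorded while parsing this request's body.
    if (!is_uploaded_file($entry['tmp_name'])) {
        return null;
    }
    // Ignore the client-supplied name entirely: a forged array could put
    // "../" in it. The stored name is generated on the server.
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.upload';
    // move_uploaded_file() repeats the upload check before moving the file.
    return move_uploaded_file($entry['tmp_name'], $dest) ? $dest : null;
}

// Constructed sample: a forged entry of the kind the article describes.
$forged = ['name' => '../x.php', 'tmp_name' => '/etc/passwd', 'error' => 0];
var_dump(store_upload($forged, UPLOAD_DIR));

// Constructed sample: POST data that extract() would turn into $_FILES.
$post = ['title' => 'report', '_FILES' => ['file' => $forged]];
var_dump(import_post($post, ['title']));

// Real request path: only the untouched superglobal is consulted.
if (isset($_FILES['file']) && is_array($_FILES['file'])) {
    $stored = store_upload($_FILES['file'], UPLOAD_DIR);
}
```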
