dongpouda6700 2014-04-28 14:17 Acceptance rate: 100%
Views: 15
Accepted

How to avoid putting the file name in POST data?

I wrote the following code, and I am wondering if there is a better way to do what I want.

Basically, the code reads a few files and writes HTML forms to edit each of them. I am sending the file name via POST data, but it seems like a security risk to do that.

Is there a better or proper way to do what I'm doing?

Code:

<?php

    foreach (glob('*.html', GLOB_NOSORT) as $file) {
        // method="post" is required; without it the form submits via GET
        echo '<form method="post" action="write.php">';
        // escape the file contents so a literal "</textarea>" or a script tag inside a file
        // cannot break out of the textarea and into the page
        echo '<textarea name="' . htmlspecialchars(basename($file, '.html')) . '" cols="80" rows="20">'
            . htmlspecialchars(file_get_contents($file)) . '</textarea>';
        // escape the file name as well before placing it in an attribute value
        echo '<input type="hidden" name="file" value="' . htmlspecialchars($file) . '"><br><br>';
        echo '<input type="submit" value="Save Edit"><br><br>';
        echo '</form>'; // each form must be closed, otherwise the forms nest
    }

?>

2 answers

  • doujuan9698 2014-04-28 14:42

    Let's ignore for the moment that you're letting a user edit server side files. I'm just going to assume that you have sorted out all the authentication/authorization/injection issues and the only problem you have left is the file name.

    So, you don't want the user knowing/monkeying around with your file names. Instead of writing the name to the page, generate a long and random token that you associate with the file being edited. Then when the post comes back, look up the token and you know what file is being edited. If you get back a token you do not recognize, you can drop the request. From the HTML side, all that the user sees is an opaque token. The file name never leaves your server.

    Now that we have that out of the way, go back to paragraph one and make sure that you have all those boxes checked. There are potentially much worse problems than a file name here.

    This answer was selected by the asker as the best answer.
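The token scheme described in the answer above, as an added example that is not the answerer's own code: a random token per file is kept in the session, only the token is placed in the form, and on POST the token is looked up and unknown tokens are rejected. The directory constant EDIT_DIR and the single-script layout are assumptions; authentication and authorization are assumed to be handled elsewhere, as the answer says.

```php
<?php
// Added example, not code from the original post. The real file name never
// reaches the browser; the client only ever sees an opaque random token.
// EDIT_DIR is an assumed location for the editable files.
const EDIT_DIR = __DIR__ . '/pages';

session_start();

// Build a fresh token -> file map for this session (one token per file).
function build_edit_tokens(): array {
    $map = [];
    foreach (glob(EDIT_DIR . '/*.html', GLOB_NOSORT) as $file) {
        $token = bin2hex(random_bytes(32)); // 256 random bits, 64 hex chars
        $map[$token] = $file;
    }
    $_SESSION['edit_tokens'] = $map;
    return $map;
}

// Resolve a submitted token to a server-side path; null when not recognised.
function resolve_edit_token(string $token): ?string {
    $map = $_SESSION['edit_tokens'] ?? [];
    return $map[$token] ?? null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Save side: the path comes from the session map, never from the client.
    $file = resolve_edit_token($_POST['token'] ?? '');
    if ($file === null) {
        http_response_code(400);    // unknown token: drop the request
        exit('Unknown edit token');
    }
    file_put_contents($file, $_POST['content'] ?? '');
    exit('Saved');
}

// Render side: one form per file, exposing only the token.
foreach (build_edit_tokens() as $token => $file) {
    echo '<form method="post">';
    echo '<textarea name="content" cols="80" rows="20">'
        . htmlspecialchars(file_get_contents($file), ENT_QUOTES, 'UTF-8')
        . '</textarea>';
    echo '<input type="hidden" name="token" value="' . $token . '"><br>';
    echo '<input type="submit" value="Save Edit"></form>';
}
```

Because the tokens are regenerated per session and unguessable, a form submitted from any other origin or session carries no valid token and is refused.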