dongpouda6700 2014-04-28 06:17 acceptance rate: 100%
15 views
Accepted

How to avoid putting file names in POST data?

I wrote the following code, and I am wondering if there is a better way to do what I want.

Basically, the code reads a few files and writes HTML forms to edit each of them. I am sending the file name via POST data, but it seems like a security risk to do that.

Is there a better or proper way to do what I'm doing?

Code:

<?php

    // One edit form per *.html file in the current directory.
    foreach (glob('*.html', GLOB_NOSORT) as $file) {
        // method="post" so the data travels in the request body, as the question describes.
        echo '<form method="post" action="write.php">';
        // htmlspecialchars() keeps the file contents from breaking out of the textarea markup.
        echo '<textarea name="' . htmlspecialchars(basename($file, '.html')) . '" cols="80" rows="20">' . htmlspecialchars(file_get_contents($file)) . '</textarea>';
        // The file name sent to the client is the part the question is asking about.
        echo '<input type="hidden" name="file" value="' . htmlspecialchars($file) . '"><br><br>';
        echo '<input type="submit" value="Save Edit"><br><br>';
        echo '</form>';
    }

?>

2 answers

  • doujuan9698 2014-04-28 06:42

    Let's ignore for the moment that you're letting a user edit server side files. I'm just going to assume that you have sorted out all the authentication/authorization/injection issues and the only problem you have left is the file name.

    So, you don't want the user knowing/monkeying around with your file names. Instead of writing the name to the page, generate a long and random token that you associate with the file being edited. Then when the post comes back, look up the token and you know what file is being edited. If you get back a token you do not recognize, you can drop the request. From the HTML side, all that the user sees is an opaque token. The file name never leaves your server.

    Now that we have that out of the way, go back to paragraph one and make sure that you have all those boxes checked. There are potentially much worse problems than a file name here.

    This answer was chosen as the best answer by the asker.
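The token approach from the accepted answer, written out as an added example (this is not code from the original post or the asker's site). It assumes PHP 7 or later (for `random_bytes()`), that the editable files live in a fixed directory `$EDIT_DIR`, and that the user has already been authenticated before this page runs; the directory name and the `content`/`file` field names are chosen here for illustration.

```php
<?php
// Added example: opaque per-file edit tokens instead of file names in the form.
// Assumption: the user is already authenticated and authorised to edit these files.
session_start();

$EDIT_DIR = __DIR__ . '/editable';   // assumed location of the *.html files

function h(string $s): string {
    // Escape for HTML so file contents and tokens cannot break out of the markup.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function token_map(): array {
    // token => file name. Lives only in the server-side session.
    if (!isset($_SESSION['edit_tokens'])) {
        $_SESSION['edit_tokens'] = [];
    }
    return $_SESSION['edit_tokens'];
}

function token_for(string $file): string {
    // Reuse the token already issued for this file in this session, if any.
    $existing = array_search($file, token_map(), true);
    if ($existing !== false) {
        return $existing;
    }
    $token = bin2hex(random_bytes(32));   // 256 random bits: not guessable
    $_SESSION['edit_tokens'][$token] = $file;
    return $token;
}

function file_for_token(string $token): ?string {
    // Only tokens we issued map to a file; anything else yields null.
    return token_map()[$token] ?? null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_POST['file'] ?? '';
    // Reject anything that is not a 64-hex-char token before looking it up.
    if (!is_string($token) || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        http_response_code(400);
        exit('Unknown edit token');
    }
    $file = file_for_token($token);
    if ($file === null) {
        http_response_code(400);
        exit('Unknown edit token');
    }
    // The path is built from the server-side name; the client never supplied it.
    $content = $_POST['content'] ?? '';
    file_put_contents($EDIT_DIR . '/' . $file, is_string($content) ? $content : '', LOCK_EX);
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

foreach (glob($EDIT_DIR . '/*.html', GLOB_NOSORT) as $path) {
    $file  = basename($path);
    $token = token_for($file);
    echo '<form method="post" action="">';
    echo '<textarea name="content" cols="80" rows="20">' . h(file_get_contents($path)) . '</textarea>';
    // Only the opaque token reaches the browser; the file name stays on the server.
    echo '<input type="hidden" name="file" value="' . h($token) . '"><br><br>';
    echo '<input type="submit" value="Save Edit"><br><br>';
    echo '</form>';
}
```

Because the token is bound to the session that issued it, a forged or replayed token from another session is dropped, which also gives the form a basic CSRF defence. It does nothing about the answer's first paragraph: who is allowed to reach this page and edit these files still has to be decided by authentication and authorisation in front of it.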