doushi9444 2015-11-16 01:20
浏览 70
已采纳

当使用$ _POST属性文件名时,如何告诉PHP将文件保存在特定文件夹中?

I'm having some trouble getting my script to save a file in a particular folder, normally the syntax would call for quotes around the entire path but because I'm using $_POST to name the file it just doesn't work out that way. So far this is what I have.

<?php ini_set('display_errors','on'); ?><?php

$fileName= fopen("Submissions/".$_POST['first_name'],'w');
$data= "";

foreach ($_POST as $key => $value) {
$data.= str_replace("_"," ",$key).":

 ". $value."



"; preg_replace("/[^ 0-9a-zA-Z]/", "_", $value);
}

fwrite($fileName, $data);
fclose($fileName);


?>
  • 写回答

1条回答 默认 最新

  • doubeijian2257 2015-11-16 02:04
    关注

    You have several problems. First, you have syntax errors. Second, you have serious security vulnerabilities.

    Let's start with the first syntax errors. This line:

    $fileName= fopen(Submissions/$_POST['first_name'],'w');
    

    Is invalid. You want to use string concatenation, like this:

    $fileName= fopen("Submissions/" . $_POST['first_name'],'w');
    

    But that's a huge security vulnerability. If $_POST['first_name'] is something bad like ../../../etc/passwd, you could be in for a world of hurt.

    Then there's this:

    fwrite(Submissions/$fileName, $data);
    

    That's invalid syntax (again, string concatenation) and, again, insecure. It's also just wrong. You need a file resource, not a path name, as the first parameter.

    In both of these places, you must validate the data before using it this way. Otherwise, expect to get hacked repeatedly.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 Opencv配置出错
  • ¥15 模电中二极管,三极管和电容的应用
  • ¥15 关于模型导入UNITY的.FBX: Check external application preferences.警告。
  • ¥15 气象网格数据与卫星轨道数据如何匹配
  • ¥100 java ee ssm项目 悬赏,感兴趣直接联系我
  • ¥15 微软账户问题不小心注销了好像
  • ¥15 x264库中预测模式字IPM、运动向量差MVD、量化后的DCT系数的位置
  • ¥15 curl 命令调用正常,程序调用报 java.net.ConnectException: connection refused
  • ¥20 关于web前端如何播放二次加密m3u8视频的问题
  • ¥15 使用百度地图api 位置函数报错?