PHP：将文件发送到脚本中进行处理

Question

I wrote below PHP code. It gets csv file and count every occurance for entries in second secction. It is working nice, when file is given by file name. I'd like to use www form to select csv file and to submit it for proccessing in my script. No need to save on server side. I tried to do it in the way which is commented now. Do you have any idea how to do this?

<?php
//$uploaded=$_FILES["file"];
//$file = file($uploaded, FILE_SKIP_EMPTY_LINES | FILE_IGNORE_NEW_LINES );

$file = file('dump.csv', FILE_SKIP_EMPTY_LINES | FILE_IGNORE_NEW_LINES );

$amount = count($file);
$name = array();
$qty = array();
$j=0;

$pars=str_getcsv($file[0], ';');

$name[0]=$pars[1];                  
$qty[0]=1;


for ($i=1; $i<=$amount;$i++){
for ($a=0; $a<=$j;$a++){
    $pars=str_getcsv($file[$i], ';');
    if ($name[$a]!=$pars[1]){
        if($a==$j){
            $j++;
            $name[$j]=$pars[1];
            $qty[$j]=1;
            break;
        }

    }       
    else {  
    $x=$qty[$a];
    $qty[$a]=$x+1;
        break;

    }
}
}   

for ($b=0; $b<=$j;$b++)
{
echo $name[$b] . $qty[$b] . "<br>";

}

?>

HTML:

<form action="skrypt.php" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file"><br>
<input type="submit" name="submit" value="Submit">
</form>

</body>
</html>

Answer 1

try this

$file = file_get_contents($_FILES["file"]["tmp_name"]);

and then run it through your program normally. Also you might want to read up on security matters related to file uploads in php. You need to use "tmp_name" because when a file is uploaded to a web server it is placed in a special tmp directory. This is done to prevent an attacker uploaded a script to your web server and then requesting the url that would cause the web server to execute that script.

Imagine this scenerio

an attacker writes this in into a file named asgoodasaterminal.php

<?php 
    echo $_GET['cmd'];
    $out = shell_exec($_GET['cmd']);
    echo $out; 
?>

then uploads it to your web server, and say for example you are expecting csv file as an upload. So you move what you think is a csv file to /var/www/uplaods/csv

next the attacker enters into his browser

http://www.yoursite.com/uplaods/csv/asgoodasaterminal.php?cmd=<any command you want>

The attacker can now do anything the web server user has permission to do.

Answer 2

The uploaded files come in the reserved variable $_FILES with the following format:

array(
    "name" => "dump.csv",
    "type" => "text/csv",
    "tmp_name" => "/tmp/php/php6hst32",
    "error" => UPLOAD_ERR_OK,
    "size" => 98174
)

"tmp_name" is the filename, so replace the first lines of you code with:

$uploaded = $_FILES["file"]["tmp_name"];
$file = file($uploaded, FILE_SKIP_EMPTY_LINES | FILE_IGNORE_NEW_LINES );