PHP-为什么可以通过$ _File数组获取pathinfo
[英]PHP - why should I use pathinfo when I can get it through $_File array
问题描述
why should I use this code to get the name of the file? 
为什么要使用此代码来获取文件名?
$filename = pathinfo($_FILES['file']['name'], PATHINFO_FILENAME)
If I could also get the name through this code: 如果我也可以通过以下代码获得名称:
$filename = $_File['file']['name']
Thank you very much! 非常感谢你! I'm a beginner in PHP, so sorry if the question is too dumb :D 我是PHP的初学者,如果问题太傻了,请抱歉:D
1 个解决方案
解决方案1
0 已采纳 2018-08-18 23:33:36
Because $_File['file']['name'] comes from the user end, and although ordinarily it is just the file name, an ill-intentioned user can actually set it to whatever he wants (example: full path name to overwrite files in the server) and you have to filter it just like every other user input to prevent an attack vector in your system. 因为$_File['file']['name']来自用户端,尽管通常它只是文件名,但是恶意用户实际上可以将其设置为所需的名称(例如:要覆盖的完整路径名)服务器中的文件),您必须像其他所有用户输入一样对其进行过滤,以防止系统中出现攻击媒介。
Same is true for everything in $_FILE , don't trust the informed MIME type , don't save files without checking if the extension is safe (saving a .php file will be a disaster) etc. $_FILE所有内容也是如此,不要相信通知的MIME type ,不要在不检查扩展名是否安全的情况下保存文件(保存.php文件将是一场灾难)等。
For example, I've seen a system that would trust files of type equal to image/jpeg and other image types, and then saves it without checking the actual file extension. 例如,我见过一个系统,该系统将信任type等于image/jpeg和其他图像类型的文件,然后在不检查实际文件扩展名的情况下将其保存。 A forged request can inject a .php shell script to this website's upload folder and be used to take control. 伪造的请求可以向该网站的上载文件夹注入.php shell脚本,并用于控制。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.