PHP-我应该清理$ _FILES [“文件名”] [“ tmp_name”]
[英]PHP - Should I sanitize $_FILES[“filename”][“tmp_name”]
问题描述
Before I call move_uploaded_file, should I do anything about this specific variable: 
在调用move_uploaded_file之前,应该对这个特定变量做任何事情:
$_FILES["filename"]["tmp_name"]
Thank you 谢谢
3 个解决方案
解决方案1
3 2010-08-28 15:06:15
No. That's generated and assigned by PHP, and will be useless/invalid the moment your script exits, as PHP will delete any uploaded files which you have not dealt with yet. 不行。它是由PHP生成和分配的,在脚本退出时将是无用的/无效的,因为PHP会删除您尚未处理的所有上传文件。 It'll be something like "/tmp/a34632rsfd234". 类似于“ / tmp / a34632rsfd234”。 There's no point in preserving its value. 保持其价值毫无意义。 However, $_FILES['filename']['name'] is the original filename of the file from the client's machine, and if you're preseving that, then you need to treat it as toxic waste and sanitize it. 但是, $_FILES['filename']['name']是客户端计算机中文件的原始文件名,如果您假设这样做,则需要将其视为有毒废物并进行消毒。
解决方案2
3 已采纳 2010-08-28 15:07:13
There's not much you can do with the variable itself, but you should test the file to ensure that it is of the type you were expecting—an image, for example. 您可以使用变量本身做很多事情,但是您应该测试文件以确保它属于您期望的类型,例如图像。 Never rely on the file extension for determining the file type. 切勿依靠文件扩展名来确定文件类型。 Don't, for example, assume that something with a .jpg extension is actually a JPEG file. 例如,不要假设扩展名为.jpg东西实际上是JPEG文件。
解决方案3
1 2010-08-28 15:06:37
否,因为其中的值将始终是文件系统的有效文件名(因为它指向磁盘上的文件)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.