Warning: file_get_contents(/data/phpspider/zhask/data//catemap/1/php/287.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Php fwrite()和特殊字符_Php - Fatal编程技术网
Fatal编程技术网
  • php/
  • Php fwrite()和特殊字符

Php fwrite()和特殊字符

php

Php fwrite()和特殊字符,php,Php,这是在我的网站上载“file.txt”的URL,其中包含“var$”内容: “fwrite.php”的内容是: 尝试编码 mb_convert_encoding($file, 'HTML-ENTITIES', "UTF-8"); 脆弱性警察 $myFile = $_GET['myFile']; $fh = fopen($myFile, 'w') 别动!这是危险代码;即使权限通常不允许造成太大的损坏,您至少应该清理变量(以免传递路径,如。/../../etc/passwd: if (isset

这是在我的网站上载“file.txt”的URL,其中包含“var$”内容:

“fwrite.php”的内容是:

尝试编码


mb_convert_encoding($file, 'HTML-ENTITIES', "UTF-8");



脆弱性警察


$myFile = $_GET['myFile'];
$fh = fopen($myFile, 'w')


别动!这是危险代码;即使权限通常不允许造成太大的损坏,您至少应该清理变量(以免传递路径,如
。/../../etc/passwd


if (isset($_GET['myFile'])) {
    $fileName = basename($_GET['myFile']); // strip off all paths
    $fh = fopen($fileName, 'w') or die('...');
}


编码
+

如果URL的QS部分中出现文字
+
,它将根据标准转换为空格

如果预期值为
hello+world
,则其编码必须如下所示:


stringData=hello%2Bworld



大家好,我已经用%2B代替“+”符号解决了这个问题

这对修复漏洞正确吗


<?php
if (isset($_GET['myFile'])) {
    $myFile = basename($_GET['myFile']);
    $fh = fopen($myFile, 'w') or die("can't open file");
}
$stringData = $_GET['stringData'];
fwrite($fh, $stringData);
fclose($fh);
?>





stringData=hello%2Bworld



<?php
if (isset($_GET['myFile'])) {
    $myFile = basename($_GET['myFile']);
    $fh = fopen($myFile, 'w') or die("can't open file");
}
$stringData = $_GET['stringData'];
fwrite($fh, $stringData);
fclose($fh);
?>