在PHP 3 以后可以通过 is_uploaded_file() 函数来判断 $_FILES['userfile']['name'] 是否是通过http post方法上传的,从而可以在一定程序上降低风险!
实例如下:
<?php
if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
echo "File ". $_FILES['userfile']['name'] ." uploaded successfully./n";
echo "Displaying contents/n";
readfile($_FILES['userfile']['tmp_name']);
} else {
echo "Possible file upload attack: ";
echo "filename '". $_FILES['userfile']['tmp_name'] . "'.";
}
?>
在PHP 3以前则可按以下方法来判断:
<?php
/* Userland test for uploaded file. */
function is_uploaded_file($filename)
{
if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
$tmp_file = dirname(tempnam('', ''));
}
$tmp_file .= '/' . basename($filename);
/* User might have trailing slash in php.ini... */
return (ereg_replace('/+', '/', $tmp_file) == $filename);
}
/* This is how to use it, since you also don't have
* move_uploaded_file() in these older versions: */
if (is_uploaded_file($HTTP_POST_FILES['userfile'])) {
copy($HTTP_POST_FILES['userfile'], "/place/to/put/uploaded/file");
} else {
echo "Possible file upload attack: filename '$HTTP_POST_FILES[userfile]'.";
}
?>
以上为我在PHP帮助文档中整理得到