我有一个函数来检查文件是否通过jQuery这使得调用它,我将使用一个按钮,在我的索引页中点击更改特定的图像时,PHP脚本存在。
jQuery函数:
函数FILEEXISTS(路径){
$ .getJSON(/ AJAX / fileExists.php,{路径:路径},
功能(数据){
返回data.path;
});
}
fileExists.php:
$ PATH = $ _ SERVER ['DOCUMENT_ROOT']'/包'$ _ GET ['路径']。。
如果(file_exists($路径)){
回声json_en code(TRUE);
}其他{
回声json_en code(FALSE);
}
我很担心使用该脚本可以列出我的服务器或文件,我可能不希望他们知道,所以我已经使用DOCUMENT_ROOT和内容的人/包,以试图限制调用该目录,但我认为人们可以简单地使用../提供的路径中检查的替代品。
什么是使这一安全,最好限制到/包,以及是否有任何其他问题,我应该担心?最好的办法
编辑:在JavaScript / jQuery的一个例子电话:
如果(FILEEXISTS('/的index.php')){
警报('存在');
}其他{
警报(隐而不宣'T存在');
}
解决方案
这是我怎么过去处理它:
$ PATH =真实路径($ _ SERVER ['DOCUMENT_ROOT']'/包'$ _ GET ['路径']);
如果(strpos($路径,$ _ SERVER ['DOCUMENT_ROOT'])!== 0){
//它寻找到的文档根目录之外的路径
}
I have a function to check if a file exists via jQuery which makes a call to a PHP script which I'll use when changing certain images at the click of a button on my index page.
jQuery function:
function fileExists(path){
$.getJSON("/ajax/fileExists.php",{ path: path },
function (data){
return data.path;
});
}
fileExists.php:
$path=$_SERVER['DOCUMENT_ROOT'].'/packs'.$_GET['path'];
if(file_exists($path)){
echo json_encode(TRUE);
}else{
echo json_encode(FALSE);
}
I'm worried about people using this script to list the contents of my server or files which I may not want them to know about so I've used DOCUMENT_ROOT and /packs to try to limit calls to that directory but I think people can simply use ../ within the supplied path to check alternatives.
What is the best way to make this safe, ideally limit it to /packs, and are there any other concerns I should worry about?
Edit: an example call in javascript/jQuery:
if( fileExists('/index.php') ){
alert('Exists');
}else{
alert('Doesn't exist');
}
解决方案
This is how I've handled it in the past:
$path = realpath($_SERVER['DOCUMENT_ROOT'].'/packs'.$_GET['path']);
if (strpos($path, $_SERVER['DOCUMENT_ROOT']) !== 0) {
//It's looking to a path that is outside the document root
}
相关推荐
最新文章