The file system is very important for any website, and programmers are sparing no effort to protect their systems from infringement. Today we will explain to you the specific code examples of protecting the file system with PHP. There was once a Web site that leaked customer data stored in files on the Web server. A visitor to the Web site used the URL to view a file containing data. Although the file was misplaced, this example highlights the importance of protecting the file system from attackers.
<ol class="dp-xml">
<li class="alt">
<span><strong><font color="#006699"><span class="tag"><?</SPAN><SPAN class=tag-name>php</SPAN></FONT></STRONG><SPAN> </SPAN></SPAN><LI class=""><SPAN>if ($_POST['submit'] == 'Download') { </SPAN><LI class=alt><SPAN> $</SPAN><SPAN class=attribute><FONT color=#ff0000>file</FONT></SPAN><SPAN> = $_POST['fileName']; </SPAN></SPAN><LI class=""><SPAN> header("Content-Type: application/x-octet-stream"); </SPAN><LI class=alt><SPAN> header("Content-Transfer-Encoding: binary"); </SPAN><LI class=""><SPAN> header("Content-Disposition: attachment; </SPAN><SPAN class=attribute><FONT color=#ff0000>filename</FONT></SPAN><SPAN>="" . $file . "";" ); </SPAN></SPAN><LI class=alt><SPAN> $</SPAN><SPAN class=attribute><FONT color=#ff0000>fh</FONT></SPAN><SPAN> = </SPAN><SPAN class=attribute-value><FONT color=#0000ff>fopen</FONT></SPAN><SPAN>($file, 'r'); </SPAN></SPAN><LI class=""><SPAN> while (! feof($fh)) </SPAN><LI class=alt><SPAN> { </SPAN><LI class=""><SPAN> echo(fread($fh, 1024)); </SPAN><LI class=alt><SPAN> } </SPAN><LI class=""><SPAN> fclose($fh); </SPAN><LI class=alt><SPAN>} else { </SPAN><LI class=""><SPAN> echo("</SPAN><STRONG><FONT color=#006699><SPAN class=tag><</SPAN><SPAN class=tag-name>html</SPAN><SPAN class=tag>></span><span class="tag"><</SPAN><SPAN class=tag-name>head</SPAN><SPAN class=tag>></span><span class="tag"><</SPAN></FONT></STRONG><SPAN>"); </SPAN></SPAN><LI class=alt><SPAN> echo("title</SPAN><SPAN class=tag><STRONG><FONT color=#006699>></span></font></strong></span><span>Guard your filesystem</span><strong><font color="#006699"><span class="tag"></</SPAN><SPAN class=tag-name>title</SPAN><SPAN class=tag>></span><span class="tag"></</SPAN><SPAN class=tag-name>head</SPAN><SPAN class=tag>></span></font></strong><span>"); </span>
</li>
<li class="">
<span> echo("</span><strong><font color="#006699"><span class="tag"><</SPAN><SPAN class=tag-name>body</SPAN><SPAN class=tag>></span><span class="tag"><</SPAN><SPAN class=tag-name>form</SPAN></FONT></STRONG><SPAN> </SPAN><SPAN class=attribute><FONT color=#ff0000>id</FONT></SPAN><SPAN>="myFrom" </SPAN><SPAN class=attribute><FONT color=#ff0000>action</FONT></SPAN><SPAN>="" . $_SERVER['PHP_SELF'] . </SPAN></SPAN><LI class=alt><SPAN> "" </SPAN><SPAN class=attribute><FONT color=#ff0000>method</FONT></SPAN><SPAN>="post"</SPAN><SPAN class=tag><STRONG><FONT color=#006699>></span></font></strong><span>"); </span>
</li>
<li class="">
<span> echo("</span><strong><font color="#006699"><span class="tag"><</SPAN><SPAN class=tag-name>div</SPAN><SPAN class=tag>></span><span class="tag"><</SPAN><SPAN class=tag-name>input</SPAN></FONT></STRONG><SPAN> </SPAN><SPAN class=attribute><FONT color=#ff0000>type</FONT></SPAN><SPAN>="text" </SPAN><SPAN class=attribute><FONT color=#ff0000>name</FONT></SPAN><SPAN>="fileName" </SPAN><SPAN class=attribute><FONT color=#ff0000>value</FONT></SPAN><SPAN>=""); </SPAN></SPAN><LI class=alt><SPAN> echo(isset($_REQUEST['fileName']) ? $_REQUEST['fileName'] : ''); </SPAN><LI class=""><SPAN> echo("" </SPAN><SPAN class=tag><STRONG><FONT color=#006699>/></span></font></strong><span>"); </span>
</li>
<li class="alt">
<span> echo("</span><strong><font color="#006699"><span class="tag"><</SPAN><SPAN class=tag-name>input</SPAN></FONT></STRONG><SPAN> </SPAN><SPAN class=attribute><FONT color=#ff0000>type</FONT></SPAN><SPAN>="submit" </SPAN><SPAN class=attribute><FONT color=#ff0000>value</FONT></SPAN><SPAN>="Download" </SPAN><SPAN class=attribute><FONT color=#ff0000>name</FONT></SPAN><SPAN>="submit" </SPAN><STRONG><FONT color=#006699><SPAN class=tag>/></span><span class="tag"></</SPAN><SPAN class=tag-name>div</SPAN><SPAN class=tag>></span></font></strong><span>"); </span>
</li>
<li class="">
<span> echo("</span><strong><font color="#006699"><span class="tag"></</SPAN><SPAN class=tag-name>form</SPAN><SPAN class=tag>></span><span class="tag"></</SPAN><SPAN class=tag-name>body</SPAN><SPAN class=tag>></span><span class="tag"></</SPAN><SPAN class=tag-name>html</SPAN><SPAN class=tag>></span></font></strong><span>"); </span>
</li>
<li class="alt"><span>} </span></li>
</ol>As you can see, the more dangerous script in Listing 1 will Processes all files that the web server has read access to, including files in the session directory (see "Securing session data") and even some system files (such as /etc/passwd). For the PHP protected file system demonstration, this example uses a text box where the user can type the file name, but the file name can easily be provided in the query string.
Configuring user input and file system access at the same time is dangerous, so it is best to design your application to use a database and hide generated filenames to avoid simultaneous configuration. However, this doesn't always work. Listing 2 provides a sample routine for validating file names. It will use regular expressions to ensure that only valid characters are used in file names, and specifically checks for dot characters: ..
<ol class="dp-xml">
<li class="alt"><span><span>function isValidFileName($file) { </span></span></li>
<li class=""><span> /* don't allow .. and allow any "word" character / */ </span></li>
<li class="alt"><span> return preg_match('/^(((?:.)(?!.))|w)+$/', $file); </span></li>
<li class=""><span>} </span></li>
</ol>The above is what this article shares with you Specific code written for PHP protected file systems.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
