How to use file_put_contents function in PHP

This time I will show you how to use the file_put_contents function in PHP. What are the precautions when using the file_put_contents function in PHP? Here are practical cases, let’s take a look.

Recently, I encountered a question on File Upload on EIS. I found that filtering < basically made many gestures invalid. I thought about it for a long time but didn’t solve this question. After the game, I found out that I was using arrays to solve the problem. However, the principle is analyzed here. Not much to say, let’s take a look at the detailed introduction.

Let’s take a look at the official website definition of the second parameter data of the file_put_contents function:

data
要写入的数据。类型可以是 string，array 或者是 stream 资源（如上面所说的那样）。
 
如果 data 指定为 stream 资源，这里 stream 中所保存的缓存数据将被写入到指定文件中，这种用法就相似于使用 stream_copy_to_stream() 函数。
 
参数 data 可以是数组（但不能为多维数组），这就相当于 file_put_contents($filename, join('', $array))。

As you can see, the data parameter can be an array, which will be automatically join('',$array)converted into a string

When this function accesses files, it follows the following rules:

• If FILE_USE_INCLUDE_PATH is set, then the built-in path for a copy of *filename* will be checked

• If the file does not exist, a file will be created

• Open the file

• If LOCK_EX is set, the file will be locked

• If FILE_APPEND is set, it will be moved to the end of the file. Otherwise, the contents of the file will be cleared

• Write data to the file

• Close the file and unlock all files

• If successful, this function returns the number of characters written to the file. On failure, False is returned.

But our string filtering function generally uses the preg_match function to filter, such as:

if(preg_match(&#39;/\</&#39;,$data)){
 die(&#39;hack&#39;);
}

We know that many functions that process strings will return NULL if an array is passed in, such as strcmp, strlen, md5, etc. But the preg_match function returns false if an error occurs. Here we can pass var_dump(preg_match('/</' ,$data)); To verify, in this case, the regular filtering of preg_match will be invalid

Therefore, I guess the file upload code is written like this

<?php 
 
if(isset($_POST[&#39;content&#39;]) && isset($_POST[&#39;ext&#39;])){
 $data = $_POST[&#39;content&#39;];
 $ext = $_POST[&#39;ext&#39;];
 
 //var_dump(preg_match(&#39;/\</&#39;,$data));
 if(preg_match(&#39;/\</&#39;,$data)){
  die(&#39;hack&#39;);
 }
 $filename = time();
 file_put_contents($filename.$ext, $data);
}
 
?></p>
<p style="text-align: left;">
So we can pass in <code>content[]=<?php phpinfo();?>&ext=php </code> to bypass </p>
<p style="text-align: left;">
<span style="color:#ff0000;"><strong>Repair method</strong></span></p>
<p style="text-align: left;">
The fix is ​​to use the fwrite function to replace the dangerous file_put_contents function. The fwrite function can only pass in strings. If it is an array, it will error and return false</p>
<pre class="brush:php;toolbar:false"><?php 
 
if(isset($_POST[&#39;content&#39;]) && isset($_POST[&#39;ext&#39;])){
 $data = $_POST[&#39;content&#39;];
 $ext = $_POST[&#39;ext&#39;];
 
 //var_dump(preg_match(&#39;/\</&#39;,$data));
 if(preg_match(&#39;/\</&#39;,$data)){
  die(&#39;hack&#39;);
 }
 $filename = time();
 // file_put_contents($filename.$ext, $data);
 $f = fopen($filename.$ext);
 var_dump(fwrite($f,$data));
}
 
?>

I believe you have mastered the method after reading the case in this article. More exciting Please pay attention to other related articles on php Chinese website!

Recommended reading:

The above is the detailed content of How to use file_put_contents function in PHP. For more information, please follow other related articles on the PHP Chinese website!