Detailed explanation of file_put_contents function in PHP

file_put_contents() function writes a string to a file. Recently, I discovered that the file_put_contents function has problems that I have never noticed, so the following article mainly introduces relevant information about the dangerous file_put_contents function in PHP. Friends in need can refer to it. Let’s take a look together.

Preface

Recently I encountered a file upload question on EIS and found that filtering < basically made many gestures invalid. , I haven’t solved this problem after thinking about it for a long time. It was only after the game that I found out that I could use an array to get around it. The principle is analyzed here. Without further ado, let’s take a look at the detailed introduction.

Let’s take a look at the official website definition of the second parameter data of the file_put_contents function:

data
要写入的数据。类型可以是 string，array 或者是 stream 资源（如上面所说的那样）。
 
如果 data 指定为 stream 资源，这里 stream 中所保存的缓存数据将被写入到指定文件中，这种用法就相似于使用 stream_copy_to_stream() 函数。
 
参数 data 可以是数组（但不能为多维数组），这就相当于 file_put_contents($filename, join('', $array))。

As you can see, data The parameter can be an array, which will be automatically join('',$array)converted into a string

When this function accesses the file, it follows the following rules:

• If FILE_USE_INCLUDE_PATH is set, then the built-in path for a copy of *filename* will be checked

• If the file does not exist, a file will be created

• Open the file

• If LOCK_EX is set, the file will be locked

• If set FILE_APPEND, then it will be moved to the end of the file. Otherwise, the contents of the file will be cleared

• Write data to the file

• Close the file and unlock all files

• If successful, this function returns the number of characters written to the file. On failure, False is returned.

But our string filtering function generally uses the preg_match function to filter, such as:

if(preg_match(&#39;/\</&#39;,$data)){
 die(&#39;hack&#39;);
}

We know that many functions that process strings will error and return NULL if an array is passed in, such as strcmp, strlen, md5, etc., but the preg_match function returns false when an error occurs. Here we can pass var_dump(preg_match('/ \</',$data)); To verify, in this case, the regular filtering of preg_match will be invalid

Therefore, I guess the file upload code is written like this

<?php 
 
if(isset($_POST[&#39;content&#39;]) && isset($_POST[&#39;ext&#39;])){
 $data = $_POST[&#39;content&#39;];
 $ext = $_POST[&#39;ext&#39;];
 
 //var_dump(preg_match(&#39;/\</&#39;,$data));
 if(preg_match(&#39;/\</&#39;,$data)){
  die(&#39;hack&#39;);
 }
 $filename = time();
 file_put_contents($filename.$ext, $data);
}
 
?>

So we can pass in content[]=<?php phpinfo();?>&ext=php This way To bypass

Fix method

The repair method is to use the fwrite function to replace the dangerous file_put_contents function. The fwrite function can only pass Enter a string. If it is an array, an error will occur and false will be returned.

<?php 
 
if(isset($_POST[&#39;content&#39;]) && isset($_POST[&#39;ext&#39;])){
 $data = $_POST[&#39;content&#39;];
 $ext = $_POST[&#39;ext&#39;];
 
 //var_dump(preg_match(&#39;/\</&#39;,$data));
 if(preg_match(&#39;/\</&#39;,$data)){
  die(&#39;hack&#39;);
 }
 $filename = time();
 // file_put_contents($filename.$ext, $data);
 $f = fopen($filename.$ext);
 var_dump(fwrite($f,$data));
}
 
?>

Related recommendations:

Detailed introduction and usage of file_put_contents function

How to use file_put_contents function in PHP

Detailed explanation of file_put_contents function in PHP

The above is the detailed content of Detailed explanation of file_put_contents function in PHP. For more information, please follow other related articles on the PHP Chinese website!