1
當我嘗試上傳出現以下錯誤的圖像:如果出於安全原因禁用了system()時如何複製文件?
錯誤消息: 警告:系統()已經爲H中安全原因被禁用:\ ROOT \家庭\文件夾-001 \ WWW \ MYSITE \廣告\功能\ func_add.php
我的代碼:
<?
if(1>2){
?>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />
<?
}
?>
<?
function ImageNameCorrection($str){
$myCheck = array(" ","ç", "Ç", "İ","i","Ş","ş","Ö","ö","Ü","ü","Ğ","ğ");
$myReplace = array("","c", "C", "I","i","S","s","O","o","U","u","G","g");
$newStr = str_replace($myCheck, $myReplace, $str);
return $newStr;
}
function Db_Add_Main($TbID){
include "general/gen_tb_str.php";
include "database/dbconnection.php";
include_once "function/func_general.php";
$sql_Text = "insert into $TableName[$TbID] (";
for($FiledCount=1;$FiledCount<count($TableField[$TbID]);$FiledCount++){
$sql_Text = $sql_Text.$TableField[$TbID][$FiledCount];
if($FiledCount+1<>count($TableField[$TbID])){
$sql_Text = $sql_Text.', ';
}
}
$sql_Text = $sql_Text.') values(';
for($FiledCount=1;$FiledCount<count($TableField[$TbID]);$FiledCount++){
$CrSql_Text_Addition = Str_Correction($_POST[$TableField[$TbID][$FiledCount]]);
$sql_Text = $sql_Text."'".$CrSql_Text_Addition."'";
if($FiledCount+1<>count($TableField[$TbID])){
$sql_Text = $sql_Text.', ';
}
}
$sql_Text = $sql_Text.")";
//echo $sql_Text;
if($sql_Quary = mysql_db_query($db, $sql_Text, $baglanti)){
return true;
}else{
return false;
}
}
function Db_Add_Image_File($i){
include "database/dbconnection.php";
include "common.php";
$Return_Text = "";
$MyDate = date("Y-m-d");
$_FILES['imagefile'.$i]['name']=Str_Correction_Tr($_FILES['imagefile'.$i]['name']);
$_FILES['imagefile'.$i]['name']=Str_Correction_Space($_FILES['imagefile'.$i]['name'],"");
$upfile="/www/hostings/konline/MYSITEFTP/MYSITE.com/www/html/ad/".$Image_Dir.$_POST['ContentID'].$_FILES['imagefile'.$i]['name'];
//$upfile="C:/php521/apache2/htdocs/MYSITE.com/www/html/ad/".$Image_Dir.$_POST['ContentID'].$_FILES['imagefile'.$i]['name'];
if($upfile<>$Image_Dir){
$Up_Big_Image = $_POST['ContentID'].$_FILES['imagefile'.$i]['name'];
$ImageDesc=$_POST['ImageDesc'.$i];
$ImageRecOrder=$_POST['RecOrder'.$i];
//if($_FILES['imagefile'.$i]['type'] == "image/pjpeg" || $_FILES['imagefile'.$i]['type'] == "image/gif"){
if($_FILES['imagefile'.$i]['size']/1024 <= $File_Max_Size){
$src_f = $_FILES['imagefile'.$i]['tmp_name'];
system("cp $src_f $upfile");
//if(copy($_FILES['imagefile'.$i]['tmp_name'],$upfile)){
if(file_exists($upfile)){
//copy($_FILES['imagefile'.$i]['tmp_name'],$upfile);
$Return_Text = $upfile." -- ".$_FILES['imagefile'.$i]['tmp_name']." - "."Image $i Succesfully Uploaded..";
// Note where 'Get' and 'request' tags are in the XML
$sql_Text = "insert into ContentImages (ImageName, ImageDate,ImageDescription,ContentID,RecOrder) values ('$Up_Big_Image','$MyDate','$ImageDesc','$_POST[ContentID]','$ImageRecOrder');";
//echo $i."<br>";
$sql_Query = mysql_db_query($db, $sql_Text, $baglanti);
}else{
//$Return_Text ="<b>Error..</b>Invalid Operation.. Please Try Again"." - ".$_FILES['imagefile'.$i]['tmp_name']."<br>";
}
}else{
$Return_Text ="<b>Error...</b> Exceed Maximum File Size. Please Upload Maximum $File_Max_Size k Image Files";
}
//}else{
//$Return_Text = "<b>Error...</b> Invalid File Type.Please Upload only 'jpg' or 'gif' Files";
//}
}else{
$Return_Text = "Do Not Selected Any File for Image $i";
}
return $Return_Text;
}
function Db_Add_Image_Slide($i){
include "database/dbconnection.php";
include "common.php";
$Return_Text = "";
$MyDate = date("Y-m-d");
$_FILES['imagefile'.$i]['name']=Str_Correction_Tr($_FILES['imagefile'.$i]['name']);
$_FILES['imagefile'.$i]['name']=Str_Correction_Space($_FILES['imagefile'.$i]['name'],"");
$upfile=$Image_Dir."IS_".$_FILES['imagefile'.$i]['name'];
//$upfile="C:/php521/apache2/htdocs/MYSITE.com/www/html/ad/".$Image_Dir."IS_".$_FILES['imagefile'.$i]['name'];
$upfile="/www/hostings/konline/MYSITE9ftp/MYSITE.com/www/html/ad/".$Image_Dir."IS_".$_FILES['imagefile'.$i]['name'];
if($upfile<>$Image_Dir){
$Up_Big_Image = "IS_".$_FILES['imagefile'.$i]['name'];
// echo $Up_Big_Image;
$ImageDesc=$_POST['ImageDesc'.$i];
$ImageRecOrder=$_POST['RecOrder'.$i];
//if($_FILES['imagefile'.$i]['type'] == "image/pjpeg" || $_FILES['imagefile'.$i]['type'] == "image/gif"){
if ($_FILES['imagefile'.$i]['size']/1024 <= $File_Max_Size) {
// echo $_FILES['imagefile'.$i]['tmp_name']."----".$upfile;
// if(copy($_FILES['imagefile'.$i]['tmp_name'],$upfile)){
$src_f = $_FILES['imagefile'.$i]['tmp_name'];
system("cp $src_f $upfile");
if(file_exists($upfile)){
$sql_Text = "insert into ImageSlide (ImageName, ImageDate,ImageDescription,ContentID,RecOrder,ImageText,ImageLink) values ('$Up_Big_Image','$MyDate','$ImageDesc','$_POST[ContentID]','$ImageRecOrder','','');";
//echo $sql_Text;
$sql_Query = mysql_db_query($db, $sql_Text, $baglanti);
$Return_Text = "Image $i Succesfully Uploaded..";
}else{
$Return_Text ="<b>Error..</b>Invalid Operation.. Please Try Again";
}
}else{
$Return_Text ="<b>Error...</b> Exceed Maximum File Size. Please Upload Maximum $File_Max_Size k Image Files";
}
//}else{
//$Return_Text = "<b>Error...</b> Invalid File Type.Please Upload only 'jpg' or 'gif' Files";
//}
}else{
$Return_Text = "Do Not Selected Any File for Image $i";
}
return $Return_Text;
}
function Db_Add_File($id){
include "database/dbconnection.php";
include_once "function/func_general.php";
include "common.php";
$Return_Text = "";
$MyDate = date("Y-m-d");
$upfile=$Image_Dir.$id."_".$_POST['FileCategory'].ImageNameCorrection($_FILES['FileName']['name']);
if($upfile<>$Image_Dir){
$Up_Big_Image = $id."_".$_POST['FileCategory'].ImageNameCorrection($_FILES['FileName']['name']);
if($_FILES['FileName']['size']/1024 <= $File_Max_Size2){
if(copy($_FILES['FileName']['tmp_name'],$upfile)){
$sql_Text = "insert into ContentFile (ReservationMasterID, FileName, FileCategory, FileDescription, FileDate) values ('$_POST[ReservationMasterID]','$Up_Big_Image','$_POST[FileCategory]','$_POST[FileDescription]','$_POST[FileDate]');";
$sql_Query = mysql_db_query($db, $sql_Text, $baglanti);
$Return_Text = "Image $i Succesfully Uploaded..";
}else{
$Return_Text ="<b>Error..</b>Invalid Operation.. Please Try Again";
}
}else{
$Return_Text ="<b>Error...</b> Exceed Maximum File Size. Please Upload Maximum $File_Max_Size k Image Files";
}
}else{
$Return_Text = "Do Not Selected Any File for Image $i";
}
return $Return_Text;
}
function add_HotelPrice($HotelID,$RoomID,$BoardBasisID){
include "database/dbconnection.php";
include "common.php";
$RoomPriceAdd_SqlText = "insert into RoomPrice (
RoomID,
RoomHotelID,
RoomBoardBasis,
PriceStartDate,
PriceFinishDate,
Price,
ProfitMargin
) values (
'$RoomID',
'$HotelID',
'$BoardBasisID',
'$_POST[PriceStartDate]',
'$_POST[PriceFinishDate]',
'$_POST[Price]',
'$_POST[ProfitMargin]'
)";
$RoomPriceAdd_Query = mysql_db_query($db, $RoomPriceAdd_SqlText, $baglanti) or die("Sorgu hatali3");
}
function add_HotelAvailability($HotelID,$RoomID,$BoardBasisID){
include "database/dbconnection.php";
include "common.php";
$RoomPriceAdd_SqlText = "insert into RoomAvailability (
RoomID,
RoomHotelID,
RoomBoardBasis,
PriceStartDate,
PriceFinishDate,
Price,
ProfitMargin
) values (
'$RoomID',
'$HotelID',
'$BoardBasisID',
'$_POST[PriceStartDate]',
'$_POST[PriceFinishDate]',
'$_POST[Price]',
'$_POST[ProfitMargin]'
)";
$RoomPriceAdd_Query = mysql_db_query($db, $RoomPriceAdd_SqlText, $baglanti) or die("Sorgu hatali3");
}
?>
我的託管公司建議:
出於安全考慮,系統功能在共享託管服務器上被阻止。請讓您的開發人員使用另一種方式來上傳文件。
我沒有編碼知識,所以你的幫助非常感謝。
我有這樣的代碼中的common.php文件
<?
$PageTitle = "MySite";
$Default_Per_Upload_Image_Count = 6;
$Image_Dir = "PrImage/";
$Image_DirThumb = "Thmb_Image/";
$Image_Dir2 = "images/PrImage/";
$File_Max_Size = 5120;
$File_Max_Size2 = 10240;
$cm_WebSiteAddress = "http://master/cc/";
?>
你正在將用戶輸入添加到文件名中而不會轉義或者檢查是否有'..'目錄正在爬行,值得在這裏添加一些檢查以防你的代碼導致用戶在你的服務器上讀取一個祕密文件,或者覆蓋一個有價值的文件 – halfer