But according to the PHP manual, this feature was shut down for safety reasons starting with PHP 5.5; the curl_file_create() function is to be used instead (reference: PHP Manual, curl_file_create). The reason is very simple: curl cannot tell whether you really want to upload a file or whether the input string merely happens to begin with an @ character. If you wrote a program that uploads data with a curl POST and lets the user fill in the data fields, an attacker can deliberately enter @/etc/passwd, and curl will send the host's list of accounts out.
Take the following code as an example. You designed field1 as a string field that lets users enter text such as hello world. If an attacker seizes on this and deliberately enters @/etc/passwd, curl will think a file is to be uploaded, try to read /etc/passwd and send its content.

    // Pre-5.5 behaviour: a value beginning with '@' is treated as a file path to upload.
    $fields = array('field1' => $input_string);   // $input_string comes straight from the user
    $opts   = array(CURLOPT_POST => true, CURLOPT_POSTFIELDS => $fields);
    curl_setopt_array($hr, $opts);
To fix this security issue, PHP 5.5 and later close the file upload shortcut (a configuration item can turn the feature back on, but for safety reasons I do not recommend it). If you want to upload a form that contains a file-type field, the designer must explicitly use the curl_file_create() function to handle that field. Of course, the designer still has to check that the file path is safe. Fortunately, the adjustment is very easy to make:

    $fields = array(
        // 'field1' => '@' . $file_path,          // INSECURE
        'field1' => curl_file_create($file_path),  // Good!
    );
    $opts = array(CURLOPT_POST => true, CURLOPT_POSTFIELDS => $fields);
    curl_setopt_array($hr, $opts);
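The post says the file path must still be checked; the helper below is an added example (not code from the original post) that does that check and also pins the curl option explicitly. It assumes a hypothetical upload directory $upload_dir as the only place files may be read from, an existing curl handle $ch, and, on PHP older than 5.5, the curl_file_create() replacement shown later in the post.

```php
<?php
// Added example: a hardened wrapper around CURLOPT_POSTFIELDS.
// $upload_dir (hypothetical) is the only directory uploads may come from.
function curl_post_fields_safely($ch, $upload_dir, array $text_fields, array $file_fields)
{
    if (defined('CURLOPT_SAFE_UPLOAD')) {
        // PHP >= 5.5: disable the legacy '@' shortcut explicitly instead of
        // relying on the default, which differs between 5.5 and 5.6.
        curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true);
    } else {
        // Older builds: a leading '@' is still magic, so a text field must never start with it.
        foreach ($text_fields as $name => $value) {
            if (is_string($value) && isset($value[0]) && $value[0] === '@') {
                throw new InvalidArgumentException("field '$name' may not begin with '@'");
            }
        }
    }

    $base = realpath($upload_dir);
    if ($base === false) {
        throw new RuntimeException('upload directory does not exist');
    }

    $fields = $text_fields;
    foreach ($file_fields as $name => $path) {
        // Resolve symlinks and '..' before comparing against the allowed directory,
        // so '/etc/passwd' or '../../etc/passwd' is rejected here, never read.
        $real = realpath($path);
        if ($real === false
            || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0
            || !is_file($real)) {
            throw new RuntimeException("file for '$name' is outside the upload directory");
        }
        // Only a vetted path becomes a file part; the '@' string is never built by hand.
        $fields[$name] = curl_file_create($real, 'application/octet-stream', basename($real));
    }

    curl_setopt_array($ch, array(
        CURLOPT_POST       => true,
        CURLOPT_POSTFIELDS => $fields,
    ));
    return $fields;
}

// Usage (constructed values): the text field is sent as literal text, and the
// file field is accepted only if it resolves inside $upload_dir.
// $ch = curl_init('https://upload.example.test/');
// curl_post_fields_safely($ch, '/var/app/uploads',
//     array('field1' => '@/etc/passwd'),      // stays a plain string, or is rejected on old PHP
//     array('attachment' => '/var/app/uploads/report.pdf'));
```

The realpath() comparison is the piece the post leaves to the reader: checking the string the user typed is not enough, because a symlink or a ".." segment inside the upload directory can still point elsewhere, so the resolved path is what gets compared.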
For users still on PHP 5.4 and earlier, here is a lazy alternative shared by other users: add the following definition, which builds the old-style "@path;filename=...;type=..." string under the new function name.

    # For PHP < 5.5:
    # See also: http://php.net/manual/en/function.curl-file-create.php
    if (!function_exists('curl_file_create')) {
        function curl_file_create($filename, $mimetype = '', $postname = '')
        {
            return "@$filename;filename="
                . ($postname ?: basename($filename))
                . ($mimetype ? ";type=$mimetype" : '');
        }
    }
Finally, here is a version that does not go through curl at all, using PHP streams in the following do_post_request() function. Because file contents are passed explicitly in $files, there is no "@" prefix to interpret and no ambiguity.

    function do_post_request($url, $postdata = false, $files = false)
    {
        $eol = "\r\n";
        $data = '';
        $mime_boundary = md5(time());

        // Collect Postdata: every part starts with its own boundary line.
        if ($postdata) {
            foreach ($postdata as $key => $val) {
                $data .= '--' . $mime_boundary . $eol;
                $data .= 'Content-Disposition: form-data; name="' . $key . '"' . $eol . $eol;
                $data .= $val . $eol;
            }
        }

        // Collect file parts: $files maps the field name to the raw file content.
        if ($files) {
            foreach ($files as $key => $content) {
                $data .= '--' . $mime_boundary . $eol;
                $data .= 'Content-Disposition: form-data; name="' . $key . '"; filename="' . $key . '"' . $eol;
                $data .= 'Content-Type: application/octet-stream' . $eol;
                $data .= 'Content-Transfer-Encoding: binary' . $eol . $eol;
                $data .= $content . $eol;
            }
        }

        // Closing boundary; finish with two eol's!!
        $data .= '--' . $mime_boundary . '--' . $eol . $eol;

        $params = array('http' => array(
            'method'  => 'POST',
            'header'  => 'Content-Type: multipart/form-data; boundary=' . $mime_boundary,
            'content' => $data,
        ));
        $ctx = stream_context_create($params);
        $response = file_get_contents($url, false, $ctx);
        return $response;
    }