How do I copy a file when system() is disabled for security reasons?

Time: 2014-04-21 16:37:32

Tags: php file security upload substitution

When I try to upload an image, the following error occurs:

  Error message: Warning: system() has been disabled for security reasons in H:\root\home\folder-001\www\MYSITE\ad\function\func_add.php

My code:

<?
if(1>2){
?>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9" />
<?
}
?>
<?

function ImageNameCorrection($str){
$myCheck = array(" ","ç", "Ç", "İ","i","Ş","ş","Ö","ö","Ü","ü","Ğ","ğ");
$myReplace   = array("","c", "C", "I","i","S","s","O","o","U","u","G","g");
$newStr = str_replace($myCheck, $myReplace, $str);
return $newStr;
}


function Db_Add_Main($TbID){
include "general/gen_tb_str.php";
include "database/dbconnection.php";
 include_once "function/func_general.php";
  $sql_Text = "insert into $TableName[$TbID] (";
  for($FiledCount=1;$FiledCount<count($TableField[$TbID]);$FiledCount++ ){
    $sql_Text = $sql_Text.$TableField[$TbID][$FiledCount];
    if($FiledCount+1<>count($TableField[$TbID])){
      $sql_Text = $sql_Text.', ';
   }
  }
  $sql_Text = $sql_Text.') values(';
  for($FiledCount=1;$FiledCount<count($TableField[$TbID]);$FiledCount++ ){
    $CrSql_Text_Addition = Str_Correction($_POST[$TableField[$TbID][$FiledCount]]);
    $sql_Text = $sql_Text."'".$CrSql_Text_Addition."'";
    if($FiledCount+1<>count($TableField[$TbID])){
      $sql_Text = $sql_Text.', ';
    }
  }

  $sql_Text = $sql_Text.")";
  //echo $sql_Text;
  if($sql_Quary = mysql_db_query($db, $sql_Text, $baglanti)){
    return true; 
  }else{
     return false;
  }

}

function Db_Add_Image_File($i){
  include "database/dbconnection.php";
  include "common.php";
  $Return_Text = "";
  $MyDate = date("Y-m-d");
  $_FILES['imagefile'.$i]['name']=Str_Correction_Tr($_FILES['imagefile'.$i]['name']);
  $_FILES['imagefile'.$i]['name']=Str_Correction_Space($_FILES['imagefile'.$i]['name'],"");
  $upfile="/www/hostings/konline/MYSITEFTP/MYSITE.com/www/html/ad/".$Image_Dir.$_POST['ContentID'].$_FILES['imagefile'.$i]['name'];
  //$upfile="C:/php521/apache2/htdocs/MYSITE.com/www/html/ad/".$Image_Dir.$_POST['ContentID'].$_FILES['imagefile'.$i]['name'];
    if($upfile<>$Image_Dir){
      $Up_Big_Image = $_POST['ContentID'].$_FILES['imagefile'.$i]['name'];
      $ImageDesc=$_POST['ImageDesc'.$i];
      $ImageRecOrder=$_POST['RecOrder'.$i];
      //if($_FILES['imagefile'.$i]['type'] == "image/pjpeg" || $_FILES['imagefile'.$i]['type'] == "image/gif"){
        if($_FILES['imagefile'.$i]['size']/1024 <= $File_Max_Size){
         $src_f = $_FILES['imagefile'.$i]['tmp_name'];
            system("cp $src_f $upfile"); // shell copy of the upload: fails where system() is disabled, and $upfile embeds the client-supplied filename unescaped

          //if(copy($_FILES['imagefile'.$i]['tmp_name'],$upfile)){  
          if(file_exists($upfile)){      


//copy($_FILES['imagefile'.$i]['tmp_name'],$upfile);
$Return_Text = $upfile." -- ".$_FILES['imagefile'.$i]['tmp_name']." - "."Image $i Successfully Uploaded..";

    // Note where 'Get' and 'request' tags are in the XML


            $sql_Text = "insert into ContentImages (ImageName, ImageDate,ImageDescription,ContentID,RecOrder) values ('$Up_Big_Image','$MyDate','$ImageDesc','$_POST[ContentID]','$ImageRecOrder');";             
            //echo $i."<br>";
            $sql_Query = mysql_db_query($db, $sql_Text, $baglanti);

          }else{
           //$Return_Text ="<b>Error..</b>Invalid Operation.. Please Try Again"." - ".$_FILES['imagefile'.$i]['tmp_name']."<br>";
          }
        }else{
          $Return_Text ="<b>Error...</b> Exceed Maximum File Size. Please Upload Maximum $File_Max_Size k Image Files";
        }
      //}else{
        //$Return_Text = "<b>Error...</b> Invalid File Type.Please Upload only 'jpg' or 'gif' Files";
      //}
    }else{
      $Return_Text = "No File Selected for Image $i";
    }

  return  $Return_Text;
}


function Db_Add_Image_Slide($i){
  include "database/dbconnection.php";
  include "common.php";
  $Return_Text = "";
  $MyDate = date("Y-m-d");
  $_FILES['imagefile'.$i]['name']=Str_Correction_Tr($_FILES['imagefile'.$i]['name']);
  $_FILES['imagefile'.$i]['name']=Str_Correction_Space($_FILES['imagefile'.$i]['name'],"");
  $upfile=$Image_Dir."IS_".$_FILES['imagefile'.$i]['name'];
  //$upfile="C:/php521/apache2/htdocs/MYSITE.com/www/html/ad/".$Image_Dir."IS_".$_FILES['imagefile'.$i]['name'];
  $upfile="/www/hostings/konline/MYSITE9ftp/MYSITE.com/www/html/ad/".$Image_Dir."IS_".$_FILES['imagefile'.$i]['name'];
    if($upfile<>$Image_Dir){
      $Up_Big_Image = "IS_".$_FILES['imagefile'.$i]['name'];
    //  echo   $Up_Big_Image;
      $ImageDesc=$_POST['ImageDesc'.$i];
      $ImageRecOrder=$_POST['RecOrder'.$i];
      //if($_FILES['imagefile'.$i]['type'] == "image/pjpeg" || $_FILES['imagefile'.$i]['type'] == "image/gif"){

        if ($_FILES['imagefile'.$i]['size']/1024 <= $File_Max_Size) {
           // echo $_FILES['imagefile'.$i]['tmp_name']."----".$upfile;
         // if(copy($_FILES['imagefile'.$i]['tmp_name'],$upfile)){  
         $src_f = $_FILES['imagefile'.$i]['tmp_name'];
            system("cp $src_f $upfile"); // same shell copy as in Db_Add_Image_File(): fails where system() is disabled

         if( file_exists($upfile)){    
            $sql_Text = "insert into ImageSlide (ImageName, ImageDate,ImageDescription,ContentID,RecOrder,ImageText,ImageLink) values ('$Up_Big_Image','$MyDate','$ImageDesc','$_POST[ContentID]','$ImageRecOrder','','');";              
           //echo $sql_Text;
            $sql_Query = mysql_db_query($db, $sql_Text, $baglanti);
            $Return_Text = "Image $i Successfully Uploaded..";
          }else{
           $Return_Text ="<b>Error..</b>Invalid Operation.. Please Try Again";
          }
        }else{
          $Return_Text ="<b>Error...</b> Exceed Maximum File Size. Please Upload Maximum $File_Max_Size k Image Files";
        }
      //}else{
        //$Return_Text = "<b>Error...</b> Invalid File Type.Please Upload only 'jpg' or 'gif' Files";
      //}
    }else{
      $Return_Text = "No File Selected for Image $i";
    }

  return  $Return_Text;
}


function Db_Add_File($id){
  include "database/dbconnection.php";
  include_once "function/func_general.php";
  include "common.php";
  $Return_Text = "";
  $MyDate = date("Y-m-d");
  $upfile=$Image_Dir.$id."_".$_POST['FileCategory'].ImageNameCorrection($_FILES['FileName']['name']);
    if($upfile<>$Image_Dir){
      $Up_Big_Image = $id."_".$_POST['FileCategory'].ImageNameCorrection($_FILES['FileName']['name']);
        if($_FILES['FileName']['size']/1024 <= $File_Max_Size2){
          if(copy($_FILES['FileName']['tmp_name'],$upfile)){        
            $sql_Text = "insert into ContentFile (ReservationMasterID, FileName, FileCategory, FileDescription, FileDate) values ('$_POST[ReservationMasterID]','$Up_Big_Image','$_POST[FileCategory]','$_POST[FileDescription]','$_POST[FileDate]');";               
            $sql_Query = mysql_db_query($db, $sql_Text, $baglanti);
            $Return_Text = "Image $i Successfully Uploaded..";
          }else{
           $Return_Text ="<b>Error..</b>Invalid Operation.. Please Try Again";
          }
        }else{
          $Return_Text ="<b>Error...</b> Exceed Maximum File Size. Please Upload Maximum $File_Max_Size k Image Files";
        }
    }else{
      $Return_Text = "No File Selected for Image $i";
    }
  return  $Return_Text;
}




function add_HotelPrice($HotelID,$RoomID,$BoardBasisID){
  include "database/dbconnection.php";
  include "common.php";
        $RoomPriceAdd_SqlText = "insert into RoomPrice (
        RoomID,
        RoomHotelID,
        RoomBoardBasis,         
        PriceStartDate,
        PriceFinishDate,
        Price,
        ProfitMargin
        ) values (
        '$RoomID',
        '$HotelID',
        '$BoardBasisID',
        '$_POST[PriceStartDate]',
        '$_POST[PriceFinishDate]',
        '$_POST[Price]',
        '$_POST[ProfitMargin]'
        )";
        $RoomPriceAdd_Query = mysql_db_query($db, $RoomPriceAdd_SqlText, $baglanti) or die("Sorgu hatali3");

}

function add_HotelAvailability($HotelID,$RoomID,$BoardBasisID){
  include "database/dbconnection.php";
  include "common.php";
        $RoomPriceAdd_SqlText = "insert into RoomAvailability (
        RoomID,
        RoomHotelID,
        RoomBoardBasis,         
        PriceStartDate,
        PriceFinishDate,
        Price,
        ProfitMargin
        ) values (
        '$RoomID',
        '$HotelID',
        '$BoardBasisID',
        '$_POST[PriceStartDate]',
        '$_POST[PriceFinishDate]',
        '$_POST[Price]',
        '$_POST[ProfitMargin]'
        )";
        $RoomPriceAdd_Query = mysql_db_query($db, $RoomPriceAdd_SqlText, $baglanti) or die("Sorgu hatali3");

}



?>

My hosting company suggested:

  For security reasons, system functions are blocked on our shared hosting servers. Please have your developer use another method to upload files.

I have no coding knowledge, so your help is very much appreciated.

I have this code in the common.php file:

<?
$PageTitle = "MySite";

  $Default_Per_Upload_Image_Count = 6;
  $Image_Dir = "PrImage/";
  $Image_DirThumb = "Thmb_Image/";
  $Image_Dir2 = "images/PrImage/";
  $File_Max_Size = 5120;
  $File_Max_Size2 = 10240;
  $cm_WebSiteAddress = "http://master/cc/";
?>

2 answers:

Answer 0 (score: 3)

You are issuing a system call to copy the file:

system("cp $src_f $upfile");

PHP is perfectly capable of copying files by itself. The function is called copy().

Reference
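As an added example (not code from this answer or from the asker's site), here is how Db_Add_Image_File() can be rewritten without system(): move_uploaded_file() performs the copy, and the file is validated before it is stored. Beyond the disabled function, the posted code builds both the shell command and the destination path from $_FILES[...]['name'] and $_POST['ContentID'], and interpolates $_POST values straight into SQL, so the example also generates the stored filename itself and binds the INSERT parameters. Assumptions: PHP 7 or later, $Image_Dir and $File_Max_Size (in KB) taken from common.php as in the question, and a PDO connection $pdo standing in for mysql_db_query() with the original $db/$baglanti.

```php
<?php
// Added example replacing Db_Add_Image_File(); not code from the original post.
// Assumed: $Image_Dir and $File_Max_Size (KB) from common.php as in the question,
// and an assumed PDO connection $pdo in place of mysql_db_query().

declare(strict_types=1);

/**
 * Store one uploaded image and return the name it was saved under.
 * Throws RuntimeException with a user-safe message on any failure.
 */
function storeUploadedImage(array $file, string $imageDir, int $maxKb): string
{
    // 1. Reject anything PHP itself flagged (no file, partial upload, ini size limit).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('No file was uploaded or the upload failed.');
    }
    // 2. Size check in bytes, same limit the original expressed in KB.
    if ($file['size'] > $maxKb * 1024) {
        throw new RuntimeException("File exceeds the {$maxKb} KB limit.");
    }
    // 3. Only accept a path that really came from this HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload source.');
    }
    // 4. Sniff the real content type; the client-supplied 'type' field is not trusted.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted.');
    }
    // 5. Choose the stored name ourselves. The original filename may contain "../",
    //    shell metacharacters or a ".php" extension, so it is never reused.
    $storedName = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $target     = rtrim($imageDir, '/') . '/' . $storedName;

    // 6. move_uploaded_file() needs no shell and refuses non-upload sources;
    //    copy() would also work here but skips that extra check.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not save the uploaded file.');
    }
    return $storedName;
}

/**
 * Equivalent of the INSERT in Db_Add_Image_File(), with bound parameters
 * instead of $_POST values interpolated into the SQL string.
 */
function recordImage(PDO $pdo, string $storedName, int $contentId, string $desc, int $order): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO ContentImages (ImageName, ImageDate, ImageDescription, ContentID, RecOrder)
         VALUES (:name, CURDATE(), :desc, :cid, :ord)'
    );
    $stmt->execute([
        ':name' => $storedName,
        ':desc' => $desc,
        ':cid'  => $contentId,
        ':ord'  => $order,
    ]);
}

// Usage, mirroring the imagefile1..N loop index $i in the question:
// $i    = 1;
// $name = storeUploadedImage($_FILES['imagefile' . $i], __DIR__ . '/' . $Image_Dir, $File_Max_Size);
// recordImage($pdo, $name, (int) $_POST['ContentID'], (string) $_POST['ImageDesc' . $i], (int) $_POST['RecOrder' . $i]);
```

The directory passed to storeUploadedImage() must be writable by the web server user but should not be one from which PHP is executed; since the stored name is generated and the extension is derived from the sniffed MIME type, an upload can no longer land as a .php file under a name the client chose.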

Answer 1 (score: 0)

Look in your php.ini file and search for disable_functions. You can remove what you need from that list (including the system() function).