
highlight_file best way to use the function with file path check

gitbox 2025-06-03

During PHP development, the highlight_file function is a convenient tool: it outputs a specified PHP file with syntax highlighting, which lets developers quickly inspect code structure and syntax. However, if highlight_file is used to display file contents and the file path is not checked properly, it creates security risks such as path traversal and disclosure of sensitive files.

This article will combine actual code examples to introduce how to use the highlight_file function safely and efficiently to ensure the highlighting of PHP files.


1. Introduction to highlight_file function

highlight_file is a built-in PHP function that reads a specified PHP file and outputs it in HTML format with syntax highlighting. The call format is as follows:

 highlight_file('File path');

Example:

 highlight_file('example.php');

By default this function outputs the highlighted HTML directly and returns true on success. If you want the highlighted code returned as a string instead, pass true as the second parameter (the $return parameter).


2. Existing security risks

If a user-supplied path is passed straight to highlight_file , a path traversal attack is easy, for example with the input:

 ../../../../etc/passwd

The same applies to any other file on the server that should not be viewed, such as configuration files containing database credentials. Note that highlight_file reads the file as text and does not execute it, so the risk is disclosure of source, configuration and credentials rather than code execution. Either way, the file path must be strictly filtered and verified before highlight_file is called.


3. Best practice: Use highlight_file in conjunction with path checking

Below is a sample code that shows how to safely call highlight_file with strict checks on file paths.

 <?php
// Define the root directory of files that are allowed to be displayed
define('BASE_DIR', __DIR__ . '/php_files/');

// Get the file name requested by the user
$file = $_GET['file'] ?? '';

// Basic safety check: reject empty names and any character outside
// letters, digits, underscore, hyphen and dot (this also excludes '/', '\' and NUL)
if ($file === '' || preg_match('/[^a-zA-Z0-9_\-\.]/', $file)) {
    die('Invalid file name');
}

// Resolve the allowed directory and the requested file to canonical absolute paths.
// realpath() also resolves symlinks, so a link inside BASE_DIR that points outside it is caught,
// and it returns false if the path does not exist.
$baseDir  = realpath(BASE_DIR);
$filePath = realpath(BASE_DIR . $file);

// Verify that the resolved path is inside the allowed directory, to prevent traversal.
// The trailing separator matters: without it, "/app/php_files2/x.php" would pass
// a prefix check against "/app/php_files".
if ($baseDir === false || $filePath === false
    || strpos($filePath, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
    die('Illegal file path');
}

// Check that the target exists and is a regular file (not a directory)
if (!is_file($filePath)) {
    die('The file does not exist');
}

// Call highlight_file to output the highlighted code
highlight_file($filePath);
?>

Key points description:

  • Limited directory : BASE_DIR defines the root directory of files that may be displayed, so users cannot reach arbitrary system files.

  • Character verification : File names may contain only letters, digits, underscores, hyphens and dots; everything else, including directory separators and NUL bytes, is rejected before any filesystem function sees the input.

  • realpath function : Parses and normalizes the path, resolving "." , ".." and symlinks, and returns false for paths that do not exist. This is what defeats traversal sequences that survive the character check (for example ".." on its own).

  • Path prefix matching : The canonical path of the file must start with the canonical allowed directory followed by a directory separator; comparing without the separator would also accept a sibling directory whose name merely begins with the same characters.

  • File Existence Check : Make sure the target exists and is a regular file, not a directory.
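The following is an added example, not code from the original article. It wraps the checks from sections 2 and 3 in a reusable function (the name resolve_allowed_file is a hypothetical choice) and runs it against a constructed temporary directory tree, so it can be executed stand-alone on a Linux or macOS system that allows creating symlinks. The inputs in the $inputs array are constructed to exercise each check in turn, including the symlink case that only realpath catches and a configuration file that the extension check keeps hidden.

```php
<?php
// Added example, not part of the original article: the article's checks wrapped in a
// reusable function, exercised against a constructed temporary directory tree.
declare(strict_types=1);

/**
 * Return the canonical path of $requested inside $baseDir, or null if any check fails.
 * Hypothetical helper name; the checks are the ones described in the article.
 */
function resolve_allowed_file(string $baseDir, string $requested): ?string
{
    // 1. Character allow-list, applied before realpath() so that NUL bytes and
    //    directory separators never reach the filesystem functions.
    if ($requested === '' || preg_match('/^[A-Za-z0-9_.-]+$/', $requested) !== 1) {
        return null;
    }

    // 2. Canonicalize both sides. realpath() resolves '.', '..' and symlinks and
    //    returns false for paths that do not exist.
    $realBase = realpath($baseDir);
    $realPath = realpath(rtrim($baseDir, '/\\') . DIRECTORY_SEPARATOR . $requested);
    if ($realBase === false || $realPath === false) {
        return null;
    }

    // 3. Containment check with a trailing separator, so that a sibling directory
    //    such as "php_files2" does not match the prefix "php_files".
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($realPath, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // 4. Must be a readable regular file, not a directory.
    if (!is_file($realPath) || !is_readable($realPath)) {
        return null;
    }

    // 5. Only expose the file type this page is meant to show, checked on the
    //    resolved name so a symlink with a .php name cannot smuggle another file type.
    if (substr($realPath, -4) !== '.php') {
        return null;
    }

    return $realPath;
}

// --- Constructed fixture (created in the system temp dir, removed at the end) ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'hf_demo_' . getmypid();
mkdir($root . '/php_files', 0700, true);
file_put_contents($root . '/php_files/test.php', "<?php echo 'hello';\n");
file_put_contents($root . '/php_files/config.ini', "db_password = example-only\n");
file_put_contents($root . '/secret.php', "<?php \$dbPassword = 'example-only';\n");
mkdir($root . '/php_files/sub.php', 0700);
// A symlink inside the allowed directory that points outside it.
symlink($root . '/secret.php', $root . '/php_files/link.php');

// Constructed inputs: what a normal user or an attacker might put in ?file=
$inputs = [
    'test.php',        // legitimate: allowed
    '../secret.php',   // classic traversal: rejected by the allow-list
    '..',              // passes the allow-list, rejected by the containment check
    "test.php\0",      // NUL byte: rejected by the allow-list
    'link.php',        // symlink escaping the base dir: rejected after realpath()
    'sub.php',         // a directory: rejected by is_file()
    'config.ini',      // exists and is inside the base dir, but wrong extension
    'missing.php',     // realpath() returns false
];

foreach ($inputs as $in) {
    $result = resolve_allowed_file($root . '/php_files', $in);
    printf("%-20s => %s\n", json_encode($in), $result === null ? 'rejected' : 'allowed');
    if ($result !== null) {
        // Return the HTML as a string instead of echoing it.
        $html = highlight_file($result, true);
        echo '    ', strlen($html), " bytes of highlighted HTML\n";
    }
}

// Clean up the fixture.
unlink($root . '/php_files/link.php');
unlink($root . '/php_files/test.php');
unlink($root . '/php_files/config.ini');
rmdir($root . '/php_files/sub.php');
rmdir($root . '/php_files');
unlink($root . '/secret.php');
rmdir($root);
```

The order of the checks is deliberate: the allow-list runs first because realpath() refuses strings containing NUL bytes, and the extension is checked on the resolved path rather than on the user input so that what is verified is the file actually opened.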


4. Sample demonstration

Suppose you will place the PHP files you allow to view in the project's php_files directory, and use the URL when accessing:

 http://gitbox.net/show_code.php?file=test.php

The request will safely read and highlight the contents of the php_files/test.php file.


5. Summary

Using the highlight_file function together with strict file path checks greatly improves the security and robustness of a code browsing feature and avoids the risks of path traversal and sensitive file leakage. The key points of the best practice are:

  • Limited accessible root directory;

  • Verify that the file name conforms to the legality;

  • Use realpath to canonicalize the path (resolving "." , ".." and symlinks);

  • Verify that the file path must be in the specified directory;

  • Confirm that the file exists and is a normal file.

Such a complete check sequence keeps code viewing flexible while protecting the server.