linux防止php 伪造本地文件解决方法

http://www.xxx.com/index.php?page=../etc/passwd
http://www.xxx.com/index.php?page=../../../etc/passwd
http://www.xxx.com/index.php?page=..../../etc/passwd

获取更多数据:
etc/profile
etc/services
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default

?page=intval($_GET);

$body = htmlspecialchars(isset($_GET[$str])?$_GET[$str]:'');

代码如下:
<?php
   /*   网站验证码程序
    *   运行环境： PHP5.0.18 下调试通过
    *   需要 gd2 图形库支持（PHP.INI中 php_gd2.dll开启）
    *   文件名: showimg.php
    *   作者：  17php.com
    *   Date:   2007.03
    */

   //随机生成一个4位数的数字验证码
    $num="";
    for($i=0;$i<4;$i++){
    $num .= rand(0,9);
    }
   //4位验证码也可以用rand(1000,9999)直接生成
   //将生成的验证码写入session，备验证页面使用
    Session_start();
    $_SESSION["Checknum"] = $num;
   //创建图片，定义颜色值
    Header("Content-type: image/PNG");
    srand((double)microtime()*1000000);
    $im = imagecreate(60,20);
    $black = ImageColorAllocate($im, 0,0,0);
    $gray = ImageColorAllocate($im, 200,200,200);
    imagefill($im,0,0,$gray);

    //随机绘制两条虚线，起干扰作用
    $style = array($black, $black, $black, $black, $black, $gray, $gray, $gray, $gray, $gray);
    imagesetstyle($im, $style);
    $y1=rand(0,20);
    $y2=rand(0,20);
    $y3=rand(0,20);
    $y4=rand(0,20);
    imageline($im, 0, $y1, 60, $y3, IMG_COLOR_STYLED);
    imageline($im, 0, $y2, 60, $y4, IMG_COLOR_STYLED);

    //在画布上随机生成大量黑点，起干扰作用;
    for($i=0;$i<80;$i++)
    {
   imagesetpixel($im, rand(0,60), rand(0,20), $black);
    }
    //将四个数字随机显示在画布上,字符的水平间距和位置都按一定波动范围随机生成
    $strx=rand(3,8);
    for($i=0;$i<4;$i++){
    $strpos=rand(1,6);
    imagestring($im,5,$strx,$strpos, substr($num,$i,1), $black);
    $strx+=rand(8,12);
    }
    ImagePNG($im);
    ImageDestroy($im);
   ?>

<?php   
/*   
* 文件:chinesechar.php   
* 作用:汉字数据储存   
*/   
$ChineseChar = array("人","出","来","友","学","孝","仁","义","礼","廉","忠","国","中","易","白","者","火 ","土","金","木","雷","风","龙","虎","天","地",   "生","晕","菜","鸟","田","三","百","钱","福 ","爱","情","兽","虫","鱼","九","网","新","度","哎","唉","啊","哦","仪","老","少","日",   "月 ","星");   
?>   

<?php   
/*   
* 文件:check.php   
* 作用:验证   

*/   
session_start();   
$errorMSG = '';   
//验证用户输入是否和验证码一致   
if(!is_null($_POST['check']))   
{   
        if (strcasecmp($_SESSION['code'],$_POST['code'])==0)   
            $errorMSG = "<p style="font-size:12px;color:#009900">验证成功!</p>";   
        else   
            $errorMSG = "<p style="font-size:12px;color:#FF0000">验证失败!</p>";   
}   
?>   
<html>   
<head>   
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">   
</head>   
<body>   
<?php   
if($errorMSG){   
echo $errorMSG;   
}   
?>   
<form action=<?php echo $_SERVER['PHP_SELF']?> method=post>   
请输入验证码：<input type="text" name="code" style="width:   
80px"><img src="code.php">   
<br>   
<input type="submit" name="check" value="提交验证码">   
</form>   
</body>   
</html>   

<?php   
/*   
* 文件:code.php   
* 作用:验证码生成   
 
* 特注:由 没牙的草 指导 版权所有转载注明出处!有付出才会有收获! 
*/   
include_once("chinesechar.php");   
session_start();   
// 设置 content-type   
header("Content-type: image/png");   
// 创建图片   
$im = imagecreatetruecolor(120, 30);   

// 创建颜色   
$fontcolor = imagecolorallocate($im, 255, 255, 255);   
$bg = imagecolorallocate($im, 0, 0, 0);   

// 设置文字   
for($i=0;$i<4;$i++) $text .= $ChineseChar[(array_rand($ChineseChar))];   

$_SESSION['code'] = $text;   
// 设置字体   
$font = 'simkai.ttf';   

// 添加文字   
imagettftext($im, 18, 0, 11, 21, $fontcolor, $font, iconv("GB2312","UTF-8",$text));   

// 输出图片   
imagepng($im);   
imagedestroy($im);   
?>

<?php

class ImageCode{
 private $width;//验证码图片宽度
 private $height;//验证码图片高度
 private $codeNum;//验证码字符个数
 private $checkCode;//验证码字符
 private $image;//验证码画布
 function __construct($width=60,$height=20,$codeNum=4){
  $this->width=$width;
  $this->height=$height;
  $this->codeNum=$codeNum;
  $this->checkCode=$this->createCheckCode();
 }
 
 function getcreateImage(){
  $this->getcreateImage();
  $this->outputText();
  $this->setDisturbColor();
  $this->outputImage();
 }
 function getCheckCode(){
  return $this->checkCode;
 }
 
 private function getCreateImage(){
  $this->image=imagecreatetruecolor($this->width,$this->height);
  $black=imagecolorallocate($this->image,255,255,255,0);
  $border=imagecolorallocate($this->image,255,255,255,255);
  imagefilledrectangle($this->image,0,0,$this->width-1,$this->height-1,$border);
 }

 private function createCheckCode(){
  for($i=0;$i<$this->codeNum;$i){
   $number=rand(0,2);
   switch($number){
    case 0:
     $rand_number=rand(48,57);//数字
     break;
    case 1:
     $rand_number=rand(65,90);//大写字母
     break;
    case 2:
     $rand_number=rand(97,122);
     break;
   }
   $asc=sprintf("%c",$rand_number);
   $asc_number=$asc_number.$asc;
  }
  return $asc_number;
 }

 private function setDisturbColor(){
  for($i=0;$i<=100;$i++){
   $color=imagecolorallocate($this->image,255,255,255);
   imagesetpixel($this->image,rand(1,$this->width-2),rand(1,$this->height-2),$color);
  }
 }

 private function outputImage(){
  if(imagetypes()&IMG_GIF){
   header("Content_type:image/gif");
   imagegif($this->image);
  }elseif(imagetypes()&IMG_JGP){
   header("Content_type:image/jpeg");
   imagejpeg($this->image,"",0.5);
  }else{
   die("PHP不支持图像创建");
  }
 }

 function __destruct(){
  imagedestroy($this->image);
 }
}

?>

<?php
session_start();

if( isset($_POST['submit'])) {
   if( $_SESSION['security_code'] == $_POST['security_code'] && !empty($_SESSION['security_code'] ) ) {
  // Insert you code for processing the form here, e.g emailing the submission, entering it into a database.
  echo 'Thank you. Your message said "'.$_POST['message'].'"';
  unset($_SESSION['security_code']);
   } else {
  // Insert your code for showing an error message here
  echo 'Sorry, you have provided an invalid security code';
   }
} else {
?>

 <form action="form.php" method="post">
  <label for="name">Name: </label><input type="text" name="name" id="name" /><br />
  <label for="email">Email: </label><input type="text" name="email" id="email" /><br />
  <label for="message">Message: </label><textarea rows="5" cols="30" name="message" id="message"></textarea><br />
  <img src="CaptchaSecurityImages.php?width=100&height=40&characters=5" /><br />
  <label for="security_code">Security Code: </label><input id="security_code" name="security_code" type="text" /><br />
  <input type="submit" name="submit" value="Submit" />
 </form>

<?php
 }
?>

<?php
session_start();

/*
* File: CaptchaSecurityImages.php
* Author: Simon Jarvis
* Copyright: 2006 Simon Jarvis
* Date: 03/08/06
* Updated: 07/02/07
* Requirements: PHP 4/5 with GD and FreeType libraries
* Link: http://www.white-hat-web-design.co.uk/articles/php-captcha.php
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details:
* http://www.gnu.org/licenses/gpl.html
*
*/

class CaptchaSecurityImages {

 var $font = 'monofont.ttf';

 function generateCode($characters) {
  /* list all possible characters, similar looking characters and vowels have been removed */
  $possible = '23456789bcdfghjkmnpqrstvwxyz';
  $code = '';
  $i = 0;
  while ($i < $characters) {
   $code .= substr($possible, mt_rand(0, strlen($possible)-1), 1);
   $i++;
  }
  return $code;
 }

 function CaptchaSecurityImages($width='120',$height='40',$characters='6') {
  $code = $this->generateCode($characters);
  /* font size will be 75% of the image height */
  $font_size = $height * 0.75;
  $image = @imagecreate($width, $height) or die('Cannot initialize new GD image stream');
  /* set the colours */
  $background_color = imagecolorallocate($image, 255, 255, 255);
  $text_color = imagecolorallocate($image, 20, 40, 100);
  $noise_color = imagecolorallocate($image, 100, 120, 180);
  /* generate random dots in background */
  for( $i=0; $i<($width*$height)/3; $i++ ) {
   imagefilledellipse($image, mt_rand(0,$width), mt_rand(0,$height), 1, 1, $noise_color);
  }
  /* generate random lines in background */
  for( $i=0; $i<($width*$height)/150; $i++ ) {
   imageline($image, mt_rand(0,$width), mt_rand(0,$height), mt_rand(0,$width), mt_rand(0,$height), $noise_color);
  }
  /* create textbox and add text */
  $textbox = imagettfbbox($font_size, 0, $this->font, $code) or die('Error in imagettfbbox function');
  $x = ($width - $textbox[4])/2;
  $y = ($height - $textbox[5])/2;
  imagettftext($image, $font_size, 0, $x, $y, $text_color, $this->font , $code) or die('Error in imagettftext function');
  /* output captcha image to browser */
  header('Content-Type: image/jpeg');
  imagejpeg($image);
  imagedestroy($image);
  $_SESSION['security_code'] = $code;
 }

}

$width = isset($_GET['width']) ? $_GET['width'] : '120';
$height = isset($_GET['height']) ? $_GET['height'] : '40';
$characters = isset($_GET['characters']) && $_GET['characters'] > 1 ? $_GET['characters'] : '6';

$captcha = new CaptchaSecurityImages($width,$height,$characters);

?>