3v4l.org

run code in 300+ PHP versions simultaneously
<?php
// Show every error so differences between PHP versions are visible.
ini_set('display_errors', 'On');
error_reporting(-1);

// Test inputs: one valid file name and several directory traversal (dt) variants.
$i = array(
    'save'      => '1.png',                              // valid input
    'dt'        => '../../1.png',                        // directory traversal (dt)
    'dt_url_e'  => urlencode('../../1.png'),             // dt url-encoded
    'dt_durl_e' => urlencode(urlencode('../../1.png')),  // dt double url-encoded
    'dt_utf8'   => '..%c0%af..%c0%af1.png',              // dt utf-8 encoded
    'dt_url_d'  => urldecode('../../1.png'),             // dt url decoded
    'dt_nb_d'   => '../../1.png%00',                     // dt with null byte
    'dt_nb'     => '../../1.png ',                       // dt with space char
);

foreach ($i as $k => $s) {
    echo '----------------------------------'."\n";
    echo '** case: '.$k."\n\n";
    fi($s);
    echo '----------------------------------'."\n\n";
}

// Print how realpath(), basename() and pathinfo() treat the raw input
// and its url-decoded form.
function fi($s)
{
    $s_d = urldecode($s);
    $p = pathinfo($s);

    echo 'input: '.$s."\n";
    echo 'input urldecoded: '.$s_d."\n";
    echo 'realpath: '.realpath($s)."\n";
    echo 'basename: '.basename($s)."\n";
    echo 'realpath url-d: '.realpath($s_d)."\n";
    echo 'basename url-d: '.basename($s_d)."\n";
    var_dump($p);
}
