我认为这样会起作用:
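<?php
// Streams one file from ../my_files (relative to this script) to the client.
// The file name comes from the query string, so the resolved path must be
// proven to sit directly inside that directory before anything is read.

// Canonical form of the only directory this script may serve from.
$baseDir = realpath(dirname(__FILE__) . '/../my_files');

// A missing, empty or non-string parameter (e.g. ?file[]=x) is rejected up
// front, as is a NUL byte, which filesystem functions refuse or mishandle.
$requested = isset($_GET['file']) ? $_GET['file'] : null;
if (
    $baseDir === false
    || !is_string($requested)
    || $requested === ''
    || strpos($requested, "\0") !== false
) {
    exit();
}

// realpath() collapses "../" segments and resolves symlinks; it returns false
// when the target does not exist.
$path = realpath($baseDir . '/' . $requested);

// Compare the whole parent directory with the canonical base, not only its
// last path component: a name-only check also accepts any other directory on
// the system that happens to be called "my_files", and splitting on '/'
// never matches on platforms where realpath() returns backslashes.
// To serve nested folders as well, replace this with a prefix comparison
// against $baseDir . DIRECTORY_SEPARATOR.
if ($path === false || dirname($path) !== $baseDir) {
    // request resolves outside my_files
    exit();
}
if (!is_file($path)) {
    // not a regular file
    exit();
}

// mime_content_type() returns false when detection fails; send a generic
// type rather than an empty Content-Type header.
$mimeType = mime_content_type($path);
if ($mimeType === false) {
    $mimeType = 'application/octet-stream';
}

header('Content-Type: ' . $mimeType);
// Keep the browser from overriding the declared type by sniffing the body.
header('X-Content-Type-Options: nosniff');
// NOTE(review): if my_files can hold content supplied by users, a file
// detected as text/html is rendered in this site's origin; consider sending
// Content-Disposition: attachment for such types.
header('Content-Length: ' . filesize($path));
readfile($path);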