[vox-tech] php security (was: another php question)
Tim Riley
vox-tech@lists.lugod.org
Thu, 06 Jun 2002 14:12:25 -0700
Matt Roper wrote:
> With this solution, what keeps people from using something like
> "../../../etc/shadow" as $arg? You'd probably need to strip out slashes
> and ..'s to be safe...
>
> Matt
>
Good thinking Matt and Jeff. How about
$file2open = ( substr( $arg[ 1 ], 0, 1 ) == "." )
    ? ""
    : $APPLICATION_HOME_DIRECTORY . $arg[ 1 ];
This checks the first character for a dot by using the substring function
inside the ternary operator. If someone tries to penetrate your system,
file2open will fail.
>
> On Thu, Jun 06, 2002 at 12:20:31PM -0700, Tim Riley wrote:
> > An easy way around exposing /etc/anything is to do what Apache does with
> > HTML documents: only reference documents inside a relative directory.
> >
> > e.g., $file2open = $APPLICATION_HOME_DIRECTORY . $arg[ 1 ]
> >
>
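An added example, not code from either post in the thread: instead of inspecting only the first character of the requested name, this helper canonicalises the full path with realpath() and opens the file only if it resolves to somewhere strictly inside $APPLICATION_HOME_DIRECTORY. The function name, the temporary directory and the sample inputs are constructed for this example.

```php
<?php
// Added example (not from the thread): resolve the requested name against the
// application directory and open it only if the canonical path stays inside.
// $APPLICATION_HOME_DIRECTORY is the variable name from the thread; the
// function name and the test fixture below are assumptions for this example.

function safe_open_path(string $baseDir, string $requested): ?string
{
    // Canonical base directory (resolves symlinks, strips trailing slashes).
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // Canonicalise the requested file. realpath() collapses "." and ".."
    // segments wherever they appear, so the check does not depend on the
    // position of a dot in the user-supplied string.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;            // does not exist: nothing to open
    }

    // Accept only paths strictly below the application directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;            // resolved outside the application directory
    }
    return $target;
}

// Constructed self-test: a temporary application directory with one document.
$APPLICATION_HOME_DIRECTORY = sys_get_temp_dir() . '/phpsec_demo_' . getmypid();
mkdir($APPLICATION_HOME_DIRECTORY);
file_put_contents($APPLICATION_HOME_DIRECTORY . '/readme.txt', "hello\n");

// The traversal string is the one quoted in the thread; the others are constructed.
$cases = ['readme.txt', './readme.txt', '../../../etc/shadow', 'missing.txt'];
foreach ($cases as $arg) {
    $file2open = safe_open_path($APPLICATION_HOME_DIRECTORY, $arg);
    printf("%-22s => %s\n", $arg, $file2open === null ? 'REJECTED' : $file2open);
}

unlink($APPLICATION_HOME_DIRECTORY . '/readme.txt');
rmdir($APPLICATION_HOME_DIRECTORY);
```

Running it prints the two readme variants resolved to the same canonical file and the traversal and missing-file inputs as REJECTED; because realpath() requires the target to exist, a missing document is rejected rather than opened.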