Posted by NoWhereMan on 09/03/06 12:15
on Sun, 3 Sep 2006 14:03:23 +0200, Janwillem Borleffs wrote:
> NoWhereMan wrote:
>> would you please help me find any security flaw in this code (if any)?
>> thank you so much
>>
>> http://paste.uni.cc/9829
>>
>
> I assume you have properly set your base dir restriction directive in your
> php.ini file to handle cases where $_REQUEST['f'] would be defined as
> '../someprivatedir/dbconnect.php'?
>
> JW
actually I can't as I don't own the webserver (and as the script is
supposed to be distributed), and that's why I've put these lines:
if (strpos($name, '..') !== false || strpos($name, '/') !== false)
    die('Invalid file name!');
--
NoWhereMan
-- NoWhereBlog: www.nowhereland.it
-- deviantArt: http://nowhereland.deviantart.com
-- Do you play BiteFight? http://bitefight.nowhereland.it/
-- Vagisil improves your intimate life: www.vagisil.com/teencenter.shtml
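A stricter version of that file-name check, added here as an example and not code from the thread or the pasted script: it allowlists the shape of the name instead of searching for '..' and '/', and then confirms the resolved path is inside the intended directory. It assumes the includable pages live under ./pages next to the script.

```php
<?php
// Added example (not the poster's code). Assumption: includable pages
// live in ./pages relative to this script.
const PAGES_DIR = __DIR__ . '/pages';

// Stage 1: purely syntactic allowlist. Letters, digits, '_' and '-', one
// ".php" suffix, nothing else. This rejects '..', '/', '\', NUL bytes and
// any other character the two strpos() checks in the thread never look at.
function valid_page_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.php\z/', $name) === 1;
}

// Stage 2: resolve on disk and require the result to sit under PAGES_DIR.
// Returns the canonical path, or null when the name is rejected, the file
// does not exist, or it resolves (e.g. via a symlink) outside the base dir.
function resolve_page(string $name): ?string
{
    if (!valid_page_name($name)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs showing the verdict of the syntactic stage alone;
// resolve_page() would additionally require the file to exist under ./pages.
foreach (['home.php', '../dbconnect.php', 'a\\..\\x.php', "x.php\0.txt", 'home'] as $f) {
    printf("%-22s -> %s\n", addcslashes($f, "\0"),
        valid_page_name($f) ? 'accepted' : 'rejected');
}
```

Only home.php passes the allowlist; the traversal, backslash, NUL-byte and suffix-less names are all rejected before any filesystem access.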