Re: [PHP] Newbie: Safe function call to a .inc file outside the web folder — PHP

You are here: Re: [PHP] Newbie: Safe function call to a .inc file outside the web folder « PHP « IT news, forums, messages

Posted by Chris Shiflett on 08/26/05 04:44

Graham Anderson wrote:
> Is the below reasonable safe ?
>
> I have all of my main functions outside the web folder
> I am including this function with every php script that
> accesses fonovisa.inc
>
> function getBrain()
> {
> $temp = explode('.', $_SERVER['SERVER_NAME']);

Because $_SERVER['SERVER_NAME'] can be manipulated by the user in some
cases, you must consider $temp tainted at this point.

> $size = count($temp);
> $server = $temp[$size -2];

Now $server is tainted.

> $brainPath = "/home/".$server."/includes/fonovisa.inc";

Therefore, this is a security vulnerability.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

Navigation:

Next in forum: Re: [PHP] Newbie: Safe function call to a .inc file outside the web folder
Prev in forum: Re: [PHP] make it remember
Thread view: Re: [PHP] Newbie: Safe function call to a .inc file outside the web folder

[Reply to this message]

Удаленная работа для программистов • Как заработать на Google AdSense • England, UK • статьи на английском • PHP MySQL CMS Apache Oscommerce • Online Business Knowledge Base • DVD MP3 AVI MP4 players codecs conversion help

Home • Search • Site Map • Set as Homepage • Add to Favourites

Сайт изготовлен в Студии Валентина Петручека —
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация