Re: securing — PHP Programming Language — IT news, forums, messages

You are here: Re: securing « PHP Programming Language « IT news, forums, messages

Posted by Andy Jeffries on 03/29/06 14:17

On Wed, 29 Mar 2006 11:31:46 +0200, Frank Mutze wrote:

> hello
>
> Is there a method to forbid an attacker to exploit download.php in
> grabbing some "sensitive" file ?
>
> I mean using that kind of trick
>
> download.php?filename=../../../../../../../../../../../../etc/passwd

Use http://uk.php.net/realpath to convert it to a normal path and then use
one of the many string comparing functions to check it's within your
acceptable path.

Cheers,

Andy

--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

Navigation:

Next in forum: Re: Content Management System
Prev in forum: Re: removing php on a mac with tiger
Thread view: Re: securing

[Reply to this message]

Удаленная работа для программистов • Как заработать на Google AdSense • England, UK • статьи на английском • PHP MySQL CMS Apache Oscommerce • Online Business Knowledge Base • DVD MP3 AVI MP4 players codecs conversion help

Home • Search • Site Map • Set as Homepage • Add to Favourites

Сайт изготовлен в Студии Валентина Петручека —
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация