Re: securing — PHP Programming Language — IT news, forums, messages

You are here: Re: securing « PHP Programming Language « IT news, forums, messages

Posted by d on 03/29/06 19:02

"Frank Mutze" <nospam@all.net> wrote in message
news:e0dk62$hkc$1@s1.news.oleane.net...
> hello
>
> Is there a method to forbid an attacker to exploit download.php
> in grabbing some "sensitive" file ?
>
> I mean using that kind of trick
>
> download.php?filename=../../../../../../../../../../../../etc/passwd
>
> thanks you

The easiest way is to remove any path elements that navigate up the
directory structure:

$path=str_replace("../", "", $path);

that would at least keep it within your documentroot. Comparing the
realpath() is the most secure, however.

dave

Navigation:

Next in forum: Re: how does one send a large string as a POST to another web page?
Prev in forum: PHP-JAVA bridge
Thread view: Re: securing

[Reply to this message]

Удаленная работа для программистов • Как заработать на Google AdSense • England, UK • статьи на английском • PHP MySQL CMS Apache Oscommerce • Online Business Knowledge Base • DVD MP3 AVI MP4 players codecs conversion help

Home • Search • Site Map • Set as Homepage • Add to Favourites

Сайт изготовлен в Студии Валентина Петручека —
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация