Posted by Colin McKinnon on 01/24/07 22:33
OmegaJunior wrote:
> On Wed, 24 Jan 2007 21:18:55 +0100, Guffi <privat@pc-care.dk> wrote:
>
>> Hi
>>
>> The PHP code is like this in the index-file:
>>
>> include($id);
>>
>
> How about allowing numeric entry only, and concatenating that with a
> string of your own? Like so:
>
> $id = $_GET['id'];
> if (is_numeric($id)) {
> include('page'.$id);
> }
>
That's a bit restrictive. A more flexible solution would be to supply your
own prefix, e.g.
include('/home/guffi/include/' . $_GET['id']);
Although to avoid a very obvious bug (id=../../../etc/passwd)...
$prefix='/home/guffi/include/';
$file=realpath($prefix . $_GET['id']);
// realpath() collapses ".." and returns false for a missing file, so check
// for false before comparing, and compare strictly
if ($file !== false && substr($file,0,strlen($prefix))===$prefix) {
include($file);
}
(note I've not tested this to make sure it really doesn't allow remote
files).
A better way would be to use an open_basedir or allow_url_fopen setting in
the config (can't be set at runtime) but that will affect all file access.
In the version of PHP I have installed here, stat() on a remote file returns
false (and throws a warning) but this is not a documented behaviour - so
YMMV.
HTH
C.
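The realpath()-plus-prefix idea from this reply, written out as an added example (not code from the thread). It goes a little further than the post: it forces a trailing separator on the base directory so a sibling directory with the same prefix cannot match, and it only accepts plain relative names ending in .php. The directory and file names in the demo are constructed for the example.

```php
<?php
// Added example: hardened "include a page chosen by ?id=" lookup.
// Assumes the includable pages live under $baseDir (constructed below).

function resolveIncludePath(string $baseDir, string $id): ?string
{
    // Normalise the base directory and force a trailing separator, so that
    // "/home/guffi/include" cannot match "/home/guffi/include2/...".
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Accept only a simple relative name with a .php suffix. A URL or an
    // absolute path never reaches realpath(), which also rules out remote
    // includes regardless of the allow_url_fopen setting.
    if (!preg_match('~\A[A-Za-z0-9_][A-Za-z0-9_/-]*\.php\z~', $id)) {
        return null;
    }

    // realpath() collapses "..", resolves symlinks and returns false for a
    // file that does not exist, so the prefix test runs on the real target.
    $file = realpath($base . $id);
    if ($file === false) {
        return null;
    }
    if (strncmp($file, $base, strlen($base)) !== 0) {
        return null; // resolved outside the base directory (e.g. via a symlink)
    }
    return $file;
}

// Constructed demo: a throwaway directory holding one legitimate page.
$demoDir = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($demoDir);
file_put_contents($demoDir . '/page1.php', "<?php echo 'page1';\n");

$candidates = ['page1.php', '../../../etc/passwd', 'http://example.com/x.php', 'page1.php/../../x'];
foreach ($candidates as $id) {
    $path = resolveIncludePath($demoDir, $id);
    printf("%-28s => %s\n", $id, $path === null ? 'rejected' : 'include ' . basename($path));
}

unlink($demoDir . '/page1.php');
rmdir($demoDir);
```

Only the first candidate resolves; the other three are rejected before or after realpath(), and a nonexistent page is rejected rather than passed to include().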