Reply to Re: [PHP] Newbie: Safe function call to a .inc file outside the web folder

Your name:

Reply:


Posted by Chris Shiflett on 08/26/05 04:44

Graham Anderson wrote:
> Is the below reasonable safe ?
>
> I have all of my main functions outside the web folder
> I am including this function with every php script that
> accesses fonovisa.inc
>
> function getBrain()
> {
> $temp = explode('.', $_SERVER['SERVER_NAME']);

Because $_SERVER['SERVER_NAME'] can be manipulated by the user in some
cases, you must consider $temp tainted at this point.

> $size = count($temp);
> $server = $temp[$size -2];

Now $server is tainted.

> $brainPath = "/home/".$server."/includes/fonovisa.inc";

Therefore, this is a security vulnerability.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

[Back to original message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация