PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
All times are UTC - 5 hours




Post new topic Reply to topic  [ 60 posts ]  Go to page Previous  1, 2, 3, 4  Next
PostPosted: Sun Aug 14, 2005 8:33 pm
Forum Contributor
Joined: Sun Feb 06, 2005 12:22 pm
Posts: 124
 
PostPosted: Sun Aug 14, 2005 9:05 pm
Tutorials Group
Joined: Sun Jan 04, 2004 11:30 pm
Posts: 2692
 
PostPosted: Sun Aug 14, 2005 9:09 pm
Forum Contributor
Joined: Sun Feb 06, 2005 12:22 pm
Posts: 124
 
PostPosted: Sun Aug 14, 2005 9:57 pm
DevNet Resident
Joined: Fri Aug 16, 2002 8:57 am
Posts: 1834
Location: Watertown, MA
 
PostPosted: Sun Aug 14, 2005 9:58 pm
DevNet Resident
Joined: Fri Aug 16, 2002 8:57 am
Posts: 1834
Location: Watertown, MA
 
PostPosted: Sun Aug 14, 2005 10:07 pm
Forum Contributor
Joined: Sun Feb 06, 2005 12:22 pm
Posts: 124
 
PostPosted: Sun Aug 14, 2005 10:13 pm
DevNet Resident
Joined: Fri Aug 16, 2002 8:57 am
Posts: 1834
Location: Watertown, MA
Yup, I've seen that too...

All these little exceptions are why I don't do user-provided includes. If I had to, I'd use the basename function, coupled with a regexp ([-A-Za-z0-9_]), with forced ending (.php or .inc depending on your preference, etc.). The null-byte, full stops, and slashes wouldn't survive that.

As always, state what you'll accept, not what you'll reject. It's too easy to miss something if you only list the bad stuff.
 
PostPosted: Sun Aug 14, 2005 11:22 pm
Forum Regular
Joined: Thu Nov 25, 2004 10:53 pm
Posts: 708
Location: U Michigan
Oh, I see the security holes now. But no - I keep my server as clean as possible.
 
PostPosted: Mon Aug 15, 2005 10:13 am
DevNet Master
Joined: Tue Jan 20, 2004 12:11 am
Posts: 4897
Location: Leuven, Belgium
can come in quite handy ;)
 
PostPosted: Wed Aug 17, 2005 10:02 am
Forum Newbie
Joined: Wed Aug 17, 2005 9:53 am
Posts: 1
 
PostPosted: Wed Aug 17, 2005 12:42 pm
DevNet Resident
Joined: Fri Aug 16, 2002 8:57 am
Posts: 1834
Location: Watertown, MA
Well, the null byte can stop the .php. I'm not sure if an attacker could get a series of ^H control codes in to delete the prefix, but that might be possible via some encoding or another.
 
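The accept-list approach from the 10:13 pm post (basename plus a [-A-Za-z0-9_] regexp and a forced extension), checked against the null byte and ^H control code question just above, as an added example that is not code from the thread. The INCLUDE_DIR constant, the safe_include_path() function and the ".inc" ending are assumptions made for the demo, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the thread: build an include path by stating
// what is accepted (basename + regexp + forced extension), so null bytes,
// dots, slashes and control characters such as ^H never reach include().
// INCLUDE_DIR, safe_include_path() and the ".inc" ending are assumptions.

define('INCLUDE_DIR', __DIR__ . '/includes');

/**
 * Return the include path for $name, or null if $name is not acceptable.
 */
function safe_include_path($name)
{
    // ?page[]=x arrives as an array; that is not a page name
    if (!is_string($name)) {
        return null;
    }
    // Accept-list: only [-A-Za-z0-9_], 1..64 characters. \A and \z are used
    // instead of ^ and $ because $ would tolerate a trailing newline.
    if (!preg_match('/\A[-A-Za-z0-9_]{1,64}\z/', $name)) {
        return null;
    }
    // The regexp already excludes slashes, so basename() must be a no-op;
    // keep it as a second line of defence against a later regexp edit.
    if (basename($name) !== $name) {
        return null;
    }
    // The extension is ours, never the caller's
    return INCLUDE_DIR . '/' . $name . '.inc';
}

// Constructed sample inputs (not from the thread) showing what survives
$samples = array(
    'main',                      // accepted
    'my-page_2',                 // accepted
    "../../etc/passwd\0",        // null byte, dots and slashes: rejected
    '../config',                 // directory traversal: rejected
    'page.php',                  // caller-supplied extension: rejected
    "main\n",                    // trailing newline: rejected thanks to \z
    "main\x08\x08\x08\x08",      // ^H control codes: rejected
    'http://example.invalid/x',  // remote path: rejected
);
foreach ($samples as $s) {
    $path = safe_include_path($s);
    printf("%-28s => %s\n", addcslashes($s, "\0..\37"),
           $path === null ? 'REJECTED' : $path);
}

// Front-controller usage (assumed layout): fall back to a fixed default page
// $path = safe_include_path(isset($_GET['page']) ? $_GET['page'] : 'main');
// include($path !== null && is_file($path) ? $path : INCLUDE_DIR . '/default.inc');
```

Run it with the PHP CLI and each rejected input prints REJECTED; the only things that reach the filesystem are identifiers the regexp passed, with the extension appended by the script rather than taken from the request. The \z anchor is the detail most often missed: with a plain $ the regexp would accept "main\n".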
PostPosted: Sat Aug 20, 2005 7:02 pm
Forum Newbie
Joined: Wed Aug 03, 2005 10:47 am
Posts: 24
Location: NW Louisiana
 
PostPosted: Sat Aug 20, 2005 7:16 pm
DevNet Resident
Joined: Fri Aug 16, 2002 8:57 am
Posts: 1834
Location: Watertown, MA
Yes, an explicit list of approved includes is a much more secure starting point. It's still possible to "mess it up" but it's generally much safer.
 
PostPosted: Mon Oct 10, 2005 8:28 am
DevNet Master
Joined: Mon Sep 19, 2005 6:24 am
Posts: 3587
Location: London
Bit of forum Necromancy here, I sometimes use the following:

<?php

// Approved include names; the request only supplies an index into this list
$files = array('main', 'accounts', 'page2', 'blahblah', 'etc');

// intval() turns whatever is in pid into an integer; an index that is not
// in the list is simply absent and falls through to the default page
$pid = isset($_GET['pid']) ? intval($_GET['pid']) : 0;

// include is a language construct, so without the outer parentheses the
// "or" binds inside its argument and include(true) runs instead of the
// fallback; the concatenation dot before '.inc' was also missing
(isset($files[$pid]) && @include('/path/to/includes/' . $files[$pid] . '.inc'))
    or include('/path/to/includes/default.php');

?>

on my front controller(s) :)

Last edited by Jenk on Tue Oct 11, 2005 4:39 am, edited 1 time in total.
 
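The explicit list of approved includes from the 7:16 pm post, in the shape Jenk's front-controller snippet uses, as an added example that is not code from the thread: a name => file map looked up with array_key_exists(), plus a realpath() check that the chosen file really sits under the include directory, which goes one step beyond what the posts describe. The resolve_page() function, the temporary include directory and the three page files are constructed for the demo.

```php
<?php
// Added example, not code from the thread: an approved name => file map
// (the "explicit list of approved includes") plus a realpath() containment
// check. resolve_page(), the temp directory and the page files are assumed
// and constructed here so the script runs on its own.

/**
 * Map a requested page name to an absolute include path, or return null.
 * $pages is the approved list; nothing from the request is used as a path.
 */
function resolve_page($requested, array $pages, $includeDir)
{
    // A request array (?page[]=x) or an unknown name is simply not on the list
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        return null;
    }
    $base = realpath($includeDir);
    $real = realpath($includeDir . DIRECTORY_SEPARATOR . $pages[$requested]);
    // realpath() returns false for a missing file, so a typo in the list
    // falls through to the default page rather than a warning
    if ($base === false || $real === false) {
        return null;
    }
    // Belt and braces: the resolved file must live inside the include dir
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// --- constructed demo environment (not part of the thread) --------------
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/main.inc',     "<?php echo \"main page\\n\";");
file_put_contents($dir . '/accounts.inc', "<?php echo \"accounts page\\n\";");
file_put_contents($dir . '/default.inc',  "<?php echo \"default page\\n\";");

$pages = array(
    'main'     => 'main.inc',
    'accounts' => 'accounts.inc',
    'missing'  => 'not_there.inc',   // listed but absent: falls back to default
);

// Constructed requests: two approved names, one listed-but-missing, and
// three that should never reach the filesystem
$requests = array('main', 'accounts', 'missing', '../../etc/passwd', "main\0", array('x'));
foreach ($requests as $req) {
    $path = resolve_page($req, $pages, $dir);
    echo (is_array($req) ? '[array]' : addcslashes($req, "\0..\37")), " -> ";
    include($path !== null ? $path : $dir . '/default.inc');
}

// Remove the constructed files again
array_map('unlink', glob($dir . '/*.inc'));
rmdir($dir);
```

Only 'main' and 'accounts' print their own page; everything else, including the listed-but-missing entry, lands on default.inc. Keying the list by name rather than by numeric index avoids the undefined-offset case entirely, and the realpath() prefix check costs nothing while catching a future mistake in the list itself.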
PostPosted: Mon Oct 10, 2005 8:08 pm
Forum Regular
Joined: Sat Mar 12, 2005 8:13 pm
Posts: 703
Location: US
and that has to be the best way I've ever seen. ;)
 
Powered by phpBB® Forum Software © phpBB Group