l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
October 20: Web Application Hacking: How to Make and Break Security on the Web
Next Installfest:
TBD
Latest News:
Oct. 10: LUGOD Installfests coming again soon
Page last updated:
2002 Jun 06 20:40

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] php security (was: another php question)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] php security (was: another php question)





Matt Roper wrote:

> With this solution, what keeps people from using something like
> "../../../etc/shadow" as $arg?  You'd probably need to strip out slashes
> and ..'s to be safe...
>
> Matt
>

Good thinking Matt and Jeff. How about

$file2open = ( substr( $arg[ 1 ], 0, 1 ) == "." )
                ? ""
                : $APPLICATION_HOME_DIRECTORY . $arg[ 1 ];

This checks the first character for a dot by using the substring function
inside
the ternary operator. If someone tries to penetrate your system, file2open
will fail.

>
> On Thu, Jun 06, 2002 at 12:20:31PM -0700, Tim Riley wrote:
> > An easy way around exposing /etc/anything is to do what Apache does with
> > HTML documents: only reference documents inside a relative directory.
> >
> > e.g., $file2open = $APPLICATION_HOME_DIRECTORY . $arg[ 1 ]
> >
>
> --
>
> *************************************************
> * Matt Roper <matt@mattrope.com>                *
> * http://www.mattrope.com                       *
> * PGP Key: http://www.mattrope.com/mattrope.asc *
> *************************************************
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
EDGE Tech Corp.
For donating some give-aways for our meetings.