security

Posted: Sat May 18, 2002 10:40 pm
by hob_goblin
my website has a loophole that lets anyone include any file they want into my little content window,

Code:

echo "$content";
if(isset($f2inc)){
include($f2inc);
}

is what I have now. Anybody know what I could do to check that "$f2inc" is a file on my server?

Posted: Sat May 18, 2002 11:25 pm
by EvilWalrus
file_exists() and is_file() should help you

Posted: Sat May 18, 2002 11:49 pm
by hob_goblin
I know about file_exists() and is_file(), I just want to make sure that it is on MY server, not for instance... yahoo, or something

Posted: Sat May 18, 2002 11:53 pm
by jason
hob_goblin wrote: I know about file_exists() and is_file(), I just want to make sure that it is on MY server, not for instance... yahoo, or something
Actually, you don't know about file_exists().

Read http://ca.php.net/manual/en/function.file-exists.php and in particular, the part that says this:

This function will not work on remote files; the file to be examined must be accessible via the server's filesystem

:D

Posted: Sun May 19, 2002 7:09 am
by volka
;)
You also know the path of your script. Just make sure the requested file is somewhere in this path (or a subdirectory ... or ... or ...),
and if you let them upload files you may use is_uploaded_file and move_uploaded_file to move these files to a valid directory in your webspace.
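A hardened replacement for the bare include($f2inc), along the lines volka describes: this is an added example, not code from any poster, and it assumes the content pages live in a pages/ directory beside the script and that the parameter is read explicitly from $_GET instead of via register_globals.

```php
<?php
// Added example: resolve the requested page name to a real file inside a
// fixed directory on this server before including it. realpath() returns
// false for URLs and missing files and collapses "../" and symlinks, so the
// containment check below is what actually keeps the include local.
declare(strict_types=1);

/**
 * Return the absolute path of $requested inside $baseDir, or null when the
 * request is a URL, an absolute path, a traversal, or not a regular file.
 */
function resolve_include(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // The resolved path must begin with the base directory plus a separator;
    // comparing with strlen($base) alone would accept "/var/www/pages-evil".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Assumed layout: content pages in ./pages next to this script.
$pagesDir = __DIR__ . '/pages';
$f2inc = $_GET['f2inc'] ?? null;   // read explicitly, no register_globals

if ($f2inc !== null) {
    $path = resolve_include($f2inc, $pagesDir);
    if ($path !== null) {
        include $path;             // e.g. ?f2inc=about.php -> ./pages/about.php
    } else {
        // "http://yahoo.com/x", "../../etc/passwd" and "/etc/passwd" all end here
        echo 'Unknown page.';
    }
}
```

If the set of pages is small, an explicit allow-list array of page names checked with in_array() is simpler still and avoids filesystem lookups on attacker-supplied strings altogether.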

Posted: Sun May 19, 2002 1:16 pm
by hob_goblin
Heh, you make me feel so stupid. I've only used file_exists() to prompt a script to overwrite or rename a file... I never read that much into it :oops: