
Posted: Wed Sep 13, 2006 1:55 pm
by feyd
Everah wrote: Thanks guys. On a side note, does anyone know what the default php.ini setting for log_errors is? I think that for the project I am working on it would be helpful to have a look at the PHP generated errors. I have never really looked into the PHP error logs so I am not sure if they are on by default and, if they are on, where the log resides.
Manual says it's off by default, but it is PHP_INI_ALL :)

Posted: Wed Sep 13, 2006 2:02 pm
by RobertGonzalez
Thanks feyd. The new hardware should be in about two weeks and the software setup will take place soon after. I want to make sure that all the hobbyists that may be coding on the development servers see the crap that is getting put into production at the moment. :twisted:

Re: Using $_GET vars directly in include

Posted: Sat Sep 23, 2006 6:02 pm
by shiflett
Everah wrote: What are the potential implications of this code, as you see it here?
As it is written, an attacker can execute any PHP script on the server. On certain platforms, an attacker can also expose any arbitrary file on the server. The only exceptions to these two statements are files that cannot be read by the web server.

Hope that helps.

Posted: Sat Sep 23, 2006 9:21 pm
by RobertGonzalez
Thanks for all the input. Fortunately the company was very quick to adopt my PHP coding standards, which specifically state not to accept user input without some form of validation AND to not use unfiltered $_GET requests for includes.

Posted: Tue Sep 26, 2006 3:47 am
by eremini
I think some of the problems outlined can be prevented by a simple file_exists check first.

Posted: Thu Sep 28, 2006 3:47 am
by RobertGonzalez
Yes, they would, but I am of the mindset that you should never take user input and use it directly without some form of validation first.
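The two posts above (eremini's file_exists suggestion and the reply that user input needs validation before it is used) can be put side by side in code. The following is an added example written for this thread, not code posted by any participant: it replaces a direct include of $_GET['page'] with an allowlist lookup, and only then checks that the resolved file exists and sits inside the expected directory. The directory name pages/, the page keys, the helper name resolvePage and the PHP 7+ syntax are all assumptions of the example.

```php
<?php
// Added example (not from the thread): allowlist-based page loading
// instead of passing $_GET['page'] straight into include.
// Assumptions: includable pages live under ./pages/ and are listed in $allowedPages.

declare(strict_types=1);

// Map of public page keys to files. Only keys in this map can ever be included;
// the request string itself never becomes part of a filesystem path.
$allowedPages = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page key to an absolute file path,
 * or return null if the request is not an allowed page.
 */
function resolvePage(array $allowed, string $baseDir, ?string $requested): ?string
{
    // Fall back to 'home' when nothing (or an empty string) was requested.
    $key = ($requested === null || $requested === '') ? 'home' : $requested;

    // Validation step: the key must be an exact allowlist entry.
    if (!array_key_exists($key, $allowed)) {
        return null;
    }

    $path = $baseDir . DIRECTORY_SEPARATOR . $allowed[$key];

    // Existence/containment check: realpath() returns false for a missing file,
    // and the prefix test confirms the file is inside $baseDir. On its own this
    // check would only prove a file exists, which is why the allowlist comes first.
    $real     = realpath($path);
    $realBase = realpath($baseDir);
    if ($real === false || $realBase === false
        || strpos($real, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$file = resolvePage($allowedPages, __DIR__ . '/pages', $_GET['page'] ?? null);
if ($file === null) {
    // Rejected requests go to the PHP error log (see the log_errors discussion
    // earlier in the thread) so unexpected page values can be reviewed later.
    error_log('Rejected page request: ' . var_export($_GET['page'] ?? null, true));
    http_response_code(404);
    exit('Page not found');
}
include $file;
```

Usage: a request for ?page=about includes pages/about.php; any value that is not a key in $allowedPages, including paths or URLs, is logged and answered with a 404 before include is reached. The realpath prefix test is a second line of defence in case the allowlist itself is ever edited to contain a relative path; it is not a substitute for the allowlist.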

Posted: Thu Sep 28, 2006 5:39 am
by Maugrim_The_Reaper
Everah 1, Bumbling Developers 0. ;)

Posted: Fri Sep 29, 2006 12:45 am
by RobertGonzalez
w00t! I'm scoring...