security

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


hob_goblin
Forum Regular
Posts: 978
Joined: Sun Apr 28, 2002 9:53 pm

security

Post by hob_goblin »

My website has a loophole that lets anyone include any file they want into my little content window.

<?php
// Posted as-is: this is the vulnerable version. $f2inc arrives straight from
// the request (register_globals), so any value, local or remote, gets included.
echo "$content";
if (isset($f2inc)) {
    include($f2inc);
}
?>

is what I have now. Anybody know what I could do to check that "$f2inc" is a file on my server?
EvilWalrus
Site Admin
Posts: 209
Joined: Thu Apr 18, 2002 3:21 pm
Location: Springmont, PA USA

Post by EvilWalrus »

file_exists() and is_file() should help you
hob_goblin
Forum Regular

Post by hob_goblin »

I know about file_exists() and is_file(); I just want to make sure that it is on MY server, not, for instance, Yahoo or something.
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA
Contact:

Post by jason »

hob_goblin wrote: I know about file_exists() and is_file(); I just want to make sure that it is on MY server, not, for instance, Yahoo or something.
Actually, you don't know about file_exists().

Read http://ca.php.net/manual/en/function.file-exists.php and in particular, the part that says this:

This function will not work on remote files; the file to be examined must be accessible via the server's filesystem

:D
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

;)
You also know the path of your script. Just make sure the requested file is somewhere in this path (or a subdirectory ... or ... or ...),
and if you let them upload files, you may use is_uploaded_file and move_uploaded_file to move these files to a valid directory in your webspace.
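Putting jason's and volka's points together: file_exists() and is_file() only answer whether a path exists on the server's own filesystem, and the missing piece is confirming that the path resolves to somewhere under a directory you chose. The following is an added example written for this thread, not code from the original posts. It assumes content pages live in a "pages" directory next to the script, that requested names end in ".php", and that the parameter is read from $_GET rather than via register_globals; all three are assumptions, not anything the thread specifies.

```php
<?php
// Added example, not code from the original thread.
// Assumptions: pages live under "pages/" beside this script, page names end in
// ".php", and the requested name arrives in $_GET['f2inc'].

declare(strict_types=1);

/**
 * Return the canonical path of the requested page if, and only if, it is a
 * regular file underneath $base_dir on this server. Return null otherwise.
 */
function resolve_content_file(string $base_dir, string $requested): ?string
{
    // realpath() resolves symlinks and "..", and returns false for anything
    // that is not reachable through the local filesystem (so "http://..." and
    // "php://..." never get this far as a valid path).
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }

    // Only plain names with optional subdirectories. "." is not allowed except
    // in the ".php" suffix, so ".." cannot appear; ":" is not allowed, so no
    // scheme can appear. Absolute paths are harmless because the name is
    // always appended to $base below.
    if (!preg_match('/^[A-Za-z0-9_\-\/]+\.php$/', $requested)) {
        return null;
    }

    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null; // does not exist locally, or is a directory
    }

    // The pattern check already keeps the string under $base; this prefix check
    // additionally catches a symlink inside pages/ that points outside it,
    // because realpath() returns the symlink's target.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $candidate;
}

// The content window from the thread, with the include gated by the check.
if (isset($content)) {
    echo $content;
}
if (isset($_GET['f2inc'])) {
    $file = resolve_content_file(__DIR__ . '/pages', (string) $_GET['f2inc']);
    if ($file === null) {
        echo 'No such page.';
    } else {
        include $file;
    }
}
?>
```

The order of checks matters: rejecting the string up front means realpath() is never asked to resolve attacker-shaped input, and the prefix comparison on the resolved path is what makes "somewhere in this path" hold even when a symlink in the allowed directory points elsewhere. A request such as ?f2inc=../config.php fails the pattern, ?f2inc=http://example.com/x.php fails it too, and a name that passes but does not exist is rejected by realpath() returning false.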
hob_goblin
Forum Regular

Post by hob_goblin »

Heh, you make me feel so stupid. I've only used file_exists() to prompt a script to overwrite or rename a file; I never read that much into it. :oops: