yungbloodreborn Posted September 7, 2006
I know it's insecure to read a file based on a user input. But what about something like this? Is this secure enough to trust? I think my server is also using open_base.
[code]include 'dir/'.$_GET['msg'].'.php';[/code]
ober Posted September 7, 2006
You're just asking for trouble by including user-submitted content like that. No matter how you do it.
shoz Posted September 7, 2006
[quote author=yungbloodreborn link=topic=107232.msg429907#msg429907 date=1157639406]I know it's insecure to read a file based on a user input. But what about something like this? Is this secure enough to trust? I think my server is also using open_base.
[code]include 'dir/'.$_GET['msg'].'.php';[/code][/quote]
It's not secure. As ober said, you shouldn't be using raw user input in an include. You can use a method similar to the one posted here: http://www.phpfreaks.com/forums/index.php/topic,95407.msg382014.html#msg382014
yungbloodreborn Posted September 7, 2006 (Author)
To give a better idea what I'm trying to do, I'm creating a message board. The files in the dir I'm reading from are numbered 1 through $count, i.e. 1.php, 2.php, 3.php, etc. Each one is a message. Is there an easy way to make sure that $_GET['msg'] is a number between 1 and $count so I can be sure they aren't passing anything they shouldn't?
shoz Posted September 7, 2006
The following makes the value in $msg_id assigned from $_GET['msg'] an int regardless of what was input. [url=http://www.php.net/manual/en/language.types.type-juggling.php#language.types.typecasting]type casting[/url]
[code]<?php
$count = 10;
$msg_id = isset($_GET['msg']) ? (int)$_GET['msg'] : 0;
if (($msg_id >= 1) && ($msg_id <= $count)) {
    print "msg id $msg_id is valid";
} else {
    print 'not valid';
}
?>[/code]
You can use [url=http://php.net/preg_match]preg_match()[/url] or [url=http://www.php.net/manual/en/function.ctype-digit.php]ctype_digit()[/url] if you'd like to make sure that only digits were in the "msg" number sent originally.
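The digit check and range check shoz describes, written out as an added example (not code from the thread), and carried one step further with a realpath() containment check on the resulting file. The function names, the sample inputs and the message directory `dir/` are assumptions for illustration.

```php
<?php
// Added example: validate the "msg" parameter before it is used to locate
// a message file. Assumes messages live in ./dir/1.php .. ./dir/$count.php
// (the layout described in the thread); function names are illustrative.

/**
 * Return the validated message id, or null if the raw input is not acceptable.
 * ctype_digit() is stricter than an (int) cast: "1abc" casts to 1 but is
 * rejected here, and so is anything that is not a plain string of digits.
 */
function valid_msg_id($raw, int $count): ?int
{
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        return null;            // missing, non-string (e.g. msg[]=1), or non-digit
    }
    if (strlen($raw) > 9) {
        return null;            // no overflow tricks with very long digit strings
    }
    $id = (int) $raw;
    if ($id < 1 || $id > $count) {
        return null;            // out of range: no such message
    }
    return $id;
}

/**
 * Build the path for a validated id and confirm with realpath() that the
 * resolved file really sits inside the message directory.
 */
function message_path(int $id, string $dir): ?string
{
    $base = realpath($dir);
    $path = realpath($dir . '/' . $id . '.php');
    if ($base === false || $path === false) {
        return null;            // directory or message file does not exist
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;            // resolved outside the message directory
    }
    return $path;
}

// Constructed sample inputs: in real use the first argument is $_GET['msg'] ?? null.
$count = 10;
foreach (['3', '00003', '0', '11', '1abc', '../../etc/passwd', ''] as $input) {
    $id = valid_msg_id($input, $count);
    printf("%-20s => %s\n", var_export($input, true), $id === null ? 'rejected' : "msg id $id");
}
```

Only an id that passed valid_msg_id() should reach message_path(), and only the path that function returns should be handed to include.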