yungbloodreborn

PHP security question.

I know it's insecure to read a file based on a user input. But what about something like this?
Is this secure enough to trust?  I think my server is also using open_base.
[code]include 'dir/'.$_GET['msg'].'.php';[/code]

You're just asking for trouble by including user-submitted content like that.  No matter how you do it.

[quote author=yungbloodreborn link=topic=107232.msg429907#msg429907 date=1157639406]
I know it's insecure to read a file based on a user input. But what about something like this?
Is this secure enough to trust?  I think my server is also using open_base.
[code]include 'dir/'.$_GET['msg'].'.php';[/code]
[/quote]
It's not secure. As ober said, you shouldn't be using raw user input in an include.

You can use a method similar to the one posted here.
http://www.phpfreaks.com/forums/index.php/topic,95407.msg382014.html#msg382014

To give a better idea what I'm trying to do, I'm creating a message board. The files in the dir I'm reading from are numbered 1 through $count, i.e. 1.php, 2.php, 3.php, etc... each one is a message. Is there an easy way to make sure that $_GET['msg'] is a number between 1 and $count so I can be sure they aren't passing anything they shouldn't?

The following makes the value in $msg_id assigned from $_GET['msg'] an int regardless of what was input. [url=http://www.php.net/manual/en/language.types.type-juggling.php#language.types.typecasting]type casting[/url]
[code]
<?php
$count = 10;

$msg_id = isset($_GET['msg'])? (int)$_GET['msg']: 0;

if (($msg_id >= 1) && ($msg_id <= $count))
{
    print "msg id $msg_id is valid";

}
else
{
    print 'not valid';
}

?>
[/code]

You can use [url=http://php.net/preg_match]preg_match()[/url] or [url=http://www.php.net/manual/en/function.ctype-digit.php]ctype_digit()[/url] if you'd like to make sure that only digits were in the "msg" number sent originally.

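As an added example (not code from the thread or its posters), here is a PHP 7 version of the check in the last reply that runs the (int) cast and ctype_digit() side by side on the same constructed inputs, and adds a realpath() check so the resolved file must sit directly inside the message directory before it could ever reach include(). The names validate_msg_id and resolve_msg_file and the dir/<id>.php layout are assumptions.

```php
<?php
// Added example (not from the thread): validating a message id before it
// reaches include(). Shows how the (int) cast and ctype_digit() treat the
// same inputs differently, and adds a realpath() check as a second guard.

// Returns the validated id, or null if the input is rejected.
function validate_msg_id($raw, int $count, bool $strict): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    // Strict mode: only ASCII digits are accepted, so "3abc", " 3" and
    // "../5" are all rejected before any cast happens.
    if ($strict && !ctype_digit($raw)) {
        return null;
    }
    // Lenient mode (the cast from the thread): "3abc" becomes 3, "../5"
    // becomes 0. Anything outside 1..$count is rejected either way.
    $id = (int)$raw;
    return ($id >= 1 && $id <= $count) ? $id : null;
}

// Resolves dir/<id>.php and confirms the result really lives in $dir.
// Hypothetical path layout; $dir is assumed to exist on disk.
function resolve_msg_file(string $dir, int $id): ?string
{
    $base = realpath($dir);
    $path = realpath($dir . '/' . $id . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // The file must be a direct child of the message directory.
    return (dirname($path) === $base) ? $path : null;
}

// Constructed sample inputs: the kinds of values a client might send.
$count = 10;
$samples = ['7', '3abc', ' 3', '0', '11', '../../etc/passwd', '../5'];
foreach ($samples as $raw) {
    $lenient = validate_msg_id($raw, $count, false);
    $strict  = validate_msg_id($raw, $count, true);
    printf("%-20s cast: %-7s ctype_digit: %s\n",
        var_export($raw, true),
        $lenient === null ? 'reject' : (string)$lenient,
        $strict === null ? 'reject' : (string)$strict);
}

// Only a validated id is turned into a path, and only a path that
// resolved inside the directory would be handed to include():
// $file = resolve_msg_file(__DIR__ . '/dir', 7); if ($file !== null) include $file;
```

Running it shows the difference the last reply alludes to: the cast accepts "3abc" and " 3" as 3, while ctype_digit() rejects them, and both reject the traversal strings because they cast to 0.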