
PHP security question.


4 replies to this topic

#1 yungbloodreborn
  • Members
  • Advanced Member
  • 45 posts
  • Location: California

Posted 07 September 2006 - 02:30 PM

I know it's insecure to read a file based on a user input. But what about something like this?
Is this secure enough to trust?  I think my server is also using open_base.

include 'dir/'.$_GET['msg'].'.php';


#2 ober
  • Staff Alumni
  • Advanced Member
  • 5,337 posts
  • Location: East Coast, USA

Posted 07 September 2006 - 02:32 PM

You're just asking for trouble by including user-submitted content like that.  No matter how you do it.

Info: PHP Manual


#3 shoz
  • Staff Alumni
  • Advanced Member
  • 600 posts

Posted 07 September 2006 - 02:58 PM

> I know it's insecure to read a file based on a user input. But what about something like this?
> Is this secure enough to trust?  I think my server is also using open_base.
>
> include 'dir/'.$_GET['msg'].'.php';

It's not secure. As ober said, you shouldn't be using raw user input in an include.

You can use a method similar to the one posted here.
http://www.phpfreaks....html#msg382014



#4 yungbloodreborn
  • Members
  • Advanced Member
  • 45 posts
  • Location: California

Posted 07 September 2006 - 07:58 PM

To give a better idea what I'm trying to do, I'm creating a message board. The files in the dir I'm reading from are numbered 1 through $count.  i.e. 1.php, 2.php, 3.php, etc...each one is a message. Is there an easy way to make sure that $_GET['msg'] is a number between 1 and $count so I can be sure they aren't passing anything they shouldn't?

#5 shoz
  • Staff Alumni
  • Advanced Member
  • 600 posts

Posted 07 September 2006 - 09:01 PM

The following makes the value in $msg_id assigned from $_GET['msg'] an int regardless of what was input (type casting).

<?php
$count = 10; // number of message files: 1.php .. 10.php

// the (int) cast turns any input into an integer; non-numeric strings become 0
$msg_id = isset($_GET['msg']) ? (int)$_GET['msg'] : 0;

// accept only ids within the range of existing messages
if (($msg_id >= 1) && ($msg_id <= $count))
{
    print "msg id $msg_id is valid";
}
else
{
    print 'not valid';
}
?>

You can use preg_match() or ctype_digit() if you'd like to make sure that only digits were in the "msg" number sent originally.
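Putting the thread's advice together (the range check from post #5 plus the ctype_digit() check it mentions, applied to the include from post #1 and the numbered-message layout described in post #4), here is an added example of a validated include. It is not code from the thread; the directory constant, the $count value and the sample inputs are constructed for illustration:

```php
<?php
// Added example (not from the thread): validate the "msg" parameter before it
// is used to choose which message file to include.
declare(strict_types=1);

// Assumed location of the numbered message files 1.php, 2.php, ...
const MSG_DIR = __DIR__ . '/dir';

/**
 * Returns the message id as an int if $raw is an all-digit string whose
 * value lies in 1..$count; otherwise returns null.
 */
function validMessageId(?string $raw, int $count): ?int
{
    // ctype_digit() accepts only the characters "0".."9", so "", "+3", "3.0",
    // " 3" and "3abc" are all rejected here. (preg_match('/^[1-9]\d*$/', $raw)
    // would additionally reject leading zeros such as "03".)
    if ($raw === null || !ctype_digit($raw)) {
        return null;
    }
    // A very long digit string would overflow int when cast; cap the length first.
    if (strlen($raw) > 9) {
        return null;
    }
    $id = (int)$raw;
    // Only ids of messages that actually exist are accepted.
    return ($id >= 1 && $id <= $count) ? $id : null;
}

/**
 * Includes message $raw if it validates; returns false without including
 * anything otherwise. Only an integer ever reaches the path string.
 */
function includeMessage(?string $raw, int $count): bool
{
    $id = validMessageId($raw, $count);
    if ($id === null) {
        return false;
    }
    $path = MSG_DIR . '/' . $id . '.php';
    if (!is_file($path)) {
        return false;
    }
    include $path;
    return true;
}

// Constructed sample inputs and what the validator does with them ($count = 10).
$count = 10;
foreach (['3', '10', '0', '11', '03', '3abc', '-1', '../x', ''] as $input) {
    $id = validMessageId($input, $count);
    printf("%-8s => %s\n", var_export($input, true), $id === null ? 'rejected' : "msg $id");
}
// In the real page: includeMessage($_GET['msg'] ?? null, $count);
```

With $count = 10 the loop accepts "3", "10" and "03" (as message 3) and rejects everything else, because the include path is built from the validated integer rather than from the raw request value.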



