Jump to content

Recommended Posts

[quote author=yungbloodreborn link=topic=107232.msg429907#msg429907 date=1157639406]
I know it's insecure to read a file based on a user input. But what about something like this?
Is this secure enough to trust?  I think my server is also using open_base.
[code]include 'dir/'.$_get['msg'].'.php';[/code]
[/quote]
It's not secure. As ober said, you shouldn't be using raw user input in an include.

You can use a method similar to the one posted here.
http://www.phpfreaks.com/forums/index.php/topic,95407.msg382014.html#msg382014

Link to comment
https://forums.phpfreaks.com/topic/20014-php-security-question/#findComment-87790
Share on other sites

To give a better idea what I'm trying to do, I'm creating a message board. The files in the dir I'm reading from are numbered 1 through $count.  i.e. 1.php, 2.php, 3.php, etc...each one is a message. Is there an easy way to make sure that $_GET['msg'] is a number between 1 and $count so I can be sure they aren't passing anything they shouldn't?
Link to comment
https://forums.phpfreaks.com/topic/20014-php-security-question/#findComment-87951
Share on other sites

The following makes the value in $msg_id assigned from $_GET[msg'] an int regardless of what was input. [url=http://www.php.net/manual/en/language.types.type-juggling.php#language.types.typecasting]type casting[/url]
[code]
<?php
$count = 10;

$msg_id = isset($_GET['msg'])? (int)$_GET['msg']: 0;

if (($msg_id >= 1) && ($msg_id <= $count))
{
    print "msg id $msg_id is valid";

}
else
{
    print 'not valid';
}

?>
[/code]

You can use [url=http://php.net/preg_match]preg_match()[/url] or [url=http://www.php.net/manual/en/function.ctype-digit.php]ctype_digit()[/url] if you'd like to make sure that only digits were in the "msg" number sent originally.
Link to comment
https://forums.phpfreaks.com/topic/20014-php-security-question/#findComment-87992
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.