Re: fopen/fpassthur

Sebastian wrote:
> Q> I hope you have some good data validation going on too :)
>
> I am not too sure about how secure it is. Basically, the files are called
> by an ID, e.g. download?type=file&id=3
>
> So I query the db to check if it's a valid id and get the filename from
> the db as well. If it's not found it errors out. I was under the impression
> that it is more secure to get files by an id from the db than doing
> something like download?file=filename.zip
>
> I am worried about security as I am not even sure if this method would
> allow people to download any file from the server. Maybe if you have time
> you can look at the script for me and find any flaws ;)

If you mean any of the potential downloads, you've got big problems. :-)

What's to stop somebody from trying &id=4 and &id=5 and so on and getting
*ALL* the files?

If you mean they could download *any* file, even the ones you're not
trying to let somebody download, it would be more efficient to see the
script itself to point out flaws, rather than just surfing to the site and
trying to break it.  Though that can be instructive too, especially if you
have acquired the same sort of tools your average script kiddie uses to
try to break in and steal stuff.

-- 
Like Music?
http://l-i-e.com/artists.htm
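As an added example (not code from either poster), this is the check the reply is getting at: looking the id up in the database only proves the row exists, so the query also has to tie the file to the logged-in user, and the file must be sent from a directory the web server does not expose. The `downloads` table and its columns, the `$_SESSION['user_id']` key, the storage path and the PDO DSN are all assumptions.

```php
<?php
// Added example: download handler that checks the id AND who may fetch it.
// Assumed schema: downloads(id, owner_id, stored_name, client_name);
// assumed $_SESSION['user_id'] is set by the login code.
declare(strict_types=1);
session_start();
const STORAGE_DIR = '/var/app/uploads'; // assumed path, outside the web root

function fetch_authorized_file(PDO $db, int $id, int $user_id): ?array
{
    // An existence check alone is the weak version: anyone can walk id=4, id=5, ...
    // The owner_id condition is what turns "valid id" into "id this user may read".
    $stmt = $db->prepare(
        'SELECT stored_name, client_name FROM downloads WHERE id = :id AND owner_id = :uid'
    );
    $stmt->execute([':id' => $id, ':uid' => $user_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function send_file(array $row): void
{
    // basename() drops any directory part, so a bad stored_name cannot leave STORAGE_DIR.
    $path = STORAGE_DIR . '/' . basename($row['stored_name']);
    if (!is_file($path)) { http_response_code(404); exit; }
    // The user-visible name only goes into a header, so restrict it to safe characters.
    $safe_name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['client_name']);
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safe_name . '"');
    header('Content-Length: ' . filesize($path));
    $fp = fopen($path, 'rb');
    fpassthru($fp);
    fclose($fp);
}

if (empty($_SESSION['user_id'])) { http_response_code(401); exit; }
// FILTER_VALIDATE_INT gives false for garbage and null when id is absent.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) { http_response_code(400); exit; }

$db = new PDO('sqlite:/var/app/app.db'); // assumed DSN
$row = fetch_authorized_file($db, $id, (int) $_SESSION['user_id']);
// Same 404 for "no such id" and "not your file", so probing ids reveals nothing.
if ($row === null) { http_response_code(404); exit; }
send_file($row);
```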

-- 
PHP General Mailing List (http://www.php.net/)