Is there some other reasonably safe way to call the script outside
the web folder?
Or, is there some other secure method to get the server name?
As an alternative:
I tried using a relative path FROM the PHP script location TO the
fono.inc script location outside the web folder:
$mypath = realpath ("../../../../../includes/fono.inc");
require_once($mypath);
Although using this path worked within my FTP program, it did not
work in the PHP script :(
I get the error:
Fatal error: main(): Failed opening required ''
(include_path='.:/usr/local/lib/php') in
/home/www/siren/siren/fonovisa/Library/php/genericTestv4.php on line 6
Many thanks, Chris :)
g
On Aug 25, 2005, at 6:44 PM, Chris Shiflett wrote:
Graham Anderson wrote:
Is the below reasonably safe?
I have all of my main functions outside the web folder.
I am including this function with every PHP script that
accesses fonovisa.inc:
function getBrain()
{
$temp = explode('.', $_SERVER['SERVER_NAME']);
Because $_SERVER['SERVER_NAME'] can be manipulated by the user in some
cases, you must consider $temp tainted at this point.
$size = count($temp);
$server = $temp[$size -2];
Now $server is tainted.
$brainPath = "/home/".$server."/includes/fonovisa.inc";
Therefore, this is a security vulnerability.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
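As an added example (the editor's, not code from either post), here is the getBrain() pattern Chris flagged beside two ways of locating an include outside the web root that do not depend on request data; the comments also cover why a relative realpath() call can come back as '' as in the error above. The host names, directory layout, function names and $_SERVER arrays are constructed for illustration.

```php
<?php
// Added example by the editor, not code from either post. It puts the
// getBrain() pattern Chris flagged beside two ways of locating an include
// outside the web root that do not depend on request data. The host names,
// directory layout and $_SERVER arrays are constructed for illustration.

// The flagged pattern, as posted: the path is built from SERVER_NAME. When
// Apache runs with UseCanonicalName Off, SERVER_NAME is copied from the
// client's Host header, so the client chooses the second-to-last label and
// with it the directory under /home that gets included.
function getBrainTainted(array $server)
{
    $temp  = explode('.', $server['SERVER_NAME']);
    $size  = count($temp);
    $label = $temp[$size - 2];                           // tainted
    return "/home/" . $label . "/includes/fonovisa.inc"; // tainted
}

// Option 1: anchor on the script's own location. dirname(__FILE__)
// (__DIR__ from PHP 5.3) is fixed when the file is deployed and ignores the
// request entirely. A bare relative path, by contrast, is resolved against
// the current working directory, which is not guaranteed to be the script's
// directory (CLI runs, or this file being included from elsewhere), and
// realpath() returns FALSE for a path that does not exist; require_once(false)
// is what produces "Failed opening required ''".
function getBrainFromScriptDir($includeDir = null)
{
    if ($includeDir === null) {
        // Hypothetical layout: <site>/Library/php/<this script> with the
        // includes kept in <site>/../includes, outside the document root.
        $includeDir = dirname(__FILE__) . '/../../../includes';
    }
    $path = realpath($includeDir . '/fonovisa.inc');
    if ($path === false) {
        throw new RuntimeException("fonovisa.inc not found under $includeDir");
    }
    return $path;
}

// Option 2: if one code base really serves several customers from
// /home/<customer>/, map the host to a directory with a fixed allowlist and
// use the allowlist's value, never the request's. An unknown host is an
// error, not a path.
function getBrainAllowlisted(array $server, array $hostToDir)
{
    $host = isset($server['SERVER_NAME']) ? strtolower($server['SERVER_NAME']) : '';
    if (!isset($hostToDir[$host])) {
        throw new RuntimeException("unknown host: $host");
    }
    $base = realpath('/home/' . $hostToDir[$host] . '/includes');
    $path = ($base === false) ? false : realpath($base . '/fonovisa.inc');
    // realpath() collapses symlinks and '..'; insist the result still lies
    // inside the directory we meant before handing it to require_once().
    if ($path === false || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        throw new RuntimeException("fonovisa.inc not found under the allowed directory for $host");
    }
    return $path;
}

// Constructed requests: a legitimate one and one with an attacker-chosen Host.
$legit   = array('SERVER_NAME' => 'www.siren.example');
$hostile = array('SERVER_NAME' => 'www.otheruser.example');
$allow   = array('www.siren.example' => 'siren');

echo "tainted, legit:   ", getBrainTainted($legit),   "\n";
echo "tainted, hostile: ", getBrainTainted($hostile), "\n";
try {
    echo "allowlisted, hostile: ", getBrainAllowlisted($hostile, $allow), "\n";
} catch (RuntimeException $e) {
    echo "allowlisted, hostile: rejected (", $e->getMessage(), ")\n";
}
```

Run from the command line, the tainted function returns /home/siren/includes/fonovisa.inc for the first array and /home/otheruser/includes/fonovisa.inc for the second, which is the point Chris made: the request, not the deployment, decides which file gets required. The allowlisted version rejects the second host, and the dirname(__FILE__) version never consults the host at all. Whichever you use, check the realpath() result for FALSE before passing it to require_once(), since that is the silent failure behind the empty path in the error message.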