Re: prevent user from getting scripts outside the web folder [this better?]

Ben wrote:

> Graham Anderson said the following on 10/13/05 15:31:
>> Is this a bit better ?
>> As directed, I 'sanitized' all user input variables with trim and
>> mysql_real_escape_string.
>> 
>> thanks for everyone's patience as I am starting at ground zero
>> concerning security.
>> 
>> 
>> if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
>> {
>>     // decrypt and sanitize variables
>>     $cmd = isset($_REQUEST['cmd']) ? cleanser(decrypt($_REQUEST['cmd'])) : $cmd="null";
>>     $path = isset($_REQUEST['path']) ? cleanser(decrypt($_REQUEST['path'])) : $path="null";
>> .
>> .
>> .
>> 
>> the cleanser script:
>> function cleanser( $value )
>> {
>>     return mysql_real_escape_string( trim( $value ) ) ;
>> }
>> 
>> the 'decrypt' function uses MCRYPT_RIJNDAEL_256 with a $key stored
>> outside the web folder.
>> 
>> many thanks :)
> 
> My understanding is that mysql_real_escape_string will only work while
> you are connected to mysql.  Not sure if that is the case in your
> situation.

That is incorrect. mysql_real_escape_string is a PHP function, not MySQL.

Cheers
-- 
David Robley

Computer programmers do it byte by byte.

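The cleanser() quoted above escapes a value for use inside an SQL string; it does not decide whether the decrypted "path" still points inside the directory the script is meant to serve from, which is what the subject line of this thread asks about. The following is an added PHP example, not code from anyone in the thread, showing one way to confine such a parameter: a strict file-name allow-list plus a realpath() containment check. The directory, the sample file and the test inputs are constructed for the demo; the function name resolveInside is hypothetical.

```php
<?php
// Added example: confine a user-supplied "path" parameter to one directory.
// Not from the original thread; names below are chosen for the demo.

/**
 * Resolve $userPath against $root and return the canonical file name,
 * or null if the name is not a plain allowed file inside $root.
 */
function resolveInside(string $root, string $userPath): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // Keep only the last path component, so directory parts are ignored.
    $name = basename(trim($userPath));
    // Allow-list: a simple identifier ending in .php, nothing else.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $name)) {
        return null;
    }
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;          // file does not exist
    }
    // Defence in depth: the canonical path must still begin with the root.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed fixture: a scratch directory holding one permitted script.
$root = sys_get_temp_dir() . '/cmd_scripts_' . getmypid();
mkdir($root);
file_put_contents($root . '/hello.php', "<?php echo 'hello';\n");

$cases = [
    'hello.php',        // permitted
    ' hello.php ',      // trim() removes stray whitespace
    '../outside.php',   // directory component is discarded; no such file here
    'hello.php/..',     // basename is "..", rejected by the allow-list
    'missing.php',      // well-formed name but not present
];
foreach ($cases as $input) {
    $result = resolveInside($root, $input);
    printf("%-18s => %s\n", var_export($input, true), $result ?? 'rejected');
}

unlink($root . '/hello.php');
rmdir($root);
```

Only the first two inputs resolve to the scratch hello.php; every other case is rejected before any include() or require() would see it.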
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

