Re: Comparing strings... need advice. :)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, 2006-08-28 at 16:28 -0700, Micky Hulse wrote:
> Wow, thanks for all the great information folks (Stut, Ivo, Rob, and David.)
> 
> I really appreciate all of the top-notch advice and expert information. :D
> 
> Looks like I have a lot to think about...
> 
> Currently, I hard-code the paths to the folders that house the files I 
> want my CMS to edit (via a config file.) The script then iterates 
> through the directory and adds all files of a specific type to a 
> dropdown menu. The user can then choose one of the files to edit and 
> load that file into a textarea... After changes are made, the 
> content/code gets saved back to the same file/location.
> 
> I do have an uploads folder, but it is in a different location on the 
> server. I do not allow the user to create new files (I would have to do 
> that manually)... it is a /very/ basic CMS.
> 
> Anyway, looks like I have some great info to work with. Thanks again 
> everyone for sharing your expertise.

How are these saved files then imported into the content? Are they
included or do you retrieve the contents using something like file(),
file_get_contents(), or fread() and then echo it? If you are using
include or require on a file whose contents are based on web input
content then you are opening up a can of security worms since anyone
with access tot he CMS could embed PHP code in the content and do
anything for which the webserver has permissions.

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux