On Mon, 2006-08-28 at 17:07 -0700, Micky Hulse wrote:
> Hi Robert,
>
> Robert Cummings wrote:
> > How are these saved files then imported into the content? Are they
> > included or do you retrieve the contents using something like file(),
> > file_get_contents(), or fread() and then echo it? If you are using
>
> Currently I am using readfile() (plus some other security checking) to
> display the contents of the edited files. I set up my script to only
> allow specific file types (txt, html, htm).
>
> > include or require on a file whose contents are based on web input
> > content then you are opening up a can of security worms since anyone
> > with access to the CMS could embed PHP code in the content and do
> > anything for which the webserver has permissions.
>
> Thanks for pointing that out. Now that you mention it, I should probably
> re-work my code to use a different method of page inclusion. I am pretty
> concerned about security breaches... what are your thoughts on
> readfile()? Would you suggest I use file(), file_get_contents(), or
> fread() instead?

Readfile works great, it's the same as file_get_contents() and then
issuing an echo. You may want to also store content generated by web
users outside of the web tree. There may not be any issue with how you
have things now, but imagine down the road someone using your system
enables PHP processing on .html files and then someone creates content
with PHP tags and accesses it directly from their browser... boom, same
security hole.

> Thanks for the help Robert, I really appreciate your time. :)

No problem :)

Cheers,
Rob.

-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
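The pattern Rob recommends in the reply above, as an added example that is not code from this thread or from InterJinn: CMS-edited pages are kept in a directory outside the web tree and sent to the browser with readfile(), so the PHP engine never parses them, while the name taken from the request is restricted to the txt/html/htm set Micky mentions and checked to resolve inside that directory. The directory path, the page-name pattern and the function names (resolve_content_path, serve_content) are assumptions chosen for this example.

```php
<?php
// Added example, not from the thread or from InterJinn. Serves CMS-edited
// files with readfile() rather than include()/require(), as discussed above.
// Assumption: edited files live in CONTENT_DIR, a directory that is NOT under
// the web server's DocumentRoot, so they can never be fetched or executed
// directly even if someone later enables PHP processing on .html files.
const CONTENT_DIR = '/var/cms/content';   // assumed path, outside the web tree

// Extensions the CMS allows (txt, html, htm, from the thread) and the
// Content-Type each should be sent with.
const ALLOWED_EXT = [
    'txt'  => 'text/plain',
    'html' => 'text/html',
    'htm'  => 'text/html',
];

/**
 * Map a page name from the request to a file path under CONTENT_DIR.
 * Returns null when the name is not acceptable or the file does not exist.
 */
function resolve_content_path(string $name): ?string
{
    // Accept only a plain file name: letters, digits, dash, underscore,
    // a single dot and one of the allowed extensions. This rejects "../",
    // slashes, null bytes and anything else that is not a bare page name.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(txt|html|htm)\z/', $name)) {
        return null;
    }

    $base = realpath(CONTENT_DIR);
    $path = realpath(CONTENT_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;   // content directory missing, or no such file
    }

    // Defence in depth: the resolved path must still lie inside CONTENT_DIR.
    // The pattern above already blocks traversal; this also catches a
    // symlink in the content directory that points somewhere else.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return is_file($path) ? $path : null;
}

/**
 * Send the file to the browser as data. readfile() only copies bytes to
 * the output; unlike include/require it never hands the file to the PHP
 * parser, so "<?php ... ?>" written into a page by a CMS user is delivered
 * as ordinary text instead of being executed with the web server's rights.
 */
function serve_content(string $name): bool
{
    $path = resolve_content_path($name);
    if ($path === null) {
        http_response_code(404);
        return false;
    }

    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . ALLOWED_EXT[$ext] . '; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');   // stop the browser re-guessing the type
    readfile($path);
    return true;
}

// Usage: a request such as /page.php?p=about.html reaches this line.
serve_content($_GET['p'] ?? '');
```

Two points worth keeping in mind when using this. First, readfile() and file_get_contents() followed by echo are equivalent here, as Rob says; what matters is that neither one parses the file as PHP. Second, this only addresses server-side execution: a .html page an author writes is still rendered by the browser as that author wrote it, so who is allowed to edit pages in the CMS remains a separate trust decision.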