On Mon, September 25, 2006 7:52 am, Miles Thompson wrote:
> $filenam = $_REQUEST["filenam"];
> if ($filenam) {
>     $contents = file_get_contents("../above_root/" . $filenam);
>     echo $contents;
> } else {
>     echo "Not found";
> }
I certainly hope this is not ALL of the script...
Imagine, if you will, that somebody surfs to this URL:
http://example.com/above_script.php?filenam=../../../../../etc/passwd
By the rules of Linux, they've just downloaded your passwd file, which
has all your usernames in it.
That's a Bad Thing, as they then can look for an easy password in
those accounts.
Sanitize your data!
PS Not to mention that file_get_contents() will suck the ENTIRE 60Mb
file into RAM, which is exactly what the OP needs to avoid... :-)
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
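A hardened rewrite of the quoted snippet, added here as an example and not the original poster's code: it canonicalises the requested name with realpath() and refuses anything that resolves outside the base directory, then streams the file in chunks instead of loading it whole. The base directory, demo file and the three test names are constructed for the demo.

```php
<?php
// Added example, not the original poster's code: a hardened replacement for
// the quoted snippet, using a canonical-path check plus chunked streaming.
function resolve_under_base(string $base, string $name): ?string
{
    if (strpos($name, "\0") !== false) {   // NUL truncates paths in C calls
        return null;
    }
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() collapses "../" and symlinks, so a traversal attempt resolves
    // outside $baseReal (or to false when the target does not exist).
    if ($baseReal === false || $target === false) {
        return null;
    }
    if (strpos($target, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($target) ? $target : null;
}
// Stream the file in 8 KiB chunks instead of file_get_contents(), so a 60 MB
// file never sits whole in RAM. Returns the number of bytes sent.
function stream_file(string $path, int $chunk = 8192): int
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return 0;
    }
    $sent = 0;
    while (!feof($fh) && ($buf = fread($fh, $chunk)) !== false && $buf !== '') {
        echo $buf;
        $sent += strlen($buf);
    }
    fclose($fh);
    return $sent;
}
// Constructed demo: a temp base directory holding one legitimate file.
$base = sys_get_temp_dir() . '/above_root_demo_' . getmypid();
mkdir($base);
file_put_contents("$base/report.txt", "hello\n");
foreach (['report.txt', '../../../../../etc/passwd', "report.txt\0.jpg"] as $filenam) {
    $path = resolve_under_base($base, $filenam);
    if ($path === null) {
        echo "Not found\n";   // traversal and NUL-byte names land here
    } else {
        stream_file($path);   // prints "hello"
    }
}
unlink("$base/report.txt");
rmdir($base);
```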