On Tue, 5 May 2015 17:49:06 -0700, Jeffry Killen wrote:
> On May 5, 2015, at 3:17 PM, Christoph Becker wrote:
>> Jeffry Killen wrote:
<-snip->
>>> $_ret = $_alt->open(getcwd().'/'.$_GET['newArchAlt'],
>>> ZipArchive::CREATE);
>>
>> Never ever use an unvalidated and unsanitized GET parameter to construct
>> a filename. That could be easily exploited (e.g. newArchAlt=../foo).
>
> Yes, I know, thanks. This is a localhost dev environment and the only
> user who has any access is me. In a production context I wouldn't use
> GET, I would use POST and sanitize for sure. This is also part of a CMS
> system that I am cooking up and it is intended to be restricted to
> registered admin users.

Until sometime in the future that piece of "working code" is cut out and
reused (pasted) in a different application.

Jonesy
--
Marvin L Jones | Marvin | W3DHJ | linux
38.238N 104.547W | @ jonz.net | Jonesy | OS/2
* Killfiling google & XXXXbanter.com: jonz.net/ng.htm

--
PHP General Mailing List (http://www.php.net/)
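
One way to validate the name before it reaches ZipArchive::open, as an added example that is not code from the thread. The helper safeArchivePath() and the sample inputs are hypothetical, and it assumes archives live directly in one base directory and that PHP's zip extension is loaded.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): turn a request-supplied archive
// name into a path that sits directly inside $baseDir, or throw.
function safeArchivePath(string $baseDir, string $name): string
{
    // Allow-list: a single file name, no separators, no NUL, must end in .zip.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\.zip\z/', $name)) {
        throw new InvalidArgumentException('archive name rejected');
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('base directory missing');
    }
    $path = $base . DIRECTORY_SEPARATOR . $name;
    // An existing entry could be a symlink that points outside the base directory.
    if (is_link($path)) {
        throw new RuntimeException('refusing to follow symlink');
    }
    return $path;
}

// Constructed sample inputs; in the thread the value came from $_GET['newArchAlt'].
// The same check applies to POST data: the HTTP method does not make a value trusted.
$baseDir = sys_get_temp_dir();
$samples = ['backup.zip', '../foo', '/tmp/other.zip', "a.zip\0.txt", 'sub/dir.zip'];
foreach ($samples as $candidate) {
    $shown = json_encode($candidate, JSON_UNESCAPED_SLASHES);
    try {
        $path = safeArchivePath($baseDir, $candidate);
        $zip = new ZipArchive();
        $ret = $zip->open($path, ZipArchive::CREATE);
        if ($ret !== true) {
            throw new RuntimeException("ZipArchive::open failed with code $ret");
        }
        // Add one entry so that close() actually writes the archive to disk.
        $zip->addFromString('readme.txt', 'constructed sample entry');
        $zip->close();
        printf("%-20s accepted -> %s\n", $shown, $path);
        unlink($path); // clean up the demo file
    } catch (Throwable $e) {
        printf("%-20s rejected: %s\n", $shown, $e->getMessage());
    }
}
```

Keeping the check in one function next to the open() call means it travels with the code if the snippet is later pasted into another application.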