NYCPHP Meetup

[nycphp-talk] Bullet proofing "rmdir" command

Jeff jsiegel1 at optonline.net
Tue Aug 12 12:00:48 EDT 2003


Dan,

The subdirectory only gets deleted when a user clicks on the "Delete"
link. The code handles the rest. At no time does the user know the name
of the image subdirectory. All they know is that they are deleting a
record. And as an added safety precaution, though I'm using $_GET to
pass values around (like record ID numbers), the url says something like
"http://mydomain.com/mypage.php?code=YToxOntzOjU6IkRMX0lEIjtzOjM6IjEzNCI7fQ==",
with the latter being base 64 encoded and serialized.

Jeff



-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Analysis & Solutions
Sent: Tuesday, August 12, 2003 10:39 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Bullet proofing "rmdir" command


Hey Jeff:

On Tue, Aug 12, 2003 at 11:30:17AM -0400, Jeff wrote:

> At no time does the user touch the subdir name (that is...it is not
> editable).

Good.

So, when you're allowing users to delete directories, what is the input
they're providing?  The name of a subdirectory under the hash-named
dir, which is itself a subdirectory of your graphics directory?  If so,
great.  Then, as mentioned before, all you need to do is check that the user
input contains only letters and numbers.

Enjoy,

--Dan

... snip ...

-- 
     FREE scripts that make web and database programming easier
           http://www.analysisandsolutions.com/software/
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7th Ave #4AJ, Brooklyn NY    v: 718-854-0335   f: 718-854-0409
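One way to apply Dan's letters-and-numbers check before calling rmdir(), as an added example that is not code from this thread; the graphics root path and the subdirectory names are constructed for illustration, and the subdirectory name is assumed to come from the database record (as Jeff describes), not from the user directly:

```php
<?php
// Added example (not from the thread). Whitelist-validate a record's image
// subdirectory name and confirm the resolved path stays under the graphics
// root before calling rmdir(). GRAPHICS_ROOT is an assumed/constructed path.

const GRAPHICS_ROOT = '/var/www/graphics';

function safe_rmdir_subdir(string $root, string $subdir): bool
{
    // 1. Whitelist, as Dan suggests: only letters and digits. This rejects
    //    '.', '..', '/', '\', NUL bytes and anything else that could leave $root.
    if (!preg_match('/\A[A-Za-z0-9]{1,64}\z/', $subdir)) {
        return false;
    }

    // 2. Defence in depth: resolve both paths and confirm the target really
    //    sits inside $root (realpath() collapses symlinks and '..').
    $rootReal = realpath($root);
    $target   = realpath($root . DIRECTORY_SEPARATOR . $subdir);
    if ($rootReal === false || $target === false) {
        return false;
    }
    if (strpos($target, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    // 3. Only remove a plain, empty directory. rmdir() refuses non-empty
    //    directories, so nothing is ever removed recursively by accident.
    if (is_link($target) || !is_dir($target)) {
        return false;
    }
    return rmdir($target);
}

// Constructed calls: the first is rejected by the whitelist before any
// filesystem access; the second only succeeds if that empty directory exists.
safe_rmdir_subdir(GRAPHICS_ROOT, '../etc');
safe_rmdir_subdir(GRAPHICS_ROOT, 'a1b2c3');
```

Logging the rejected name alongside the record ID makes a failed whitelist check easy to spot in the web server's application log.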