[nycphp-talk] Bullet proofing "rmdir" command
jsiegel1 at optonline.net
Tue Aug 12 12:00:48 EDT 2003
The subdirectory only gets deleted when a user clicks on the "Delete"
link. The code handles the rest. At no time does the user know the name
of the image subdirectory. All they know is that they are deleting a
record. And as an added safety precaution, though I'm using $_GET to
pass values around (like record ID numbers), the URL says something like
7fQ== with the latter being base64 encoded and serialized.
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Analysis & Solutions
Sent: Tuesday, August 12, 2003 10:39 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Bullet proofing "rmdir" command
On Tue, Aug 12, 2003 at 11:30:17AM -0400, Jeff wrote:
> At no time does the user touch the subdir name (that is...it is not
So, when you're allowing users to delete directories, what is the input
they're providing? The name of a subdirectory under the hash-named
dir, which is itself a subdirectory of your graphics directory? If so,
great. Then, as mentioned before, all you need to do is check the user
input contains only letters and numbers.
... snip ...
FREE scripts that make web and database programming easier
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
4015 7th Ave #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409
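
The check recommended in the message above (letters and numbers only), followed by a resolved-path containment test before rmdir, as an added example that is not part of the original thread. The function name safe_remove_subdir() and the demo directory names are hypothetical.

```php
<?php
// Added example, not code from the thread. safe_remove_subdir() and the
// demo directory names are hypothetical.

// Delete one image subdirectory of $baseDir. Returns false and deletes
// nothing unless $name is a letters-and-digits name of a direct child.
function safe_remove_subdir(string $baseDir, string $name): bool
{
    // Allowlist: letters and digits only. Rejects "", "..", slashes,
    // backslashes and NUL bytes. \A and \z also refuse a trailing newline.
    if (preg_match('/\A[A-Za-z0-9]+\z/', $name) !== 1) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    // A symlink with a valid-looking name could point outside $base.
    if (is_link($candidate) || !is_dir($candidate)) {
        return false;
    }
    // The resolved path must still be a direct child of $base.
    $target = realpath($candidate);
    if ($target === false || dirname($target) !== $base) {
        return false;
    }
    // rmdir() only removes empty directories, so remove the files first.
    foreach (scandir($target) ?: [] as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $target . DIRECTORY_SEPARATOR . $entry;
        // Nested directories are unexpected here: stop instead of recursing.
        if ((is_dir($path) && !is_link($path)) || !unlink($path)) {
            return false;
        }
    }
    return rmdir($target);
}

// Constructed demo data in a throwaway temp directory.
$base = sys_get_temp_dir() . '/gfx_demo_' . bin2hex(random_bytes(4));
mkdir("$base/a1b2c3", 0700, true);
touch("$base/a1b2c3/photo.jpg");
var_dump(safe_remove_subdir($base, '../a1b2c3')); // path traversal attempt
var_dump(safe_remove_subdir($base, 'a1b2c3'));    // well-formed name
rmdir($base);
```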