[nycphp-talk] Retrieving remote files-- caution
Chris Snyder
csnyder at chxo.com
Sun Sep 7 00:13:38 EDT 2003
Learned a lesson tonight...
If you're going to use file_get_contents() (or any function with fopen
wrappers) to allow users to import a file from some other website,
always check to make sure that the supplied url starts with "http://"
and not, say, "/etc".
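
    function url_get_contents ( $url ) {
        // parse_url() returns false for badly malformed URLs, and no 'scheme'
        // key at all for a bare path such as "/etc"
        $array = parse_url($url);
        $scheme = ( is_array($array) && isset($array['scheme']) ) ? strtolower($array['scheme']) : '';
        if ( $scheme=='http' || $scheme=='ftp' ) {
            return file_get_contents($url);
        } else {
            // not a remote url: refuse rather than read a local file
            return 0;
        }
    }
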
I used to always use fsockopen for this, but file_get_contents seemed so
easy by comparison -- except for the part where it was really built to
handle local files. Doh!
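
An added example, not part of the original post: it generalizes the scheme check above into a validator that also requires a host and bounds the fetch, then runs the check over constructed inputs. The names `ALLOWED_SCHEMES`, `remote_url_problem` and `fetch_remote`, the inclusion of `https`, the 10 second timeout and the 1 MiB cap are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post.
// Allowlist of schemes; anything else (or no scheme at all) is refused
// before the string can reach an fopen wrapper.
const ALLOWED_SCHEMES = ['http', 'https', 'ftp'];

/** Returns null if $url may be fetched, otherwise the reason it was refused. */
function remote_url_problem($url)
{
    if (!is_string($url) || $url === '') {
        return 'empty or non-string input';
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return 'unparseable URL';
    }
    if (!isset($parts['scheme'])) {
        return 'no scheme: would be opened as a local path';
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return 'scheme not allowed: ' . $parts['scheme'];
    }
    if (empty($parts['host'])) {
        return 'no host';
    }
    return null;
}

/** Fetches $url only if it passes the check; returns false otherwise. */
function fetch_remote($url, $maxBytes = 1048576)
{
    if (remote_url_problem($url) !== null) {
        return false;
    }
    // Bound http/https requests: no redirect following, 10 s timeout; cap the size read.
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 10]]);
    return file_get_contents($url, false, $ctx, 0, $maxBytes);
}

// Constructed sample inputs; only the check runs, so no network is needed.
$samples = ['http://example.com/feed.xml', 'HTTP://example.com/feed.xml',
            'ftp://example.com/pub/file.txt', '/etc/passwd',
            'file:///etc/passwd', 'http:/etc/passwd', ''];
foreach ($samples as $s) {
    $why = remote_url_problem($s);
    printf("%-34s %s\n", var_export($s, true), $why === null ? 'ok' : "refused ($why)");
}
```

The first three samples pass; the bare path, the `file://` URL, the host-less `http:/etc/passwd` and the empty string are refused with a reason that can be logged.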