[nycphp-talk] FILE()

csnyder chsnyder at
Wed Oct 25 13:59:10 EDT 2006

On 10/25/06, Néstor <rotsen at> wrote:

> I can tell you that this is not user input but I was printing
> variable to try to debug the problem.

HTTP_REFERER is considered user input, becuase it is built from HTTP
headers. Just make sure you implicitly trust anybody who is able to
execute the script. One could send a referrer that looks like
"file:///etc/passwd" or something.

There's no reason that $lines = file( $from ) wouldn't work, provided
$from is actually set. So either this is a PHP bug, which is
_extremely_ unlikely, or you have a typo somewhere in your code. Are
you sure you didn't set $form? Are you sure that the referrer is being
sent? Are you checking for an error raised by the file() call?

Chris Snyder

More information about the talk mailing list