chsnyder at gmail.com
Wed Oct 25 13:59:10 EDT 2006
On 10/25/06, Néstor <rotsen at gmail.com> wrote:
> I can tell you that this is not user input but I was printing
> variable to try to debug the problem.
HTTP_REFERER is considered user input, because it is built from HTTP
headers. Just make sure you implicitly trust anybody who is able to
execute the script. One could send a referrer that looks like
"file:///etc/passwd" or something.
There's no reason that $lines = file( $from ) wouldn't work, provided
$from is actually set. So either this is a PHP bug, which is
_extremely_ unlikely, or you have a typo somewhere in your code. Are
you sure you didn't set $form? Are you sure that the referrer is being
sent? Are you checking for an error raised by the file() call?
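
The checks raised in the message above, as an added example that is not part of the original post or the poster's code: it treats HTTP_REFERER as untrusted input, restricts it to an allowlisted scheme and host before calling file(), and checks file() for failure. It assumes $from is taken from HTTP_REFERER; ALLOWED_HOSTS, read_referrer_lines() and the sample referrers are hypothetical.

```php
<?php
// Added example, not code from the thread.
// ALLOWED_HOSTS and read_referrer_lines() are hypothetical names.
const ALLOWED_HOSTS = ['www.example.org'];   // constructed sample value

function read_referrer_lines(array $server): array
{
    // HTTP_REFERER is copied from a request header: it may be absent or arbitrary.
    $from = $server['HTTP_REFERER'] ?? '';
    if ($from === '') {
        throw new RuntimeException('no referrer was sent');
    }

    $parts = parse_url($from);
    if ($parts === false || !isset($parts['scheme'])) {
        throw new RuntimeException('referrer is not an absolute URL');
    }
    // Only web schemes; this rejects file://, php:// and other stream wrappers.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new RuntimeException('scheme not allowed: ' . $parts['scheme']);
    }
    // Only hosts this script is meant to read from.
    if (!in_array(strtolower($parts['host'] ?? ''), ALLOWED_HOSTS, true)) {
        throw new RuntimeException('host not allowed');
    }

    // file() returns false and raises a warning on failure, so test the result.
    // Reading an http(s) URL this way requires allow_url_fopen to be enabled.
    $lines = @file($from, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        $err = error_get_last();
        throw new RuntimeException('file() failed: ' . ($err['message'] ?? 'unknown'));
    }
    return $lines;
}

// Constructed sample referrers; all three are rejected before file() is reached.
foreach (['file:///etc/passwd', '', 'http://other.example.net/x'] as $ref) {
    try {
        read_referrer_lines(['HTTP_REFERER' => $ref]);
        echo "accepted: $ref\n";
    } catch (RuntimeException $e) {
        echo "rejected '$ref': " . $e->getMessage() . "\n";
    }
}
```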