[nycphp-talk] user input (was Re: FILE() )
Marc Antony Vose
suzerain at suzerain.com
Wed Oct 25 14:34:28 EDT 2006
Just wondering about this...what kind of filter would you recommend
passing over the HTTP_REFERER in order to verify it's (reasonably)
On 25 Oct 06 at 13:59, csnyder wrote:
> On 10/25/06, Néstor <rotsen at gmail.com> wrote:
>> I can tell you that this is not user input but I was printing
>> variable to try to debug the problem.
> HTTP_REFERER is considered user input, because it is built from HTTP
> headers. Just make sure you implicitly trust anybody who is able to
> execute the script. One could send a referrer that looks like
> "file:///etc/passwd" or something.
> There's no reason that $lines = file( $from ) wouldn't work, provided
> $from is actually set. So either this is a PHP bug, which is
> _extremely_ unlikely, or you have a typo somewhere in your code. Are
> you sure you didn't set $form? Are you sure that the referrer is being
> sent? Are you checking for an error raised by the file() call?
> Chris Snyder
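One way to answer the "what kind of filter" question above, as an added example that is not code from the thread or from either poster: treat the Referer header as untrusted, accept it only when it parses as an http(s) URL whose host is on a short allowlist, rebuild the URL from the parsed pieces, and then actually check the return value of file(). The allowed hostnames are an assumption for illustration; the rest uses only standard PHP functions.

```php
<?php
// Added example, not from the original thread. Validates HTTP_REFERER before
// it reaches file(). The allowlist below is an assumption for illustration.

declare(strict_types=1);

/**
 * Return the referrer as a rebuilt http(s) URL if it points at a host we are
 * willing to read from, or null otherwise.
 */
function validated_referer(?string $referer, array $allowed_hosts): ?string
{
    if ($referer === null || $referer === '' || strlen($referer) > 2048) {
        return null;
    }
    // A legitimate Referer never contains control characters or whitespace;
    // their presence is a sign of a crafted header.
    if (preg_match('/[\x00-\x20\x7f]/', $referer)) {
        return null;
    }
    $parts = parse_url($referer);
    // parse_url('file:///etc/passwd') yields no 'host', and "php://input",
    // relative paths and similar values fail here as well.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {
        return null;
    }
    // Rebuild from the parsed pieces instead of echoing the raw header, so
    // userinfo ("user:pass@"), fragments and other oddities are dropped.
    $url = $scheme . '://' . $host;
    if (isset($parts['port'])) {
        $url .= ':' . $parts['port'];
    }
    $url .= $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $url .= '?' . $parts['query'];
    }
    return $url;
}

// Assumption: these are our own hostnames, the only ones worth fetching from.
$allowed = ['www.example.com', 'example.com'];

$from = validated_referer($_SERVER['HTTP_REFERER'] ?? null, $allowed);
if ($from === null) {
    http_response_code(400);
    exit("Missing or unacceptable Referer\n");
}

// file() returns false on failure (and raises a warning); check it rather
// than assuming $lines is an array.
$lines = @file($from);
if ($lines === false) {
    error_log("file() failed for referrer URL: $from");
    exit("Could not read referring page\n");
}
echo count($lines), " lines read\n";
```

Because the header is rebuilt from parse_url() output and the host must match the allowlist exactly, a value like "file:///etc/passwd" never reaches file(); the explicit false check on file() also surfaces the "is it even set or reachable" failures the reply above asks about instead of silently producing an empty result.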