
[nycphp-talk] user input (was Re: FILE() )

Marc Antony Vose suzerain at suzerain.com
Wed Oct 25 14:34:28 EDT 2006


Hey Chris:

Just wondering about this...what kind of filter would you recommend  
passing over the HTTP_REFERER in order to verify it's (reasonably)  
kosher?

Cheers,

Marc
http://www.suzerain.com


Le 25 oct. 06 à 13:59, csnyder a écrit :

> On 10/25/06, Néstor <rotsen at gmail.com> wrote:
>
>> I can tell you that this is not user input but I was printing
>> variable to try to debug the problem.
>
> HTTP_REFERER is considered user input, because it is built from HTTP
> headers. Just make sure you implicitly trust anybody who is able to
> execute the script. One could send a referrer that looks like
> "file:///etc/passwd" or something.
>
> There's no reason that $lines = file( $from ) wouldn't work, provided
> $from is actually set. So either this is a PHP bug, which is
> _extremely_ unlikely, or you have a typo somewhere in your code. Are
> you sure you didn't set $form? Are you sure that the referrer is being
> sent? Are you checking for an error raised by the file() call?
>
> -- 
> Chris Snyder
> http://chxo.com/
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
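An added example (not code from either poster) of the kind of filter Marc asks about: treat the referrer as untrusted input, parse it, accept only http/https URLs whose host is on an allowlist, and never feed the raw value to file(). The allowed host names and the sample headers below are constructed for illustration.

```php
<?php
// Added example, not from the original thread. Validates $_SERVER['HTTP_REFERER']
// before it is used for anything (logging, redirect checks, analytics).
// $allowedHosts is a constructed assumption; adjust to your own site.

function referer_is_acceptable(?string $referer, array $allowedHosts): bool
{
    // The header is optional and easily stripped; absence is not an error,
    // but it must not be treated as "trusted" either.
    if ($referer === null || $referer === '') {
        return false;
    }
    // Cap the length so a huge header cannot be used to bloat logs.
    if (strlen($referer) > 2048) {
        return false;
    }
    // Reject control characters (log spoofing, header-injection residue).
    if (preg_match('/[\x00-\x1F\x7F]/', $referer) === 1) {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // "file:///etc/passwd" has no host and fails here
    }
    // Only web schemes are acceptable; this also rejects file:, ftp:, data:.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Exact, case-insensitive host match against the allowlist.
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Constructed allowlist and sample header values.
$allowedHosts = ['www.example.com', 'example.com'];
$samples = [
    'http://www.example.com/page.php?x=1',      // acceptable
    'https://EXAMPLE.com/',                      // acceptable (host case-folded)
    'file:///etc/passwd',                        // rejected: no host, bad scheme
    'http://www.example.com.attacker.invalid/',  // rejected: host not on list
    "http://www.example.com/\tinjected",         // rejected: control character
    null,                                        // rejected: header missing
];

foreach ($samples as $s) {
    printf("%-45s %s\n", var_export($s, true),
        referer_is_acceptable($s, $allowedHosts) ? 'ok' : 'rejected');
}
```

Even a referrer that passes this check should only be compared or logged. Passing it to file() makes the server fetch whatever URL the client chose to send, so the original `$lines = file( $from )` pattern is best replaced by reading a local resource that the script itself selects based on the validated host.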