... with flags unfurled...

Mon, 07 Mar 2005

I've created (after some strange experiences with users in my hosting) small php patch (for version 4.3.10), which disables remote includes.This patch doesn't work with Zend Optimizer enabled unfortunately :(

Download the patch there. After applying, see php.ini-dist and readme.security

example of bad code:

<?php $page = $_GET['page']; include ($page); ?>

example of better code:

<?php // filter all unneeded characters $page = eregi_replace("[^a-z0-9_]","", $_GET['page']).".inc.php"; // test if $page exists and is file if (strlen($page) && @file_exists($page) && @is_file($page)) { require_once ($page); } ?>

Links:

http://php.net/include/

(posted at 09:41 | filed under programming/phpiing | link) (comments | add new)

<	March 2005					>
Su	Mo	Tu	We	Th	Fr	Sa
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31