> -Original Message-
> From: Fejes Jozsef [mailto:[EMAIL PROTECTED]
> Sent: 10 July 2003 12:33
>
> My method is:
> 1. check if id starts with /
> if(ereg("^\/", $id))
> goaway;
That's a rather expensive (and slightly obscure) way of performing that check. Try:
if ($id{0}=='/')
go
Hi,
> if the make script
> and then just write
> test.php?id=/etc/passwd , they see all the file.
Well, FreeBSD provides a way to jail webservers: Jails 8-)
http://www.freebsd.org/doc/en_US.ISO8859-1/books/developers-handbook/jail.html
with best regards
--
Andreas Mendyk [EMAIL PROTE
>> So how to make sure that no one can access other people files and
>> server files? and is there any way that nobody would be able to
>> download php files or how to make them look like code when they are
>> downloaded. Thanks!
I think he means "How do I keep people who have access to upload
At 13:45 10-7-03, Marek wrote:
> Add a check for php files, or any other files you don't want anybody to
> include:
> if(ereg('php[0-9]$', $id))
> goaway;
but what about '?' and '#' additions?
$id="however_they_would_find_out/your_path/file.php?extra=x#loc";
?
so maybe
if(ereg('\.php', $id)) ?
Add a check for php files, or any other files you don't want anybody to
include:
if(ereg('php[0-9]$', $id))
goaway;
Fejes Jozsef wrote:
> My method is:
> 1. check if id starts with /
> if(ereg("^\/", $id))
> goaway;
> 2. check if there is .. in it
> if(ereg("\.\.", $id))
> goaway;
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
On Thursday 10 July 2003 17:26, Mantas Kriauciunas wrote:
> my server is running freebsd 5.0
>
> and yet i havent fixed bug that i knew long time ago, so can anyone
> point me with some links or resources about it, i could not find any
> good on google, maybe i don't know how to search.
First
Exactly like I said, just check this:
$id='/etc/passwd';
if($id && eregi('^[a-z0-9_]+\.html',$id)) include($id);
else die('Go away!');
The regular expression prevents anyone from accessing any file that is
not in your web root (http://your.server.net/) or whose name contains
any other character
Mantas Kriauciunas wrote:
> The problem is
> if the make script
> and then just write
> test.php?id=/etc/passwd , they see all the file.
Check if $id is valid. The exact way depends on the structure of the files.
Example 1: All included files are in web root and are named
something.html, something can c
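The checks proposed in this thread (no leading "/", no "..", no .php name, the `^[a-z0-9_]+\.html` pattern) are each a denylist or a match anchored at one end only. The following is an added example, not code posted by anyone in the thread, showing how a fully anchored allowlist combined with a realpath() check rejects absolute paths, "..", "?", "#", NUL bytes, .php names and symlinks out of the page directory in one place; the ./pages directory and the .html naming are assumptions, and preg_match() stands in for ereg(), which was removed in PHP 7.

```php
<?php
// Added example: safer handling of test.php?id=... than chained ereg()
// denylist checks. Assumes the includable pages live in ./pages and are
// named something.html (both are assumptions for this example).
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

/**
 * Return the absolute path of the page to include, or null if $id is not
 * acceptable. An allowlist pattern plus realpath() means "/etc/passwd",
 * "..", "?", "#", NUL bytes, ".php" and symlinks escaping PAGE_DIR all
 * fail the same test.
 */
function resolvePage(string $id): ?string
{
    // 1. Allowlist the shape of the name, anchored at both ends (\A and \z,
    //    not $, which would tolerate a trailing newline). Nothing but
    //    [a-z0-9_] and the single ".html" suffix can appear, so
    //    "index.html/../../etc/passwd" and "index.html\0" are rejected here.
    if (!preg_match('/\A[a-z0-9_]{1,64}\.html\z/', $id)) {
        return null;
    }

    // 2. Canonicalise and confirm the file really lives inside PAGE_DIR.
    //    realpath() returns false for a missing file, so an unknown id
    //    never reaches include().
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $id);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Prefix check with the separator appended, so /var/www/pages_private
    // is not mistaken for a child of /var/www/pages.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the page directory (e.g. a symlink)
    }
    return $path;
}

$id   = $_GET['id'] ?? 'index.html';
$page = resolvePage($id);
if ($page === null) {
    http_response_code(400);
    die('Go away!');
}
include $page;
```

A fixed map of id => filename is simpler still when the set of pages is small and known in advance; the realpath() check above is for the case where pages are added to the directory without touching the script.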