> <?
> include $HTTP_POST_VARS['file'];
> ...
> ?>
> 
> really isn't any safer.  People won't be able to put file=/etc/passwd
> right in the URL, but they can still trivially fake up a form post and
> inject whatever value for 'file' into the POST data.
> 
> It all boils down to verifying any and all user-supplied data.
> 
> -Rasmus

totally :)

I toyed with turning off register globals in binarycloud, only to a) have
that pointed out to me, and b) realize that it would be a total hassle.

we're extremely paranoid about user input, and you have to get used to
making your code only accept _exactly_ what it is expecting with regards to
user input.

I've seen:

    file.php?message=hello&[EMAIL PROTECTED]

can you say spam-engine?

:)

_alex
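An added example (not code from the thread) of what "only accept exactly what it is expecting" looks like for both cases above: the included page comes from a fixed allowlist rather than from the request, and the mail recipient is never read from the request at all. The page names and the recipient address are made-up.

```php
<?php
// Added example, not from the original thread. File names and the
// recipient address are hypothetical.
declare(strict_types=1);

// The only pages this script is willing to include, keyed by public name.
// Whatever arrives in GET, POST or a register_globals variable is just a
// lookup key; "../x" or "/etc/passwd" simply has no entry.
const ALLOWED_PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Where contact-form mail goes. Hardcoded on purpose: a recipient taken
// from ?to=... is what turns the form into a spam engine.
const CONTACT_RECIPIENT = 'webmaster@example.com';

/** Map the user-supplied 'file' value to an allowlisted path, or null. */
function resolve_page(?string $requested): ?string
{
    if ($requested === null) {
        return ALLOWED_PAGES['home'];
    }
    return ALLOWED_PAGES[$requested] ?? null;
}

/**
 * Accept a message body only if it is plain text of sane length with no
 * CR/LF, so it cannot smuggle extra headers (Bcc:, To:) into mail().
 * Reject rather than "clean": the caller should not guess at intent.
 */
function valid_message(string $message): bool
{
    return $message !== ''
        && strlen($message) <= 4000
        && preg_match('/[\r\n\0]/', $message) !== 1;
}

$page = resolve_page($_POST['file'] ?? $_GET['file'] ?? null);
if ($page === null) {
    http_response_code(400);
    exit('unknown page');
}

$message = $_POST['message'] ?? '';
if ($page === ALLOWED_PAGES['contact'] && !valid_message($message)) {
    http_response_code(400);
    exit('invalid message');
}

include $page; // only ever a path from ALLOWED_PAGES
```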


-- 
PHP General Mailing List (http://www.php.net/)