Is there an easy way to do this when I'm so new at this that I don't quite
understand what I'm doing wrong and how to prevent all those mistakes in the
beginning?
/Marthe

-----Original Message-----
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 03, 2001 7:54 AM
To: Marthe Kristiansen
Cc: Php-General
Subject: RE: [PHP] Safety with PHP.

So you wrote a script that took a filename as an argument somehow and did
something with it? That's always going to be insecure unless you do a lot
of error checking on it.
-Rasmus

On Tue, 3 Apr 2001, Marthe Kristiansen wrote:
> Well, since I'm a newbie and also Norwegian it ain't that easy to explain
> very simply.
> What he did was that he entered a file that showed all the users of the
> server, as I said, and he told me this was kind of insecure.
> To prevent it he showed me a code that would help a bit.
>
> $filename=str_replace("..","",$filename);
> $filename=str_replace("/","",$filename);
> $filename=str_replace("%20","",$filename);
>
> He used /, .. and %20 to reach this file on my server.
>
> /Marthe
--
PHP General Mailing List (http://www.php.net/)
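
One form the error checking mentioned in this thread can take, as an added example that is not code from the thread or from the PHP project: rather than stripping sequences as the quoted `str_replace` lines do, accept only a plain file name and confirm the resolved path stays inside one directory. `resolve_user_file()`, the demo directory and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example. resolve_user_file() and the demo directory are hypothetical.
// Stripping sequences from the input can leave or re-form them (".%20." turns
// into ".." once "%20" is removed), so the whole name is validated instead.

function resolve_user_file(string $name, string $baseDir): ?string
{
    // 1. Allowlist: one plain file name. No separators, no leading dot,
    //    no percent signs, no NUL bytes, bounded length.
    $ok = preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}(\.[A-Za-z0-9]{1,8})?\z/', $name);
    if ($ok !== 1) {
        return null;
    }

    // 2. Canonicalise: realpath() resolves symlinks and "."/".." segments
    //    and returns false when the path does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Containment: the resolved path must still be a regular file under
    //    the base directory (catches symlinks that point elsewhere).
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory holding one servable file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'about.txt', "hello\n");

$inputs = ['about.txt', '../about.txt', '.%20./x', 'a/b.txt', "about.txt\0.php", 'missing.txt'];
foreach ($inputs as $input) {
    $resolved = resolve_user_file($input, $dir);
    $label = json_encode($input, JSON_UNESCAPED_SLASHES);
    printf("%-24s => %s\n", $label, $resolved === null ? 'rejected' : 'accepted');
}

unlink($dir . DIRECTORY_SEPARATOR . 'about.txt');
rmdir($dir);
```

A caller treats a `null` result as "not found" and opens only the returned path, never the raw request value.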