dams            Mon Jan 15 00:36:45 2001 EDT

  Modified files:              
    /phpdoc/en/chapters security.xml 
  Log:
  show_source() -> <function>show_source</function>
  
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.16 phpdoc/en/chapters/security.xml:1.17
--- phpdoc/en/chapters/security.xml:1.16        Sat Jan 13 00:36:39 2001
+++ phpdoc/en/chapters/security.xml     Mon Jan 15 00:36:44 2001
@@ -342,7 +342,7 @@
 $file_to_delete = "$userfile";
 unlink ($homedir/$userfile);
 echo "$file_to_delete has been deleted!";
-?>
+?&gt;
      </programlisting>
     </example>
    Since the username is postable from a user form, they can submit
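Review bot: the context line `unlink ($homedir/$userfile);` in this listing is missing its string quotes, so PHP would evaluate `$homedir/$userfile` as a division rather than build a path; suggest `unlink ("$homedir/$userfile");`, matching the quoted form the other listings in this patch use. The `?>` to `?&gt;` change itself is valid but not strictly required: in XML text content only `<` and `&` must be escaped, and `>` only when it appears in `]]>`, so this is a consistency change rather than a parse fix.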
@@ -361,7 +361,7 @@
 $file_to_delete = "passwd";
 unlink ("/home/../etc/passwd");
 echo "/home/../etc/passwd has been deleted!";
-?>
+?&gt;
      </programlisting>
     </example>   
     There are two important measures you should take to prevent these
@@ -398,7 +398,7 @@
 fclose($fp);
 
 echo "$file_to_delete has been deleted!";
-?>
+?&gt;
      </programlisting>
     </example>
     Alternately, you may prefer to write a more customized check:
@@ -413,7 +413,7 @@
     die('bad filename'); //die, do not process
     
 //etc...
-?>
+?&gt;
      </programlisting>
     </example> 
     Depending on your operating system, there are a wide variety of files
@@ -439,10 +439,11 @@
     as the function or file that failed, the PHP file it failed in,
     and the line number which the failure occured in. This is all
     information that can be exploited.  It is not uncommon for a php
-    developer to use show_source(), highlight_string(), or
-    highlight_file() as a debugging measure, but in a live site, this
-    can expose hidden variables, unchecked syntax, and other dangerous
-    information.
+    developer to use <function>show_source</function>, 
+    <function>highlight_string</function>, or 
+    <function>highlight_file</function> as a debugging measure, but in 
+    a live site, this can expose hidden variables, unchecked syntax, 
+    and other dangerous information.
    </simpara>
    <simpara>
     For example, the very style of a generic error indicates a system
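Review bot: all four added lines (`developer to use <function>show_source</function>, ` through `a live site, this can expose hidden variables, unchecked syntax, `) carry trailing whitespace; please trim it. While this paragraph is being edited, two typos in the unchanged context are worth fixing in the same commit: "occured" should be "occurred", and "a php developer" should be "a PHP developer" to match the product name used elsewhere in the manual.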
@@ -502,7 +503,7 @@
 system ($evil_var);
 exec ($evil_var);
 
-?>
+?&gt;
      </programlisting>
     </example>
     You should always carefully examine your code to make sure that any

