Re: [PHP-DB] how is this line a security risk?

2008-09-23 Thread Micah Gersten
Only if register_globals is on can that reset a variable.  You are
correct though, defining directory paths is safer.

Thank you,
Micah Gersten
onShore Networks
Internal Developer
http://www.onshore.com



Joseph Crawford wrote:
> read up on register_globals.  It is a security risk because if i do
> http://domain.com/file.php?plugins_directory=/directory/
>
> it can reset your variable.
>
> the best way to do that is to make PLUGINS_DIR a constant
>
> define('PLUGINS_DIR', '/directory/');
>
> Joseph Crawford
>
> On Sep 23, 2008, at 12:58 PM, michael wrote:
>
>> I get an error stating that this line in my code is a security risk
>> when I code it.
>>
>> require_once($PLUGINS_DIRECTORY."forum/forum.php");
>>
>> here is what the explanation is:
>>
>> include() or analogous is used with variable argument this can be
>> dangerous since variables are in many cases controlled by remote users.
>>
>> the recommended solution is to write it this way
>>
>> define('SCRIPT_PATH',"/htdocs");
>> include(SCRIPT_PATH."/Foo.inc");
>>
>> my question is why is the other way safer? I'm kinda confused..
>>
>>
>>
>> -- 
>> PHP Database Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>
>

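As an added illustration (not code from the thread), the following script shows the difference the replies describe: register_globals is simulated with extract() so that a request parameter overwrites the variable-based include path, while the define()'d constant is untouched; a containment check is added for the case where only the relative part is user-chosen. The directory paths, the sample query string and the safePluginPath() helper are constructed for this example.

```php
<?php
// Added example, not code from the thread. It shows why the variable form
// is unsafe and the constant form is not, then adds a containment check.
// Paths, the sample query string and safePluginPath() are constructed.

// Constructed request: what ?PLUGINS_DIRECTORY=... would arrive as.
$_GET = ['PLUGINS_DIRECTORY' => '/tmp/untrusted/'];

// --- Vulnerable form: base path held in a plain variable ---
$PLUGINS_DIRECTORY = '/var/www/app/plugins/';      // what the author meant
// extract() reproduces register_globals=On: request keys become globals.
extract($_GET, EXTR_OVERWRITE);
$unsafePath = $PLUGINS_DIRECTORY . 'forum/forum.php';
// $unsafePath is now '/tmp/untrusted/forum/forum.php', picked by the client.

// --- Safer form: base path is a constant ---
define('PLUGINS_DIR', '/var/www/app/plugins/');
extract($_GET, EXTR_OVERWRITE);   // cannot touch a constant; PLUGINS_DIR unchanged

// Resolve a plugin file under PLUGINS_DIR; null if missing or outside it.
// Still needed even with a constant when the relative part is user-chosen.
function safePluginPath(string $relative): ?string
{
    $base = realpath(PLUGINS_DIR);
    $full = realpath(PLUGINS_DIR . $relative);
    if ($base === false || $full === false) {
        return null;                                  // no such file
    }
    // Resolved path must stay inside the plugin directory (blocks ../ and symlink escapes).
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Defender check: complain if the deprecated directive is still enabled.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('register_globals is On: request input can overwrite globals');
}

$path = safePluginPath('forum/forum.php');
if ($path !== null) {
    require_once $path;
}
```

On PHP 5.4 and later register_globals no longer exists, so the ini_get() check only matters on the old installations this thread was written for; the constant plus containment check is the part that still applies.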



Re: [PHP-DB] how is this line a security risk?

2008-09-23 Thread Joseph Crawford

read up on register_globals.  It is a security risk because if I do
http://domain.com/file.php?plugins_directory=/directory/

it can reset your variable.

the best way to do that is to make PLUGINS_DIR a constant

define('PLUGINS_DIR', '/directory/');

Joseph Crawford

On Sep 23, 2008, at 12:58 PM, michael wrote:

> I get an error stating that this line in my code is a security risk
> when I code it.
>
>
> require_once($PLUGINS_DIRECTORY."forum/forum.php");
>
> here is what the explanation is:
>
> include() or analogous is used with variable argument this can be
> dangerous since variables are in many cases controlled by remote
> users.
>
>
> the recommended solution is to write it this way
>
> define('SCRIPT_PATH',"/htdocs");
> include(SCRIPT_PATH."/Foo.inc");
>
> my question is why is the other way safer? I'm kinda confused..










[PHP-DB] how is this line a security risk?

2008-09-23 Thread michael
I get an error stating that this line in my code is a security risk when I 
code it.


require_once($PLUGINS_DIRECTORY."forum/forum.php");

here is what the explanation is:

include() or analogous is used with variable argument this can be dangerous 
since variables are in many cases controlled by remote users.


the recommended solution is to write it this way

define('SCRIPT_PATH',"/htdocs");
include(SCRIPT_PATH."/Foo.inc");

my question is why is the other way safer? I'm kinda confused..



