[PHP] is_uploaded_file() security

2003-10-22 Thread Alexander Mueller
Hi,

I am wondering about the following paragraph at
http://at2.php.net/manual/en/function.is-uploaded-file.php.

 Returns TRUE if the file named by filename was uploaded via HTTP POST.
 This is useful to help ensure that a malicious user hasn't tried to
 trick the script into working on files upon which it should not be
 working--for instance, /etc/passwd.

 This sort of check is especially important if there is any chance that
 anything done with uploaded files could reveal their contents to the
 user, or even to other users on the same system.

AFAIK the browser only sends the content of the chosen file and cannot
specify in any way a local filename which should be worked on.
Furthermore PHP creates a temporary file containing the uploaded file
content and passes this filename as 'tmp_name' variable. How can then a
malicious user try to trick the script?

Thanks,
Alexander
-- 
PINO - The free Chatsystem!
Available at http://www.pino.org

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] is_uploaded_file() security

2003-10-22 Thread Alexander Mueller
Marek Kilimajer wrote:
 
 By requesting upload_script.php?userfile=/etc/passwd and
 upload_script.php uses global variables to handle uploads. This check
 should not be necessary if you are using the $_FILES superglobal as php will
 not accept _FILES user input. But keep the check there in case a bug
 will be introduced.
 
 Alexander Mueller wrote:

Thanks for the explanation Marek. When I fully entered PHP's arena the
global variables weren't really an issue anymore, therefore I am more
familiar with the $_* arrays and wondered about this paragraph. So in
the good old days one could access the uploaded file by the name of the
input field?!

Thanks,
Alexander



Re: [PHP] is_uploaded_file() security

2003-10-22 Thread Alexander Mueller
Cpt John W. Holmes wrote:
 
 The user can pass the name of a file on the server. If you're not doing any
 checks and moving or displaying the file the user sent you, you may end
 up moving, deleting, or displaying any file on your server.
 
 ---John Holmes...

Thanks John, but only in the case global variables are active (as Marek
mentioned), right?

Alexander



[PHP] Page Reload with after POST request

2003-10-23 Thread Alexander Mueller

I am doing most of my data transfers by POST requests and found it to be
problematic when I want to browse the history with the browser's
navigation buttons. Although it works without problems in Opera (I didn't
try it with Netscape) it leads to a "Warning: Page has Expired" message
in IE. I understand IE's reason to show the message but noticed browsing
the history (under usage of the same POST transfer mechanism) works with
other PHP scripts (eg: vBulletin) in IE without this message. Any idea
which trick they use to avoid that?

Thanks,
Alexander




Re: [PHP] is_uploaded_file() security

2003-10-23 Thread Alexander Mueller
Raditha Dissanayake wrote:
 
 This does not work with multipart/form-data you need www-urlencoded (or
 just don't set an enctype attribute in your form)

What would happen in this case? The given filename would be passed to
the script?!

Alexander



[PHP] Re: Page Reload with after POST request

2003-10-23 Thread Alexander Mueller
Robert Sedlacek wrote:
 
 I don't know such a script, but my preferred way would be to make a
 'header("Location: $site");' statement right after processing the
 POST-request and lead the user to the site where the changes can be seen.
 
 This also avoids duplicate db-entries and stuff...
 
 Robert


Marek Kilimajer wrote:
 
 After handling the post request and taking the necessary actions (update
 db...), redirect the browser using header('Location: ..');
 


I suppose the browser does not add the redirecting site to its history.
In this case a redirect is really a good idea :). Thanks for this hint
Robert and Marek.

Alexander

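
The redirect-after-POST that Robert and Marek suggest, as an added example that is not code from the thread. The form, the field name, the save_comment() stand-in and the base URL are assumptions; the POST is handled, then the browser is sent to a GET URL, so the history entry and any Reload or Back is a GET rather than a re-submission:

```php
<?php
// Added example, not from the thread: Post/Redirect/Get in PHP.
// Field names, save_comment() and $baseUrl are assumptions.

session_start();

// Absolute base URL from configuration, not from $_SERVER['HTTP_HOST']:
// the Host header is client-controlled and would let an attacker steer
// the redirect to a host of their choosing.
$baseUrl = 'http://www.example.com';

function save_comment($text)
{
    // Stand-in for the real database insert; returns the new row count.
    if (!isset($_SESSION['comments'])) {
        $_SESSION['comments'] = array();
    }
    $_SESSION['comments'][] = $text;
    return count($_SESSION['comments']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $text = isset($_POST['comment']) ? trim($_POST['comment']) : '';
    if ($text === '') {
        $_SESSION['flash'] = 'Empty comment ignored.';
    } else {
        save_comment($text);
        $_SESSION['flash'] = 'Comment saved.';
    }
    // 303 See Other: "fetch this other URL with GET". A 302 behaves the
    // same in practice, but 303 is the status that says it explicitly.
    header('Location: ' . $baseUrl . '/comments.php', true, 303);
    exit; // nothing after the redirect header should run or be output
}

// GET branch: render the page; the flash message is shown once and cleared.
$flash = isset($_SESSION['flash']) ? $_SESSION['flash'] : '';
unset($_SESSION['flash']);
$comments = isset($_SESSION['comments']) ? $_SESSION['comments'] : array();
?>
<!DOCTYPE html>
<html><body>
<?php if ($flash !== ''): ?>
<p><?php echo htmlspecialchars($flash); ?></p>
<?php endif; ?>
<form method="post" action="comments.php">
<textarea name="comment"></textarea>
<button type="submit">Post</button>
</form>
<ul>
<?php foreach ($comments as $c): ?>
<li><?php echo htmlspecialchars($c); ?></li>
<?php endforeach; ?>
</ul>
</body></html>
```

Browsers record the redirected GET, not the POST response, as the history entry, which is why Back and Reload no longer re-submit. The redirect stops a reload from inserting a second row; it does not by itself stop a double-click on Submit before the first response arrives, which needs a one-time form token in the session.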



Re: [PHP] is_uploaded_file() security

2003-10-23 Thread Alexander Mueller
Raditha Dissanayake wrote:
 
 Hi,
 Multipart/form-data sends the entire file, if you don't use that enctype
 yes, just the file name is sent.
 
 best regards

I see, but then $_FILES is probably not set. So it wouldn't be necessary
to use is_uploaded_file() if one solely uses $_FILES (but should
probably nevertheless for any possible bugs - as Marek mentioned). Did I
miss anything?

Alexander
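
The two handlers the thread contrasts, as an added example that is not code from the thread: the register_globals script Marek describes, in which the client can name any server file, beside a handler that reads only $_FILES, keeps the is_uploaded_file() check, and also recognises the missing-enctype case Raditha mentions. The field name userfile, the upload directory and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. Field name "userfile", the
// upload directory and the function names are assumptions.

$uploadDir = '/var/www/uploads'; // assumed; keep it outside the document root

// VULNERABLE (register_globals = On). For a real multipart upload, PHP used
// to set $userfile to the temp file and $userfile_name to the client's
// file name. But a request such as
//   GET /upload_script.php?userfile=/etc/passwd&userfile_name=pw.txt
// sets exactly the same globals without uploading anything, and copy()
// then publishes /etc/passwd (or any file the web server can read).
function handle_upload_vulnerable()
{
    global $userfile, $userfile_name, $uploadDir;
    if (!empty($userfile)) {
        return copy($userfile, $uploadDir . '/' . basename($userfile_name));
    }
    return false;
}

// HARDENED. $_FILES is filled by PHP from the multipart/form-data body,
// not from request variables, so the client cannot choose tmp_name.
// is_uploaded_file() stays in as a guard against a future bug.
function handle_upload_hardened()
{
    global $uploadDir;

    if (!isset($_FILES['userfile'])) {
        if (isset($_POST['userfile'])) {
            // No enctype="multipart/form-data" on the form: the browser
            // sent just the file name as an ordinary field, no content.
            return 'form sent only a file name; set enctype="multipart/form-data"';
        }
        return 'no file field in request';
    }
    $f = $_FILES['userfile'];
    if ($f['error'] !== UPLOAD_ERR_OK) {
        return 'upload failed, error code ' . (int) $f['error'];
    }
    if (!is_uploaded_file($f['tmp_name'])) {
        return 'refusing: tmp_name is not a file uploaded in this request';
    }
    // Never build the destination from $f['name']: it is client data and
    // may contain "../" or an absolute path. Pick our own file name.
    $dest = $uploadDir . '/' . bin2hex(random_bytes(8)); // random_bytes(): PHP 7+
    // move_uploaded_file() repeats the is_uploaded_file() check internally.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return 'could not store upload';
    }
    return 'stored as ' . basename($dest);
}

echo handle_upload_hardened(), "\n";
```

The vulnerable function is only reachable on a PHP old enough to have register_globals; it is kept here to show what the manual's warning about /etc/passwd refers to. In the hardened version the only client-influenced string, $f['name'], is never used to build a path.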



[PHP] Re: SESSIONMANAGEMENT -- good php mailing list / good people

2003-10-29 Thread Alexander Mueller
Christoph Lockingen wrote:
 
 Hello!
 
 I am looking for a good PHP mailing list, preferably in German... If I
 am in the wrong place here, I apologise.

This is basically an international mailing list (hence English) :).

 
 1. Why can't I access
$_POST['lid']=lf_session_id();
via $_GET['lid']? (There is a Header(Location... after it - does that
 overwrite it?)

$_GET to reach $_POST? What exactly do you want to achieve?

 
 2. How do I get reasonable session management WITHOUT COOKIES working?
 PHP 4.2.2 is in use. With this PHP version it does not work as
 described. Bug? (seems so, already googled it)
 session_start();
 always returns new values... no session is carried over.

PHP can automatically rewrite HTML code so that the SID is included.
With PHP < 4.2 you have to specify this manually at compile time with
--enable-trans-sid. More information on this at
http://at2.php.net/manual/de/ref.session.php#session.idpassing


Alexander
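
Cookie-less session handling as the reply above describes it, as an added example that is not code from the thread: the runtime settings that replace the old --enable-trans-sid build option, plus the SID constant for links PHP's rewriting does not see. The page content and the URLs are made up.

```php
<?php
// Added example, not from the thread: sessions without cookies.
// Output and URLs are constructed for illustration.

// Runtime equivalent of --enable-trans-sid: session.use_trans_sid became
// an ini setting in PHP 4.2; older builds had to compile it in.
ini_set('session.use_cookies', '0');      // never send or read a session cookie
ini_set('session.use_only_cookies', '0'); // accept the id from the URL / form instead
ini_set('session.use_trans_sid', '1');    // rewrite relative <a href>, <form action> etc. in the output

session_start();
$_SESSION['visits'] = isset($_SESSION['visits']) ? $_SESSION['visits'] + 1 : 1;

// trans_sid only rewrites relative URLs that PHP sees in the output buffer.
// For anything built by hand (absolute URLs, redirects, JavaScript) append
// the id yourself. SID is "name=id" when the id did not arrive in a cookie
// and "" when it did, so this helper is correct in both modes.
function url_with_sid($url)
{
    if (!defined('SID') || SID === '') {
        return $url;
    }
    return $url . (strpos($url, '?') === false ? '?' : '&') . SID;
}

echo 'Visits this session: ', (int) $_SESSION['visits'], "\n";
echo '<a href="next.php">relative link, rewritten by trans_sid</a>', "\n";
echo '<a href="', htmlspecialchars(url_with_sid('http://www.example.com/next.php')),
     '">absolute link, id appended by hand</a>', "\n";
```

An id carried in the URL leaks through Referer headers, proxy and server logs and bookmarks, and anyone can hand a victim a link with an id of their choosing (session fixation). If this mode is unavoidable, regenerate the id when the user logs in and go back to session.use_only_cookies=1 wherever cookies are an option.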



[PHP] session_regenerate_id()

2003-10-29 Thread Alexander Mueller

I am not entirely sure what the following paragraph at
http://at2.php.net/manual/en/function.session-regenerate-id.php shall
mean

 As of PHP 4.3.3, if session cookies are enabled, use of
 session_regenerate_id() will also submit a new session cookie with the
 new session id.

What did it do in 4.3.2? Somehow it seems it's not working prior to 4.3.3
and even now it's not fully compatible with Opera.

Alexander



[PHP] Re: Query explanation

2003-10-29 Thread Alexander Mueller
Robb Kerr wrote:
 
 I am attempting to hack a tutorial from the Zend site. I have found the
 tutorial/project to be excellent, but I don't completely understand what's
 being done in the following Query statement.
 
 //query database, assemble data for selectors
 $Query = "SELECT s.ID, s.Name, a.Code " .
  "FROM areacode a, state s " .
  "WHERE a.State = s.ID " .
  "ORDER BY s.Name, a.Code";
 if(!($DatabaseResult = mysql_query($Query, $DatabaseLink)))
 {
  print("The query failed!<br>\n");
  exit();
 }
 
 Please explain what's going on in this SELECT statement. I'm assuming that
 the "s" in "s.ID", the "s" in "s.Name" and the "a" in "a.Code" are
 variables referring to the table name. ID, Name and Code are field
 names in two different tables. But, I can't find a place where these
 variables are initiated in the preceding code.
 
 I also don't understand what's going on in the FROM statement. Areacode
 and state are table names. That I understand. What's with the "a" and "s"
 following the table names? Is this where the variables are initiated?

Exactly. a and s are referring to the two tables and are assigned in
the FROM clause. You could write the query also without the
abbreviations.

SELECT state.ID, state.Name, areacode.Code FROM areacode, state
WHERE areacode.State = state.ID
ORDER BY state.Name, areacode.Code

Alexander



[PHP] Re: Posting variable in url

2003-10-29 Thread Alexander Mueller
Frank Tudor wrote:
 
 I have a redirect that if conditions are right it will pass the
 user to a new page via $_POST.
 
 I am posting variables in the url and on this next page more
 form stuff awaits the user.
 
 If a user submits incorrect stuff in the form is posts to
 itself.  The url holds the same variables that were pass through
 the redirect.
 
 My concern is that if a variable got altered in the URL by
 misstake or on purpose it would post to the refreshed page and
 screw everything up.
 
 Anyone run into something like this?
 
 Frank

Either validate the values on each page or create a session and store
them there.

Alexander



Re: [PHP] session_regenerate_id()

2003-10-29 Thread Alexander Mueller
Cpt John W. Holmes wrote:
 
 PHP 4.3.2 created a new session ID, but it didn't resend the cookie. So the
 next request would include the old session ID again from the cookie.

I wonder what it is then good for. Changing the id internally without
notifying the client does not make much sense IMHO.

 
 What are you trying to do?

Changing the session id upon a login to prevent referral attacks.

Alexander



Re: [PHP] session_regenerate_id()

2003-10-29 Thread Alexander Mueller
Curt Zirzow wrote:
 
 how is it not compatible with Opera?

With 4.3.3 it works for IE and Mozilla, however Opera still has some
problems with recognising the new id under certain circumstances.

Alexander



Re: [PHP] session_regenerate_id()

2003-10-30 Thread Alexander Mueller
Cpt John W. Holmes wrote:
 
 If you're using sessions in the URL, then it works just fine.
 
 So, if PHP is less than 4.3.3, you need to use setcookie() to reset the
 value of the session id yourself. If you're using 4.3.3, then you don't have
 to worry about it.

I see, but then I would rather call it a bug in 4.3.2 than an
enhancement in 4.3.3. I would expect a function which creates a new
session id to do all necessary steps to have client and server
synchronised. Anyway, thanks John for the explanation.

Alexander
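
Regenerating the session id at login, with the manual cookie re-send John describes for PHP older than 4.3.3, as an added example that is not code from the thread. The attack a fresh id defends against is session fixation: an id the client held before authenticating must not be the one that carries the logged-in state. check_credentials(), the form field names, the constructed user record and the redirect target are assumptions; the version branches show what each PHP generation needed, and a current PHP only ever takes the first one.

```php
<?php
// Added example, not from the thread. check_credentials(), the field
// names and the redirect target are assumptions; the user record is
// constructed for illustration.

session_start();

function check_credentials($user, $pass)
{
    // Constructed stand-in for a real user store; keep only password hashes.
    static $users = null;
    if ($users === null) {
        $users = array('alice' => password_hash('correct horse battery', PASSWORD_DEFAULT));
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Returns true when the client now holds a different id than before.
function regenerate_session_id()
{
    $old = session_id();

    if (version_compare(PHP_VERSION, '5.1.0', '>=')) {
        // true = also destroy the data stored under the old id, so a
        // stolen or planted old id stops working immediately.
        session_regenerate_id(true);
    } else {
        session_regenerate_id();
    }

    if (version_compare(PHP_VERSION, '4.3.3', '<') && ini_get('session.use_cookies')) {
        // 4.3.2 changed the id on the server but never re-sent the cookie,
        // so the next request would carry the old id again. Send it by hand.
        $p = session_get_cookie_params();
        setcookie(session_name(), session_id(), 0, $p['path'], $p['domain'], $p['secure']);
    }

    return $old !== session_id();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';

    if (check_credentials($user, $pass)) {
        // Regenerate before writing anything privileged into the session:
        // an id an attacker handed the victim (via URL, trans_sid or an
        // injected cookie) is then worthless after the login.
        regenerate_session_id();
        $_SESSION['user'] = $user;
        $_SESSION['login_time'] = time();
        header('Location: http://www.example.com/account.php', true, 303);
        exit;
    }

    header('HTTP/1.0 401 Unauthorized');
    echo "Login failed\n";
}
```

Regenerate again on any privilege change (password change, role switch) and call session_destroy() on logout; the cookie re-send is only needed on the 4.3.2 builds the thread discusses, where the server-side id changed but the browser was never told.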