[PHP] security question regarding including files..

2003-01-21 Thread Chad Day
I want to give my users the ability to submit a URL to a database, then when they pull up their page, their photo is included .. what I'm worried about is them pointing the link to some malicious code or something.. Obviously I can validate the file extension (.gif or .jpg) .. and I'm going to

Re: [PHP] security question regarding including files..

2003-01-21 Thread Stephan Seidt
I guess you use some webserver, let's take apache. Apache's mime.conf defines several extensions, including the php extensions. So only .php, .php3, .php4 files will be parsed by php. Chad Day wrote: I want to give my users the ability to submit a URL to a database, then when they pull up their page,

Re: [PHP] security question regarding including files..

2003-01-21 Thread Chris Shiflett
--- Chad Day [EMAIL PROTECTED] wrote: I want to give my users the ability to submit a URL to a database, then when they pull up their page, their photo is included .. what I'm worried about is them pointing the link to some malicious code or something.. Your instincts serve you well. There

Re: [PHP] security question regarding including files..

2003-01-21 Thread Sean Burlington
Chris Shiflett wrote: --- Chad Day [EMAIL PROTECTED] wrote: I want to give my users the ability to submit a URL to a database, then when they pull up their page, their photo is included .. what I'm worried about is them pointing the link to some malicious code or something.. Your instincts

Re: [PHP] security question regarding including files..

2003-01-21 Thread Jason Wong
On Wednesday 22 January 2003 01:40, Sean Burlington wrote: is there really any site which will accept a book order based on a single GET? Amazon makes a big deal of their one-click shopping feature. It's so good they've even patented it. -- Jason Wong - Gremlins Associates -

Re: [PHP] security question regarding including files..

2003-01-21 Thread Sean Burlington
Gibbs, Liam - SXIA wrote: I agree that there are risks - but I do think this can be done safely. Couldn't you just check the submitted URL and find out if it's a gif or jpeg? I don't think even PHP-enabled servers will run a gif or jpeg. please send replies to the list ... and you can't

Re: [PHP] security question regarding including files..

2003-01-21 Thread Chris Shiflett
--- Sean Burlington [EMAIL PROTECTED] wrote: I'm not sure what harm could be done by this though. if a browser attempts to load an image referenced by an img tag - but finds an unsuitable type of data - I would expect it simply to ignore it... I sent a response about this earlier, but you

Re: [PHP] security question regarding including files..

2003-01-21 Thread Chris Shiflett
--- Sean Burlington [EMAIL PROTECTED] wrote: is there really any site which will accept a book order based on a single GET? Well, yes, but that is not the point really. The example of the img tag is just one way you can forge an HTTP request from another user (the victim). Also consider that

Re: [PHP] security question regarding including files..

2003-01-21 Thread Sean Burlington
Chris Shiflett wrote: --- Sean Burlington [EMAIL PROTECTED] wrote: I'm not sure what harm could be done by this though. if a browser attempts to load an image referenced by an img tag - but finds an unsuitable type of data - I would expect it simply to ignore it... I sent a response about