> -Original Message-
> From: Fejes Jozsef [mailto:[EMAIL PROTECTED]
> Sent: 10 July 2003 12:33
>
> My method is:
> 1. check if id starts with /
> if(ereg("^\/", $id))
> goaway;
That's a rather expensive (and slightly obscure) way of performing that check. Try:
if ($id{0}=='/')
go
Hello Wendell,
Thursday, July 10, 2003, 6:59:25 AM, you wrote:
>>> So how to make sure that no one can access other people's files and
>>> server files? And is there any way that nobody would be able to
>>> download PHP files or how to make them look like code when they are
>>> downloaded. Than
Hi,
> if the make script
> and then just write
> test.php?id=/etc/passwd , they see all the file.
Well, FreeBSD provides a way to jail webservers: Jails 8-)
http://www.freebsd.org/doc/en_US.ISO8859-1/books/developers-handbook/jail.html
with best regards
--
Andreas Mendyk [EMAIL PROTE
>> So how to make sure that no one can access other people's files and
>> server files? And is there any way that nobody would be able to
>> download PHP files or how to make them look like code when they are
>> downloaded. Thanks!
I think he means "How do I keep people who have access to upload
At 13:45 10-7-03, Marek wrote:
Add a check for php files, or any other files you don't want anybody to
include:
if(ereg('php[0-9]$', $id))
goaway;
but what about '?' and '#' additions?
$id="however_they_would_find_out/your_path/file.php?extra=x#loc";
?
so maybe
if(ereg('\.php', $id)) ?
-
Add a check for php files, or any other files you don't want anybody to
include:
if(ereg('php[0-9]$', $id))
goaway;
Fejes Jozsef wrote:
My method is:
1. check if id starts with /
if(ereg("^\/", $id))
goaway;
2. check if there is .. in it
if(ereg("\.\.", $id))
goaway;
--
PHP General Ma
My method is:
1. check if id starts with /
if(ereg("^\/", $id))
goaway;
2. check if there is .. in it
if(ereg("\.\.", $id))
goaway;
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
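The checks proposed in this thread (reject a leading /, reject "..", reject .php, allow only name.html) can be combined into one allowlist plus a resolved-path check. The following is an added example, not code from any poster; resolve_page(), the scratch directory and the sample ids are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. resolve_page() and the sample
// ids are hypothetical/constructed.

// Return the absolute path of $id inside $baseDir, or null if $id is unsafe.
function resolve_page($id, $baseDir)
{
    // 1. Allowlist the whole name. \A and \z anchor both ends, so "/",
    //    "..", "?", "#", NUL bytes, a trailing newline and ".php" all fail.
    if (!is_string($id) || preg_match('/\A[a-z0-9_]+\.html\z/i', $id) !== 1) {
        return null;
    }
    // 2. Resolve symlinks and require the result to stay under the base dir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $id);
    if ($base === false || $path === false || !is_file($path)) {
        return null; // base dir or file missing
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: one real page in a scratch directory.
$dir = sys_get_temp_dir() . '/pages_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/about.html', "<p>about</p>\n");

$samples = [
    'about.html',                    // valid
    '/etc/passwd',                   // absolute path
    '../../etc/passwd',              // traversal
    'file.php?extra=x#loc',          // the "?" and "#" case raised above
    'about.html/../../etc/passwd',   // passes a pattern with no end anchor
    "about.html\n",                  // passes "$" but not "\z"
    'missing.html',                  // well-formed but absent
];
foreach ($samples as $id) {
    $path = resolve_page($id, $dir);
    printf("%-32s %s\n", json_encode($id), $path === null ? 'rejected' : 'allowed');
    if ($path !== null) {
        readfile($path); // readfile(), not include(): content is never run as PHP
    }
}
unlink($dir . '/about.html');
rmdir($dir);
```

Only the first sample is served; a denylist of "/" and ".." alone would also have to anticipate every other row.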
On Thursday 10 July 2003 17:26, Mantas Kriauciunas wrote:
> My server is running FreeBSD 5.0
>
> and yet I haven't fixed a bug that I knew about a long time ago, so can anyone
> point me to some links or resources about it? I could not find any
> good ones on Google, maybe I don't know how to search.
First
Exactly like I said, just check this:
$id='/etc/passwd';
if($id && eregi('^[a-z0-9_]+\.html$',$id)) include($id);
else die('Go away!');
The regular expression prevents anyone from accessing any file that is
not in your web root (http://your.server.net/) or its name does contain
any other character
Hello Marek,
Thanks for the answer, but I think you misunderstood me because of my
bad English. What I mean is the people with that code can access and
view files in any place on my server and see the passwords stored in
some files, decode them, and do stuff like that. I wanted to know how
to prev
Mantas Kriauciunas wrote:
The problem is
if the make script
and then just write
test.php?id=/etc/passwd , they see all the file.
Check if $id is valid. Exact way depends on the structure of the files.
Example 1: All included files are in web root and are named
something.html, something can c
Hello php-general,
My server is running FreeBSD 5.0
and yet I haven't fixed a bug that I knew about a long time ago, so can anyone
point me to some links or resources about it? I could not find any
good ones on Google, maybe I don't know how to search.
The problem is
if the make script
and then just w