on Sun, 3 Sep 2006 14:03:23 +0200, Janwillem Borleffs wrote:
> NoWhereMan wrote:
>> would you please help me find any security flaw in this code (if any)?
>> thank you so much
>> http://paste.uni.cc/9829
> I assume you have properly set your base dir restriction directive in your
> php.ini file to handle cases where $_REQUEST['f'] would be defined as
> '../someprivatedir/dbconnect.php'?
> JW
actually I can't as I don't own the webserver (and as the script is
supposed to be distributed), and that's why I've put these lines:
if (strpos($name, '..') !== false || strpos($name, '/') !== false)
    die('Invalid file name!');
--
NoWhereMan
-- NoWhereBlog:
www.nowhereland.it
-- deviantArt:
http://nowhereland.deviantart.com
-- Do you play BiteFight?
http://bitefight.nowhereland.it/
-- Vagisil improves your intimate life:
www.vagisil.com/teencenter.shtml
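The two posts above discuss restricting which file $_REQUEST['f'] may select for inclusion, either through open_basedir or by rejecting names containing '..' or '/'. As an added example (not the code from the paste or from either poster), the following PHP shows the stricter approach a defender would prefer: an allow-list on the name's shape plus a realpath() containment check against an assumed $baseDir, so the decision does not depend on enumerating bad substrings.

```php
<?php
// Added example: validate a user-supplied include name with an allow-list
// and a realpath() containment check. $baseDir is assumed to be the only
// directory from which includes may be loaded.
function resolveInclude(string $name, string $baseDir): ?string
{
    // 1. Allow-list the shape of the name: letters, digits, '_' and '-',
    //    ending in ".php". Separators, NUL bytes and '..' never match.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.php\z/', $name)) {
        return null;
    }

    // 2. Canonicalise both the base directory and the candidate file.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // base directory or target file does not exist
    }

    // 3. Containment: the resolved path must still sit under $baseDir,
    //    even if a symlink inside $baseDir points somewhere else.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demonstration: a temporary base directory with one real page.
$baseDir = sys_get_temp_dir() . '/pages_demo';
@mkdir($baseDir);
touch($baseDir . '/about.php');

$candidates = ['about.php', '../dbconnect.php', 'about.php/../../x.php', "about.php\0.txt", 'missing.php'];
foreach ($candidates as $f) {
    $resolved = resolveInclude($f, $baseDir);
    printf("%-26s => %s\n", addcslashes($f, "\0"),
        $resolved === null ? 'rejected' : 'include ' . $resolved);
}

// In the distributed script this would replace the strpos() checks:
//   $file = resolveInclude($_REQUEST['f'] ?? '', $baseDir);
//   if ($file === null) die('Invalid file name!');
//   include $file;
```

Only 'about.php' resolves; the other candidates are refused by the allow-list or by the containment check, and 'missing.php' is refused because realpath() cannot resolve it.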