[thelist] PHP template code security sufficient?

P Chen info at designbychen.com
Wed May 16 15:23:59 CDT 2007

Ok, I can see the problem now. 

Would someone be able to refer me to an adequate PHP site template?

I've found this tutorial, but not sure if it's sufficient?


-----Original Message-----
From: Paul Bennett [mailto:Paul.Bennett at wcc.govt.nz] 
Sent: Tuesday, May 15, 2007 3:04 PM
To: info at designbychen.com; thelist at lists.evolt.org
Subject: RE: [thelist] PHP template code security sufficient?

consider this:


<div class="body">
<?php @ require_once ("$page.html"); ?>

template.php?page=test.html");phpinfo();echo ("redherring

Which could beciome somwething like:
<?php @ require_once ("test.html");phpinfo();echo ("redherring"); ?>
Require some file
Print out all the php and server info to the user Echo some useless data */

Depending upon how robust your security checks are (the article has no
mention of any), this has the potential for injecting outside content into
your rendered source code, which may have XSS vulnerabilities, or allowing
the user to control script execution (as in the last example).

Just my 2c,

More information about the thelist mailing list