[thelist] style switcher in php?

Geoff Sheridan web2k2 at premonition.co.uk
Sat Oct 26 05:15:01 CDT 2002


>>
>>If anyone notes any security flaws in my very simple script, I'd be
>>glad to hear them.
>
>What happens if the user submitted variable is
>"../../../passwordfile.whatever?"

Because the file ending .css is tacked on, this threat is eliminated.
It's very insecure to allow an entire path to be specified by user
input[1], but here:
<link href="<?=$user_value?>.css" type="text/css">
...only allows access to files ending .css
Qualify the path further, say:
<link href="/styles/<?=$user_value?>.css" type="text/css">
and the would-be cracker can only access files in the folder /styles/
which end with .css

That's all that's needed to avoid that security flaw. I agree, if you
don't qualify the path then it is a serious security risk.

FYI:
<?=$variable?>
This is shorthand for printing a variable inside html. Longhand might be:
<?php echo($variable); ?>

[1]The insecure way:
<link href="<?=$user_value?>" type="text/css">
where you expect $user_value to be "fluffy.css" but may be "../../../passwd.ht"
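
An added example, not from Geoff's post or the original switcher script, of how the qualified-path pattern above can be written defensively in PHP 7+: the style name is checked against an allow-list of stylesheets assumed to live under /styles/, anything else falls back to a default, and the result is HTML-escaped when written into the href attribute, because the user value is being placed inside an HTML tag as well as into a file path. The ALLOWED_STYLES names, chooseStyle() and styleLinkTag() are hypothetical.

```php
<?php
// Added example (not from the original post): a defensive version of the
// style-switcher pattern. The user-supplied style name is validated
// against an allow-list, replaced by a default when it does not match,
// and HTML-escaped before being written into the <link> tag.

// Hypothetical list of stylesheets that actually exist in /styles/.
const ALLOWED_STYLES = ['default', 'fluffy', 'highcontrast'];
const DEFAULT_STYLE  = 'default';

/**
 * Return a stylesheet name that is safe to embed in a path.
 * Anything not in the allow-list (e.g. "../../../passwd.ht" or a name
 * with an embedded NUL byte) is replaced by the default.
 */
function chooseStyle(?string $requested): string
{
    if ($requested === null) {
        return DEFAULT_STYLE;
    }
    // Syntactic check first: a style name is a short token of letters,
    // digits, underscore or hyphen, so path separators, dots and NUL
    // bytes are rejected before the allow-list lookup. \z (not $) so a
    // trailing newline cannot slip through.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested)) {
        return DEFAULT_STYLE;
    }
    return in_array($requested, ALLOWED_STYLES, true) ? $requested : DEFAULT_STYLE;
}

/**
 * Build the <link> element. htmlspecialchars() is applied even though the
 * value has already been validated, so the attribute stays well-formed if
 * the allow-list is ever widened to names containing quotes or '&'.
 */
function styleLinkTag(?string $requested): string
{
    $style = chooseStyle($requested);
    $href  = '/styles/' . $style . '.css';
    return '<link rel="stylesheet" href="'
        . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '" type="text/css">';
}

// Constructed sample inputs for a quick self-check from the command line:
// php style_switcher.php
if (PHP_SAPI === 'cli') {
    foreach (['fluffy', '../../../passwd.ht', "fluffy\0", 'x" onload="1', null] as $in) {
        echo var_export($in, true), ' => ', styleLinkTag($in), PHP_EOL;
    }
} else {
    // In the page itself: $_GET['style'] comes from the switcher's link or form.
    echo styleLinkTag($_GET['style'] ?? null);
}
```

With this layout only names that are both syntactically a plain token and present in ALLOWED_STYLES ever reach the path, so the "qualify the path" advice above is enforced by code rather than relying on the ".css" suffix alone, and the escaping keeps the attribute intact whatever the allow-list later contains.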
