[thelist] style switcher in php?

Geoff Sheridan web2k2 at premonition.co.uk
Sat Oct 26 05:15:01 CDT 2002

>>If anyone notes any security flaws in my very simple script, I'd be
>>glad to hear them.
>What happens if the user submitted variable is

Because the file ending .css is tacked on, this threat is eliminated.
It's very insecure to allow an entire path to be specified by user
input[1], but here:
<link rel="stylesheet" href="<?=$user_value?>.css" type="text/css">
...only allows access to files ending .css
Qualify the path further, say:
<link rel="stylesheet" href="/styles/<?=$user_value?>.css" type="text/css">
and the would-be cracker can only access files in the folder /styles/
which end with .css

That's all that's needed to avoid that security flaw. I agree, if you
don't qualify the path then it is a serious security risk.

This is shorthand for printing a variable inside HTML. Longhand might be:
<?php echo($variable); ?>

[1]The insecure way:
<link rel="stylesheet" href="<?=$user_value?>" type="text/css">
where you expect $user_value to be "fluffy.css" but may be "../../../passwd.ht"
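As an added illustration of the qualified-path approach discussed above (this is example code, not the poster's script or anything from the thelist archive): the style name from the request is checked against a fixed allowlist before it is placed into the /styles/<name>.css link, and the attribute value is HTML-escaped. The folder name, the style names and the `$_GET['style']` parameter are assumptions for the example.

```php
<?php
// Added example, not the original poster's code. A small style switcher that
// only ever emits a link to a known stylesheet under the assumed /styles/ folder.

// Assumed set of stylesheets that actually exist as /styles/<name>.css.
const ALLOWED_STYLES = ['default', 'large-print', 'high-contrast'];
const DEFAULT_STYLE  = 'default';

/**
 * Return a safe style name: the requested one if it is on the allowlist,
 * otherwise the default. The strict comparison means anything that is not
 * exactly one of the listed strings (traversal sequences, null, numbers)
 * falls back to the default instead of reaching the filesystem path.
 */
function chooseStyle(?string $requested): string
{
    return in_array($requested, ALLOWED_STYLES, true) ? $requested : DEFAULT_STYLE;
}

/**
 * Build the <link> tag for a chosen style. htmlspecialchars() is applied even
 * though the name is already allowlisted, so the tag stays well-formed if the
 * allowlist is later extended with a name containing quotes or angle brackets.
 */
function styleLinkTag(string $style): string
{
    $href = '/styles/' . htmlspecialchars($style, ENT_QUOTES, 'UTF-8') . '.css';
    return '<link rel="stylesheet" href="' . $href . '" type="text/css">';
}

// In a page this would be: echo styleLinkTag(chooseStyle($_GET['style'] ?? null));
// Constructed sample inputs stand in for the request so the script runs from the CLI.
$samples = ['large-print', 'nonexistent', '../../../passwd.ht', null];
foreach ($samples as $input) {
    echo styleLinkTag(chooseStyle($input)), PHP_EOL;
}
```

Run with `php switcher.php`: the first sample yields the large-print link, and the other three all fall back to /styles/default.css. If the chosen name is to persist across pages, store the value returned by chooseStyle() (never the raw request value) in a cookie with setcookie() before any output is sent.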
