[thelist] style switcher in php?

Lachlan Cannon luminosity at members.evolt.org
Sat Oct 26 09:07:01 CDT 2002


Geoff Sheridan wrote:
> [1]The insecure way:
> <link href="<?=$user_value?>" type="text/css">
> where you expect $user_value to be "fluffy.css" but may be
> "../../../passwd.ht"

I don't see how this is any different, apart from requiring one more
level of .. than the other, and as long as the ? works like I'd think it
would, but then I realised it'd be a pointless hack anyway, since the
user's browser would try querying the webserver for the file, and the
web server would deny it. Now if the $user_value was being included,
that'd be different.
--
Lach
__________________________________________
Web: http://illuminosity.net/
E-mail: lach @ illuminosity.net
MSN: luminosity @ members.evolt.org
__________________________________________
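One way to build the style switcher so that the question of "how many levels of .." never arises, as an added example (not code from the thread or from either poster): the request value is only ever used as a key into an allowlist of known stylesheets, so it is never emitted into the page or passed to the filesystem verbatim. The style names and the `/css/` directory are assumptions for the example.

```php
<?php
// Added example (not from the thread): a style switcher that never lets the
// raw request value reach the page or the filesystem.

// Allowlist: request keys (assumed names) mapped to the real stylesheet files.
const STYLESHEETS = [
    'default' => 'default.css',
    'fluffy'  => 'fluffy.css',
    'dark'    => 'dark.css',
];

/**
 * Resolve the requested style name to a stylesheet file name.
 * Anything not in the allowlist (including traversal sequences such as
 * "../../../passwd.ht") falls back to the default stylesheet.
 */
function resolve_stylesheet(?string $requested): string
{
    if ($requested !== null && array_key_exists($requested, STYLESHEETS)) {
        return STYLESHEETS[$requested];
    }
    return STYLESHEETS['default'];
}

/**
 * Build the <link> tag. htmlspecialchars() escapes the attribute value even
 * though it is already allowlisted, so the tag cannot be broken out of.
 */
function stylesheet_link(string $file): string
{
    return '<link rel="stylesheet" href="/css/'
        . htmlspecialchars($file, ENT_QUOTES, 'UTF-8')
        . '" type="text/css">';
}

// Usage: the style name comes from the query string, e.g. ?style=fluffy
// (from the CLI $_GET is empty, so the default stylesheet is emitted).
$style = $_GET['style'] ?? null;
echo stylesheet_link(resolve_stylesheet($style)), "\n";

// The distinction Lach draws: emitting a href only tells the browser where to
// ask, and the web server still decides what it serves. Reading the file on
// the server side (include/readfile) is the case where traversal would bite,
// and the same allowlist lookup must run before any such call, e.g.:
// readfile(__DIR__ . '/css/' . resolve_stylesheet($style));
```

The allowlist approach sidesteps both the traversal worry and the attribute-injection one in the same step: the value that reaches the output is always one of the three known file names, whatever was typed into the query string.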