[thelist] style switcher in php?
David U.
davidu at everydns.net
Sat Oct 26 09:20:01 CDT 2002
Lachlan Cannon wrote:
> Geoff Sheridan wrote:
>> [1]The insecure way:
>> <link href="<?=$user_value?>" type="text/css">
>> where you expect $user_value to be "fluffy.css" but may be
>> "../../../passwd.ht"
>
> I don't see how this is any different, apart from requiring one more
> level of .. than the other, and as long as the ? works like I'd think
> it would,
The ? is part of the PHP closing tag.
Second of all, PHP has functions to deal with this sort of thing.
Look for:
php.net/basename
php.net/dirname
php.net/realpath
-davidu
> but then I realised it'd be a pointless hack anyway, since
> the user's browser would try querying the webserver for the file, and
> the web server would deny it.
Maybe, maybe not.
> Now if the $user_value was being
> included, that'd be different.
I think you're either a bit confused or unclear because you've completely
confused me in that statement. :-)
-davidu
> --
> Lach
> __________________________________________
> Web: http://illuminosity.net/
> E-mail: lach @ illuminosity.net
> MSN: luminosity @ members.evolt.org
> __________________________________________
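
A sketch of the approach the reply points to (basename, dirname, realpath), as an added example that is not code from this thread. The names `STYLE_DIR`, `DEFAULT_STYLE`, `resolve_stylesheet()` and the `style` query parameter are assumptions made for illustration.

```php
<?php
// Added example; all names below are hypothetical, not from the original post.
const STYLE_DIR = __DIR__ . '/styles';   // assumed directory holding the selectable .css files
const DEFAULT_STYLE = 'default.css';     // assumed fallback stylesheet

function resolve_stylesheet(string $userValue, string $styleDir = STYLE_DIR): string
{
    // basename() drops any directory part: "../../../passwd.ht" becomes "passwd.ht".
    $name = basename($userValue);

    // Accept only plain file names ending in .css (this also rejects backslashes,
    // NUL bytes and anything else that is not a simple name).
    if (!preg_match('/\A[A-Za-z0-9_-]+\.css\z/', $name)) {
        return DEFAULT_STYLE;
    }

    // realpath() resolves ".." and symlinks, and returns false if the file is missing.
    $base = realpath($styleDir);
    $path = realpath($styleDir . '/' . $name);

    // dirname() of the resolved file must be exactly the resolved style directory.
    if ($base === false || $path === false || dirname($path) !== $base) {
        return DEFAULT_STYLE;
    }
    return $name;
}

// Query parameters can arrive as arrays (?style[]=x); treat those as "not supplied".
$requested = $_GET['style'] ?? '';
$style = resolve_stylesheet(is_string($requested) ? $requested : '');
?>
<link rel="stylesheet" type="text/css"
      href="/styles/<?= htmlspecialchars($style, ENT_QUOTES, 'UTF-8') ?>">
```

Escaping the value with `htmlspecialchars()` on output keeps it from breaking out of the `href` attribute even if the validation rules are later loosened.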