[thelist] style switcher in php?

David U. davidu at everydns.net
Sat Oct 26 09:20:01 CDT 2002

Lachlan Cannon wrote:
> Geoff Sheridan wrote:
>> [1]The insecure way:
>> <link href="<?=$user_value?>" type="text/css">
>> where you expect $user_value to be "fluffy.css" but may be
>> "../../../passwd.ht"
> I don't see how this is any different, apart from requiring one more
> level of .. than the other, and as long as the ? works like I'd think
> it would,

The ? is part of the PHP closing tag.

Second of all, PHP has functions to deal with this sort of thing.

Look for:


> but then I realised it'd be a pointless hack anyway, since
> the user's browser would try querying the webserver for the file, and
> the web server would deny it.

Maybe, maybe not.

> Now if the $user_value was being
> included, that'd be different.

I think you're either a bit confused or unclear because you've completely
confused me in that statement. :-)


> --
> Lach
> __________________________________________
> Web: http://illuminosity.net/
> E-mail: lach @ illuminosity.net
> MSN: luminosity @ members.evolt.org
> __________________________________________

More information about the thelist mailing list