#1
help with include, very simple.
fixed
Last edited by jmweb : September 30th, 2003 at 08:16 PM.
#2
PHP Code:
#3
thanks
Last edited by jmweb : September 30th, 2003 at 07:20 PM.
#4
can anyone help?
#5
Try concatenating your variable instead of posting it inline:
PHP Code:
Also, the single quotes are probably causing a problem, as they cause $photos to be read as a string literal. In the error messages you last posted, there appear to be spaces in the path as well. Try changing your single quotes to double quotes, and consider also using the dot operator to concatenate the variable between string values (that may just be my personal coding style and probably doesn't really gain you anything besides readability).
Consider also validating $photos to make sure I can't pass something to your query string like:
Code:
&photos=../../../../../etc/passwd
and get access to sensitive files.
#6
yeah double quotes would fix it
PHP Code:
or use what dhouston gave (but stick to single quotes if you concatenate).
BY ALL MEANS validate that query string value before you use it to include any files. That is a huge security issue! Preferably you should compare it to an array of acceptable values, and either use a default or kill the script if the value is not what you expected.
#7
or
PHP Code:
__________________
-- Jason
#8
One thing
Make sure you have given that folder write permissions.
#9
Why would you want to give the folder write permission if all you're doing is reading images from it?
#10
oops good point did not read it all the way
I get that kind of error when I am trying to write something to a directory that does not allow that. Sorry, ya if you are only reading then it does not matter.
#11
PHP Code:
Please do not use that line of code in any script. That is textbook non-secure PHP code. Never accept any unchecked user input... especially to include a file on your network.
Some reading material...
http://us4.php.net/manual/en/security.variables.php
http://us4.php.net/manual/en/security.filesystem.php
#12
mutus, there are many ways to do that same thing. do you think setting $photos = to http_get_vars is more secure? nope
#13
Sorry there was no offense meant...
If you read above to my first post you'll see that I made a point that the inputted value should be validated, i.e. whatever value is held by $photos. That line of code you posted appears to plug the GET value in unvalidated. That's my objection. Of course there are multiple ways to assemble strings... maybe you were assuming that the value was already validated and just offering an alternative way to write the code. Going by what I suggested... yes, putting the GET value into $photos and validating it against an array of acceptable choices is MUCH more secure than stuffing the raw GET value into an include statement. But maybe you were assuming that the GET value was already deemed safe before that line of code... my apologies if so. I wasn't trying to make a problem.
#14
no problem.
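
Added example, not part of the original thread and not any poster's code: the allow-list check that posts #6 and #13 recommend, written for PHP 8. The gallery names, the galleries/ directory and the function names are assumptions, since the thread's own code is not shown.

```php
<?php
declare(strict_types=1);

// Hypothetical values: the thread's real directory layout and page names are not shown.
const GALLERY_DIR = __DIR__ . '/galleries';
const ALLOWED_GALLERIES = ['summer', 'winter', 'family'];
const DEFAULT_GALLERY = 'summer';

/**
 * Map the raw ?photos= value onto a file that is safe to include.
 * Falls back to the default gallery when the value is missing or not on the list.
 */
function resolveGallery(mixed $raw): string
{
    // ?photos[]=x arrives as an array; anything that is not a listed string is rejected.
    if (!is_string($raw) || !in_array($raw, ALLOWED_GALLERIES, true)) {
        $raw = DEFAULT_GALLERY;
    }
    // The path is built only from a list entry, never from the raw input.
    return GALLERY_DIR . '/' . $raw . '.php';
}

/** Defence in depth: confirm the resolved file really lives under GALLERY_DIR. */
function isInsideGalleryDir(string $path): bool
{
    $base = realpath(GALLERY_DIR);
    $real = realpath($path); // false when the file does not exist
    return $base !== false && $real !== false
        && str_starts_with($real, $base . DIRECTORY_SEPARATOR);
}

// Constructed sample inputs, including the traversal string quoted in post #5.
$samples = ['winter', '../../../../../etc/passwd', 'winter.php', ['x'], null];
foreach ($samples as $sample) {
    $shown = json_encode($sample, JSON_UNESCAPED_SLASHES);
    printf("%-32s -> %s\n", $shown, basename(resolveGallery($sample)));
}

// In the page itself (run under a web server):
// $file = resolveGallery($_GET['photos'] ?? null);
// if (!isInsideGalleryDir($file)) { http_response_code(404); exit; }
// include $file;
```

Only 'winter' resolves to its own file; every other sample, including the traversal string, falls back to the default gallery.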