A hacker could modify the URL Mypage.php?file=book.pdf
so that it becomes Mypage.php?file=../htdocs/.htaccess

> -----Original Message-----
> From: Aaron Todd [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 11, 2004 11:58 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] download script
>
> Why would this be a security hole if I do not filter the file name before I
> use it?
>
> Thanks,
>
> Aaron
>
>
> "Ed Lazor" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > The other guys addressed how to get the script working, but I thought I
> > might also mention that you're presenting a potential security hole in your
> > app by not filtering the file name before using it. You'll also want to use
> > the realpath command on the full file name and path.
> >
> > > -----Original Message-----
> > > $file = "/home/dlr/test/".$_GET['file']."";
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
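The following is an added example, not code posted by anyone in this thread: a download script that applies the advice above (resolve the full path with realpath and refuse anything that ends up outside the download directory). The directory /home/dlr/test is taken from the quoted script; the function name and the 404 handling are assumptions.

```php
<?php
// Added example (not from the thread): download script hardened against the
// "../htdocs/.htaccess" traversal shown above. Paths and names are assumptions.

declare(strict_types=1);

// Only directory this script may serve from (assumed; mirrors the quoted script).
const DOWNLOAD_DIR = '/home/dlr/test';

/**
 * Resolve a user-supplied file name to a canonical path inside $baseDir.
 * Returns null if the file does not exist, is not a regular file, or the
 * resolved path escapes the base directory.
 */
function resolveDownloadPath(string $requested, string $baseDir = DOWNLOAD_DIR): ?string
{
    // The vulnerable form from the thread, for contrast:
    //   $file = "/home/dlr/test/" . $_GET['file'];
    // file=../htdocs/.htaccess walks straight out of /home/dlr/test/.

    // realpath() rejects embedded NUL bytes (a ValueError on PHP 8), so
    // refuse them up front instead of letting the request error out.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Canonicalise the base directory too, so both sides of the later
    // comparison have "..", "." and symlinks resolved the same way.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() returns false when the target does not exist; is_file()
    // excludes directories and special files.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }

    // The resolved path must start with "<base>/" (separator included), so a
    // sibling such as /home/dlr/test2/secret does not pass as a prefix match.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $full;
}

$path = resolveDownloadPath($_GET['file'] ?? '');

if ($path === null) {
    // Same response for "missing" and "outside the directory": no hint to the caller.
    http_response_code(404);
    exit('File not found.');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

With this check, file=book.pdf resolves to /home/dlr/test/book.pdf and is served, while file=../htdocs/.htaccess resolves to /home/dlr/htdocs/.htaccess, fails the prefix comparison, and gets a 404. Because realpath() follows symlinks, a link inside the download directory that points elsewhere is also rejected; if serving through such links is intended, that is the line to relax, deliberately.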