$num = $_GET['fileid']; // get file id
$realfile = "filename".$num.'.txt';
My question is: is it still possible to null poison this? The .'.txt' at the end does not disappear with null byte injection according to my experimentation. Is there a way to null byte this?
I believe your code might be susceptible to directory traversal attacks - if someone provided "/../../foo" as a fileid, then the path would be "filename/../../foo.txt", which could be a valid target. See: http://en.wikipedia.org/wiki/Directory_traversal
I'm with @jeroen and @shiplu.mokadd.im, who suggest sanitizing your input - assuming fileid is a number then the intval() function will do you fine:
$num = $_GET['fileid'];
// intval() returns 0 for input that does not start with a number
$num = intval( $num );
if( $num == 0 ) {
    echo "Invalid file ID: Not a number.";
    exit;
} else {
    // $num is an integer here, so it cannot contain "/" or ".."
    $fileName = 'filename' . $num . '.txt';
    if( !file_exists( $fileName ) ) {
        echo "Invalid file ID: Doesn't exist.";
    } else {
        // do something
    }
}
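An added example, not part of the original question or answer: a stricter variant of the same check that validates the raw string with a whitelist pattern (so "12abc", which intval() would turn into 12, is refused) and then confirms the resolved path stays inside one base directory. The function name resolveFileId and the temporary demo directory are hypothetical.

```php
<?php
// Added example: helper name and demo directory are assumptions, not from the page.

/** Map a user-supplied file id to a path inside $baseDir, or return null. */
function resolveFileId($raw, string $baseDir): ?string
{
    // Accept only a plain string of 1-9 decimal digits. This refuses arrays
    // (?fileid[]=1), "../" sequences, NUL bytes, signs and mixed input such as "12abc".
    if (!is_string($raw) || preg_match('/\A[0-9]{1,9}\z/', $raw) !== 1) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() resolves symlinks and ".." and returns false if the file is missing.
    $path = realpath($base . DIRECTORY_SEPARATOR . 'filename' . $raw . '.txt');
    if ($path === false || !is_file($path)) {
        return null;
    }

    // Defence in depth: the resolved path must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample data so the script runs offline.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fileid_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir);
}
$demoFile = $dir . DIRECTORY_SEPARATOR . 'filename7.txt';
file_put_contents($demoFile, "hello\n");

// Constructed inputs: one valid id, one missing id, and several malformed values.
$samples = ['7', '8', '/../../foo', "7\0", '12abc', '-1', ['7']];
foreach ($samples as $s) {
    $result = resolveFileId($s, $dir);
    $label  = json_encode($s, JSON_UNESCAPED_SLASHES);
    echo str_pad($label, 16), ' => ', $result === null ? 'rejected' : 'accepted', "\n";
}

unlink($demoFile);
rmdir($dir);
```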