Menu
Greetings, I'm hoping to make my tiny program secure so that potential malicious users cannot view sensitive files on the server.
$path = "/home/gsmcms/public_html/central/app/webroot/{$_GET['file']}"; if(file_exists($path)) { echo file_get_contents($path); } else { header('HTTP/1.1 404 Not Found'); } Off the top of my head I know that input such as '../../../../../../etc/passwd' would be trouble, but wondering what other malcious inputs I should expect and how to prevent them.
560
Sanitizing data means removing any illegal character from the data. Sanitizing user input is one of the most common tasks in a web application. To make this task easier PHP provides native filter extension that you can use to sanitize the data such as e-mail addresses, URLs, IP addresses, etc.
Description. Removes special characters that are illegal in filenames on certain operating systems and special characters requiring special escaping to manipulate at the command line.
realpath() will let you convert any path that may contain relative information into an absolute path...you can then ensure that path is under a certain subdirectory that you want to allow downloads from.
172
Use basename rather than trying to anticipate all the insecure paths a user could provide.
31
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
