
Web Technologies-I





Create a PHP program for data filtering using the include method.

Timing
Once a PHP script begins processing, the entire HTTP request has been received. This means
that the user does not have another opportunity to send data, and therefore no data can be
injected into your script (even if register_globals is enabled). This is why initializing your
variables is such a good practice.

Once your script is in a production environment, you should turn off public visibility of
errors and warnings, as they can give a potential hacker insight into how your script works.
                                 14.2 Filenames


It is fairly easy to construct a filename that refers to something other than what you intended.
For example, say you have a $username variable that contains the name the user wants to be
called, which the user has specified through a form field. Now let's say you want to store a
welcome message for each user in the directory /usr/local/lib/greetings, so that you can
output the message any time the user logs into your application. The code to print the current
user's greeting is:
<?php include("/usr/local/lib/greetings/$username") ?>
This seems harmless enough, but what if the user chose the username "../../../../etc/passwd"?
The code to include the greeting now includes /etc/passwd instead. Relative paths are a common
trick used by hackers against unsuspecting scripts.
Another trap for the unwary programmer lies in the way that, by default, PHP can open remote
files with the same functions that open local files. The fopen() function and anything that uses
it (e.g., include() and require()) can be passed an HTTP or FTP URL as a filename, and the
document identified by the URL will be opened. Here's some exploitable code:
<?php chdir("/usr/local/lib/greetings"); $fp = fopen($username, "r"); ?>
If $username is set to "http://www.example.com/myfile", a remote file is opened, not a local one.

The situation is even more dire if you let the user tell you which file to include():
<?php $file = $_REQUEST['theme']; include($file); ?>
If the user passes a theme parameter of "http://www.example.com/badcode.inc" and your
variables_order includes GET or POST, your PHP script will happily load and run the remote
code. Never use parameters as filenames like this.

14.2.1 Check for Relative Paths
When you need to allow the user to specify a filename in your application, you can use a
combination of the realpath() and basename() functions to ensure that the filename is what
it ought to be. The realpath() function resolves special markers such as "." and "..". After a
call to realpath(), the resulting path is a full path on which you can then use basename(). The
basename() function returns just the filename portion of the path.
Going back to our welcome message scenario, here's an example of realpath() and basename() in
action:
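As an added example (not the textbook's own code), the function below applies basename() and realpath() to the greeting scenario and also covers the remote-URL and user-chosen-filename cases from section 14.2. The function name safe_greeting_path(), the username request parameter and the prefix check against the base directory are the author of this example's choices, not the textbook's.

```php
<?php
// Added example (not from the textbook): resolve a user-chosen greeting name
// to a file inside one fixed directory, rejecting traversal and URL tricks.

function safe_greeting_path(string $baseDir, string $userInput)
{
    // Step 1: basename() drops every directory component, so
    //   "../../../../etc/passwd"        -> "passwd"
    //   "http://www.example.com/myfile" -> "myfile"
    $name = basename($userInput);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    // Step 2: realpath() resolves any remaining "." / ".." markers and
    // symlinks, and returns false when the file does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return false;
    }

    // Step 3 (extra check, not in the text): the resolved path must still lie
    // inside the base directory. This catches a symlink placed in the
    // greetings directory that points somewhere outside it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $path;
}

// Assumed locations and parameter name for the example.
$greetingsDir = '/usr/local/lib/greetings';
$username = isset($_REQUEST['username']) ? (string) $_REQUEST['username'] : '';

$greeting = safe_greeting_path($greetingsDir, $username);
if ($greeting === false) {
    echo "No greeting is available for this user.";
} else {
    include($greeting);
}
?>
```

Because basename() strips the scheme and host from a URL, the remote-file problem from section 14.2 disappears along with the relative-path one; the final prefix comparison is the belt-and-braces step that realpath() alone does not give you, since realpath() will happily follow a symlink out of the directory.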



        354                               LOVELY PROFESSIONAL UNIVERSITY