Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
E
E
ex3xeng2015-11-25 10:33:32
PHP
ex3xeng, 2015-11-25 10:33:32

Do I need to filter data file_exists(), file_get_contents()?

there is a diagram like this:

$file = (isset($_GET['file']) && !empty($_GET['file']) ? $_GET['file'] : false);
if ($file) {
   if (file_exists($file)) $file = file_get_contents($file);
}

while the get parameter is sent by the client, is it necessary to somehow filter the incoming data in this case? are errors possible?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
A
Alexey Ukolov, 2015-11-25
@alexey-m-ukolov

Of course, this is a classic mistake - you are actually letting the user read an arbitrary file on your server. This is a huge security hole.
Stepic.org has a course on web project security and it has a chapter on exactly this issue.

Report
A
Alexey Hog, 2015-11-25
@Skiphog

Some information can be found here

Similar questions
R
Rooly2021-03-23 11:40:40
How to properly organize apiResource Laravel? 2Reply
M
Max Ba2017-04-06 13:55:11
How to make a key for a TIN? 3Reply
A
Anton2021-03-27 12:39:53
Getting the selected radio item and passing it to the email body, how to display the selected item? 2Reply
S
Steve2022-01-20 23:47:23
How to hide the real path to css? 3Reply
M
MrFreeman2014-05-22 10:27:02
Where did the events from habrahabr go? 6Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question