Re: Repetitive code question [message #179688 is a reply to message #179654] Sun, 18 November 2012 03:53
From: Thomas 'PointedEars' Lahn
Jerry Stuckle wrote:

> On 11/15/2012 3:06 PM, Thomas 'PointedEars' Lahn wrote:
>> Jerry Stuckle wrote:
>>> On 11/15/2012 10:21 AM, Thomas 'PointedEars' Lahn wrote:
>>>> Shake wrote:
>>>> > On 15/11/2012 13:26, Dynamo wrote:
>>>> >> following php code to get the file contents:
>>>> >> [
>>>> >> <?php
>>>> >> $mymenu=file_get_contents('menu.txt');
>>>> >> echo $mymenu;
>>>> >> ?>
>>>> >> ]
>>>> >> Everything works fine but is this good practice and is there a better
>>>> >> way.
>>>> >
>>>> > if the content of 'menu.txt' is HTML... the filename should be
>>>> > 'menu.html'.
>>>>
>>>> And the variable is superfluous (except perhaps for debugging):
>>>>
>>>> <?php
>>>> echo file_get_contents('menu.txt');
>>>> ?>
>>>>
>>>> > What you are doing is an include... you can do this way:
>>>> >
>>>> > <?
>>>> > include('menu.txt');
>>>> > ?>
>>>>
>>>> That is not equivalent to the above, because with `include' (or
>>>> `include_once', `require', or `require_once') the content of menu.txt
>>>> will be parsed (searched for <?php … ?> sections which will then be
>>>> executed).
>>>
>>> So? Actually, it's an advantage. For instance, he may later want to
>>> add PHP code into the menu. He then would not need to go back and
>>> change all his existing code.
>>
>> As I have explained in the part that you did not quote, it can be an
>> advantage indeed. But if it really is only supposed to be plain text (or
>> plain markup), using one of the include statements now can easily be a
>> disadvantage over file_get_contents() or readfile() if the plain text
>> happens to contain `<?php' or even `<?'. Because what follows will be
>> parsed as PHP until `?>' no matter if that was intended.
>>
>> I strongly suspect this is but an example (it reads like homework). If
>> the file in question is actually user-specified, using an include
>> statement like this instead of file_get_contents() or readfile() would
>> allow for code injection and potentially a cross-site scripting (XSS)
>> attack on this application or website. If the PHP section feature is to
>> be leveraged later, the statement can still be modified to use an include
>> statement later, after it has been ensured that code injection and XSS
>> are not possible.
>
> OK, pray tell - how is a hacker going to initiate a code injection
> attack without access to the file system to modify (or replace) the
> included file?

File system access does not need to be direct, and may not even be necessary
if the include's path is based on user input.

> And if the hacker has access to the file system, what
> difference does it make what method the op uses?

They can more easily do more (publicly visible) damage with an include
statement because they do not have to modify the including code. It has
been done before. That is not to say that includes are bad per se, but
then again I have never said that.

> And exactly how many files do you think include <?php unless they are
> php files? None I've ever seen. They *might* have <?, but that's not a
> problem if you disable short_open_tags (as recommended).

I have already mentioned one real case in another posting in this thread,
and even with short_open_tags=0 `<?php … ?>' content will be parsed if in an
include, *no matter what*. You are not paying attention.

> As for modifying the statement later - why do you think he wants an
> include file?

You are imagining things.

> Maybe because this file will be used in many different
> pages on his web site - and he'd have to ensure he changes *every one of
> them*.

Fallacy: Jumping to conclusions.

I think I have fed you enough in this thread.


PointedEars
--
Use any version of Microsoft Frontpage to create your site.
(This won't prevent people from viewing your source, but no one
will want to steal it.)
-- from <http://www.vortex-webdesign.com/help/hidesource.htm> (404-comp.)
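The difference the thread argues about, as an added example that is not part of the original posts: a constructed "menu" file that carries a `<?php ... ?>` section is read back verbatim by file_get_contents() but executed by include, and a user-chosen menu name is mapped through a fixed allow-list (the `renderMenu` function and `$allowedMenus` map are assumptions made for this example) rather than used to build a path.

```php
<?php
// Added example, not code from the thread. Shows that include and
// file_get_contents() are not interchangeable for "plain text" files, and
// one defensive way to serve a menu file whose name comes from user input.

$tmp = tempnam(sys_get_temp_dir(), 'menu');
// Constructed content: looks like a text menu but contains a PHP section.
file_put_contents($tmp, "Home | About <?php echo 'PHP SECTION EXECUTED'; ?>\n");

// 1. file_get_contents() returns the bytes verbatim; nothing is executed.
$text = file_get_contents($tmp);
echo "file_get_contents: ", $text;

// 2. include parses the file for <?php ... ?> sections and runs them,
//    regardless of the short_open_tag setting.
echo "include: ";
include $tmp;
echo "\n";

// 3. When the file name comes from the request, never build the path from
//    it. Map the untrusted key to an allow-list of known files instead, read
//    the file (do not include it), and escape it before emitting into HTML.
function renderMenu(string $key, array $allowedMenus): string
{
    if (!array_key_exists($key, $allowedMenus)) {
        return '';                                   // unknown key: show nothing
    }
    $raw = file_get_contents($allowedMenus[$key]);   // read, never include
    if ($raw === false) {
        return '';                                   // unreadable file: show nothing
    }
    // Plain-text menu: escape so file content cannot inject markup or script.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$allowedMenus = ['main' => $tmp];                    // assumed allow-list
echo renderMenu($_GET['menu'] ?? 'main', $allowedMenus), "\n";
echo renderMenu('nonexistent', $allowedMenus), "\n";  // rejected by the allow-list

unlink($tmp);
```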