Re: Repetitive code question [message #179691 is a reply to message #179688]
Sun, 18 November 2012 13:38 |
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 11/17/2012 10:53 PM, Thomas 'PointedEars' Lahn wrote:
> Jerry Stuckle wrote:
>
>> On 11/15/2012 3:06 PM, Thomas 'PointedEars' Lahn wrote:
>>> Jerry Stuckle wrote:
>>>> On 11/15/2012 10:21 AM, Thomas 'PointedEars' Lahn wrote:
>>>> > Shake wrote:
>>>> >> El 15/11/2012 13:26, Dynamo escribió:
>>>> >>> following php code to get the file contents:
>>>> >>> [
>>>> >>> <?php
>>>> >>> $mymenu=file_get_contents('menu.txt');
>>>> >>> echo $mymenu;
>>>> >>> ?>
>>>> >>> ]
>>>> >>> Everything works fine but is this good practice and is there a better
>>>> >>> way.
>>>> >>
>>>> >> if the content of 'menu.txt' is HTML... the filename should be
>>>> >> 'menu.html'.
>>>> >
>>>> > And the variable is superfluous (except perhaps for debugging):
>>>> >
>>>> > <?php
>>>> > echo file_get_contents('menu.txt');
>>>> > ?>
>>>> >
>>>> >> What you are doing is an include... you can do this way:
>>>> >>
>>>> >> <?
>>>> >> include('menu.txt');
>>>> >> ?>
>>>> >
>>>> > That is not equivalent to the above, because with `include' (or
>>>> > `include_once', `require', or `require_once') the content of menu.txt
>>>> > will be parsed (searched for <?php … ?> sections which will then be
>>>> > executed).
>>>>
>>>> So? Actually, it's an advantage. For instance, he may later want to
>>>> add PHP code into the menu. He then would not need to go back and
>>>> change all his existing code.
>>>
>>> As I have explained in the part that you did not quote, it can be an
>>> advantage indeed. But if it really is only supposed to be plain text (or
>>> plain markup), using one of the include statements now can easily be a
>>> disadvantage over file_get_contents() or readfile() if the plain text
>>> happens to contain `<?php' or even `<?'. Because what follows will be
>>> parsed as PHP until `?>' no matter if that was intended.
>>>
>>> I strongly suspect this is but an example (it reads like homework). If
>>> the file in question is actually user-specified, using an include
>>> statement like this instead of file_get_contents() or readfile() would
>>> allow for code injection and potentially a cross-site scripting (XSS)
>>> attack on this
>>> application or website. If the PHP section feature is to be leveraged
>>> later, the statement can still be modified to use an include statement
>>> later, after it has been ensured that code injection and XSS are not
>>> possible.
>>
>> OK, pray tell - how is a hacker going to initiate a code injection
>> attack without access to the file system to modify (or replace) the
>> included file?
>
> File system access does not need to be direct, and may not even be necessary
> if the include's path is based on user input.
>
Who said the include's path is based on user input? The guy wants to
include a fixed menu, for pete's sakes. READ THE QUESTION, STOOPID!
>> And if the hacker has access to the file system, what
>> difference does it make what method the op uses?
>
> They can more easily do more (publicly visible) damage with an include
> statement because they do not have to modify the including code. It has
> been done before. That is not to say that includes are bad per se, but
> then again I have never said that.
>
So what? If the hacker has access to the file system, he can modify
anything. And you did say includes are bad.
>> And exactly how many files do you think include <?php unless they are
>> php files? None I've ever seen. They *might* have <?, but that's not a
>> problem if you disable short_open_tags (as recommended).
>
> I have already mentioned one real case in another posting in this thread,
> and even with short_open_tags=0 `<?php … ?>' content will be parsed if in an
> include, *no matter what*. You are not paying attention.
>
Yup, I read what you said. And you're talking out of your arse, as
usual. Please show me where in any *valid html* you will have "<?php".
>> As for modifying the statement later - why do you think he wants an
>> include file?
>
> You are imagining things.
>
Nope, I am reading his message - unlike you.
>> Maybe because this file will be used in many different
>> pages on his web site - and he'd have to ensure he changes *every one of
>> them*.
>
> Fallacy: Jumping to conclusions.
>
> I think I have fed you enough in this thread.
>
>
> PointedEars
>
Why the hell do you think he wants an include file? From the OP's very
first post:
"I have a large chunk of html code that is used to build an extensive
drop down menu. The same code is used on all 30 of my web pages. "
This whole message shows you have either obviously never learned to
read, are speaking with your head up your arse, or both. But then
you're well known for both.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
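Added example (written for this page, not code from either poster or from the OP's site) showing the two points argued over above: that include parses and executes a `<?php ... ?>` section found in an otherwise plain HTML fragment regardless of short_open_tag, while file_get_contents() and readfile() copy the bytes out untouched; and what to do if the fragment name ever does come from the request. The temp directory, the constructed menu.html content, the fragment allowlist and the `frag` query parameter are all assumptions for the demo.

```php
<?php
// Added example, not from the thread. Contrasts include() with
// file_get_contents()/readfile() on a menu fragment that happens to
// contain a "<?php" sequence, then shows an allowlist for the case
// where the fragment name is taken from the request.
declare(strict_types=1);

$dir = sys_get_temp_dir() . '/menu-demo-' . getmypid();   // assumed location
mkdir($dir, 0700);

// Constructed fragment: ordinary HTML with a stray "<?php ... ?>" section.
$fragment = "<ul>\n<li><a href=\"/\">Home</a></li>\n"
          . "<?php echo 'CODE RAN'; ?>\n</ul>\n";
file_put_contents("$dir/menu.html", $fragment);

echo "--- include: the <?php section is parsed and executed ---\n";
include "$dir/menu.html";            // prints CODE RAN inside the list

echo "--- file_get_contents: bytes copied verbatim, nothing executed ---\n";
echo file_get_contents("$dir/menu.html");

echo "--- readfile: same result without the intermediate string ---\n";
readfile("$dir/menu.html");

// If the fragment name ever comes from the request, never hand it to
// include directly: "../" traversal or, with allow_url_include=On, a
// remote URL would let the caller choose what gets executed. Resolve
// against a fixed directory and an explicit allowlist, and read it as data.
function load_fragment(string $baseDir, string $name): string
{
    $allowed = ['menu', 'footer'];          // assumed fragment names
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException('unknown fragment');
    }
    $path = realpath("$baseDir/$name.html");
    $base = realpath($baseDir);
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('fragment outside base directory');
    }
    return file_get_contents($path);     // treated as bytes, not as code
}

// Assumed query parameter; e.g. ?frag=../../etc/passwd is rejected.
$requested = $_GET['frag'] ?? 'menu';
try {
    echo load_fragment($dir, $requested);
} catch (Exception $e) {
    echo "rejected: {$e->getMessage()}\n";
}

unlink("$dir/menu.html");
rmdir($dir);
```

Run it from the command line (php menu-demo.php) or under php -S and request it with and without ?frag=...: the include branch prints CODE RAN between the list items, the other two print the literal `<?php echo 'CODE RAN'; ?>` text, and any name outside the allowlist or outside the base directory is refused before anything is opened. The allowlist is what makes the path safe; realpath() is the second check in case the allowed names are ever loosened.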