Re: Repetitive code question [message #179654 is a reply to message #179653]
Thu, 15 November 2012 21:20 |
Jerry Stuckle
On 11/15/2012 3:06 PM, Thomas 'PointedEars' Lahn wrote:
> Jerry Stuckle wrote:
>
>> On 11/15/2012 10:21 AM, Thomas 'PointedEars' Lahn wrote:
>>> Shake wrote:
>>>> On 15/11/2012 13:26, Dynamo wrote:
>>>> > following php code to get the file contents:
>>>> > [
>>>> > <?php
>>>> > $mymenu=file_get_contents('menu.txt');
>>>> > echo $mymenu;
>>>> > ?>
>>>> > ]
>>>> > Everything works fine but is this good practice and is there a better
>>>> > way.
>>>>
>>>> if the content of 'menu.txt' is HTML... the filename should be
>>>> 'menu.html'.
>>>
>>> And the variable is superfluous (except perhaps for debugging):
>>>
>>> <?php
>>> echo file_get_contents('menu.txt');
>>> ?>
>>>
>>>> What you are doing is an include... you can do this way:
>>>>
>>>> <?
>>>> include('menu.txt');
>>>> ?>
>>>
>>> That is not equivalent to the above, because with `include' (or
>>> `include_once', `require', or `require_once') the content of menu.txt
>>> will be parsed (searched for <?php … ?> sections which will then be
>>> executed).
>>
>> So? Actually, it's an advantage. For instance, he may later want to
>> add PHP code into the menu. He then would not need to go back and
>> change all his existing code.
>
> As I have explained in the part that you did not quote, it can be an
> advantage indeed. But if it really is only supposed to be plain text (or
> plain markup), using one of the include statements now can easily be a
> disadvantage over file_get_contents() or readfile() if the plain text
> happens to contain `<?php' or even `<?'. Because what follows will be
> parsed as PHP until `?>' no matter if that was intended.
>
> I strongly suspect this is but an example (it reads like homework). If the
> file in question is actually user-specified, using an include statement like
> this instead of file_get_contents() or readfile() would allow for code
> injection and potentially a cross-site scripting (XSS) attack on this
> application or website. If the PHP section feature is to be leveraged
> later, the statement can still be modified to use an include statement
> later, after it has been ensured that code injection and XSS are not
> possible.
>
>
> PointedEars
>
OK, pray tell - how is a hacker going to initiate a code injection
attack without access to the file system to modify (or replace) the
included file? And if the hacker has access to the file system, what
difference does it make what method the op uses?

And exactly how many files do you think include <?php unless they are
php files? None I've ever seen. They *might* have <?, but that's not a
problem if you disable short_open_tag (as recommended).

As for modifying the statement later - why do you think he wants an
include file? Maybe because this file will be used in many different
pages on his web site - and he'd have to ensure he changes *every one of
them*.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
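The difference the two posters are arguing about is easy to see on the command line. The script below is an added example, not code from the thread or from any of its participants: it writes a constructed "plain text" menu that happens to contain a `<?php` section into a scratch directory, captures what `include`, `file_get_contents()` and `readfile()` each send to the client, and then contrasts an include whose path comes from the request (the case PointedEars describes) with an allowlisted lookup. The helper names (`render`, `unsafeMenu`, `safeMenu`) and the scratch directory under `sys_get_temp_dir()` are assumptions of this example.

```php
<?php
// Added example for the include vs. file_get_contents()/readfile() discussion.
// Not from the original thread. Assumes PHP 7+ on the CLI and a writable temp dir.
declare(strict_types=1);

$dir = sys_get_temp_dir() . '/menu_demo_' . getmypid();   // assumed scratch location
mkdir($dir, 0700);

// Constructed sample: a menu the author thinks of as plain text, but which
// contains a PHP section (the situation PointedEars warns about).
$menuText = "<ul>\n<li>Home</li>\n<?php echo '<li>injected</li>'; ?>\n</ul>\n";
file_put_contents("$dir/menu.txt", $menuText);

// Constructed sample: a file an attacker could have placed on the server by
// some unrelated upload feature; with include it becomes executable code.
file_put_contents("$dir/avatar.jpg", "GIF89a<?php echo 'pwned'; ?>");

// Capture what each approach would send to the browser.
function render(callable $fn): string {
    ob_start();
    $fn();
    return ob_get_clean();
}

$viaInclude  = render(function () use ($dir) { include "$dir/menu.txt"; });
$viaContents = render(function () use ($dir) { echo file_get_contents("$dir/menu.txt"); });
$viaReadfile = render(function () use ($dir) { readfile("$dir/menu.txt"); });

// include: the <?php ... ?> section was executed, so its output appears and the tag is gone.
var_dump(strpos($viaInclude, '<li>injected</li>') !== false && strpos($viaInclude, '<?php') === false);
// file_get_contents()/readfile(): bytes are sent verbatim, nothing is executed.
var_dump($viaContents === $menuText && $viaReadfile === $menuText);

// Hypothetical vulnerable pattern: the file name is taken from the request.
// include turns any readable file containing "<?php" into code execution;
// file_get_contents() would "only" disclose the file, which is still a bug.
function unsafeMenu(string $page): string {
    return render(function () use ($page) { include $page; });
}

// Hardened lookup: map a request value to a fixed set of files, confirm the
// resolved path stays inside the content directory, and emit the bytes rather
// than parsing them. (If the file is untrusted plain text rather than the
// site owner's own markup, wrap the result in htmlspecialchars() as well.)
function safeMenu(string $page, string $baseDir): string {
    $allowed = ['main' => 'menu.txt'];              // allowlist keyed by request value
    if (!isset($allowed[$page])) {
        return '';
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowed[$page]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return '';
    }
    return file_get_contents($path);
}

var_dump(strpos(unsafeMenu("$dir/avatar.jpg"), 'pwned') !== false);   // attacker code ran
var_dump(safeMenu('../avatar.jpg', $dir) === '');                     // rejected by allowlist
var_dump(safeMenu('main', $dir) === $menuText);                       // verbatim, not parsed

unlink("$dir/menu.txt");
unlink("$dir/avatar.jpg");
rmdir($dir);
```

All five `var_dump()` calls print `bool(true)`. The first pair is the whole disagreement in two lines: `include` executes the PHP section in a file nobody thought of as PHP, while the two read functions do not. The last three show why the method matters even though both camps are right about something: Jerry is correct that an attacker still needs to get bytes onto the disk, but any upload path, log file or cache that lands under a directory the script can reach is enough once the file name is attacker-influenced, and an allowlist plus `realpath()` containment removes that channel regardless of which read function is used.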