Re: Repetetive code question [message #179670 is a reply to message #179653]
Sat, 17 November 2012 13:54
Jerry Stuckle
Messages: 2598 Registered: September 2010
Senior Member
On 11/15/2012 3:06 PM, Thomas 'PointedEars' Lahn wrote:
> Jerry Stuckle wrote:
>
>> On 11/15/2012 10:21 AM, Thomas 'PointedEars' Lahn wrote:
>>> Shake wrote:
>>>> El 15/11/2012 13:26, Dynamo escribió:
>>>> > following php code to get the file contents:
>>>> > [
>>>> > <?php
>>>> > $mymenu=file_get_contents('menu.txt');
>>>> > echo $mymenu;
>>>> > ?>
>>>> > ]
>>>> > Everything works fine but is this good practice and is there a better
>>>> > way.
>>>>
>>>> if the content of 'menu.txt' is HTML... the filename should be
>>>> 'menu.html'.
>>>
>>> And the variable is superfluous (except perhaps for debugging):
>>>
>>> <?php
>>> echo file_get_contents('menu.txt');
>>> ?>
>>>
>>>> What you are doing is an include... you can do this way:
>>>>
>>>> <?
>>>> include('menu.txt');
>>>> ?>
>>>
>>> That is not equivalent to the above, because with `include' (or
>>> `include_once', `require', or `require_once') the content of menu.txt
>>> will be parsed (searched for <?php … ?> sections which will then be
>>> executed).
>>
>> So? Actually, it's an advantage. For instance, he may later want to
>> add PHP code into the menu. He then would not need to go back and
>> change all his existing code.
>
> As I have explained in the part that you did not quote, it can be an
> advantage indeed. But if it really is only supposed to be plain text (or
> plain markup), using one of the include statements now can easily be a
> disadvantage over get_file_contents() or readfile() if the plain text
> happens to contain `<?php' or even `<?'. Because what follows will be
> parsed as PHP until `?>' no matter if that was intended.
>
> I strongly suspect this is but an example (it reads like homework). If the
> file in question is actually user-specified, using an include statement like
> this instead of file_get_contents() or readfile() would allow for code
> injection and potentially a cross-site scripting (XSS) attack on this
> application or website. If the PHP section feature is to be leveraged
> later, the statement can still be modified to use an include statement
> later, after it has been ensured that code injection and XSS are not
> possible.
>
>
> PointedEars
>
I'm still waiting for your explanation as to how an include statement
would allow for code injection. This is a very serious claim - it
leaves millions of web sites around the world open for this type of attack.
Or are you just showing your ignorance again?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
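The difference the thread argues about, as an added example that is not part of anyone's post: the same text file is read once with file_get_contents()/readfile() (returned as data, the `<?php ... ?>` section stays literal text) and once with include (parsed, the section runs), followed by the allow-list pattern that keeps a request-supplied menu name from ever becoming a path. The temp directory, the sample menu content, the `menu` query parameter and the MENUS table are all constructed for this demo.

```php
<?php
// Added example (not from the thread): contrasts file_get_contents()/readfile()
// with include for a text file that happens to contain a "<?php ... ?>" section,
// and shows an allow-list for the case where the menu name comes from the request.
// Paths, the sample file content and the $_GET parameter name are constructed.

declare(strict_types=1);

// Constructed sample: a "plain text" menu that happens to contain a PHP section.
$dir = sys_get_temp_dir() . '/menu_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents(
    $dir . '/menu.txt',
    "<ul>\n<li>Home</li>\n<li>Contact</li>\n</ul>\n<?php echo 'PHP section executed!'; ?>\n"
);

// 1. Treating the file as data: file_get_contents() returns the bytes verbatim.
//    The "<?php ... ?>" section is just characters in the returned string.
$asData = file_get_contents($dir . '/menu.txt');
var_dump(strpos($asData, '<?php') !== false);   // bool(true): still present, never run

// If the content is meant to be shown as *text* rather than as markup, escape it
// before sending it to the browser; otherwise it is emitted as HTML unchanged.
echo htmlspecialchars($asData, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";

// 2. Treating the file as code: include parses it and executes the PHP section.
ob_start();
include $dir . '/menu.txt';
$asCode = ob_get_clean();
var_dump(strpos($asCode, '<?php') !== false);                  // bool(false): section was consumed
var_dump(strpos($asCode, 'PHP section executed!') !== false);  // bool(true): and executed

// 3. When the menu name comes from the request, never build the path from it.
//    Map the request value onto a fixed allow-list of files instead, so neither
//    include nor file_get_contents() can be pointed at an unexpected file.
const MENUS = [
    'main'   => 'menu.txt',
    'footer' => 'footer.txt',
];

function menuPath(string $dir, string $name): ?string
{
    // Unknown names (including anything containing "../" or a URL) yield null.
    return isset(MENUS[$name]) ? $dir . '/' . MENUS[$name] : null;
}

$requested = $_GET['menu'] ?? 'main';   // constructed parameter name; 'main' on the CLI
$path = menuPath($dir, $requested);
if ($path === null) {
    http_response_code(400);
    echo "unknown menu\n";
} else {
    readfile($path);                    // streams the file to output without parsing it
}

// Remove the temp files created for this demo.
unlink($dir . '/menu.txt');
rmdir($dir);
```

Run it from the command line with `php demo.php`: the first var_dump is true and the second is false, which is the whole point in one run. The allow-list in step 3 is what makes the choice between readfile() and include a matter of taste rather than of safety, because the request can only select among files the application itself listed.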