FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Repetetive code question
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Repetetive code question [message #179691 is a reply to message #179688] Sun, 18 November 2012 13:38 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 11/17/2012 10:53 PM, Thomas 'PointedEars' Lahn wrote:
> Jerry Stuckle wrote:
>
>> On 11/15/2012 3:06 PM, Thomas 'PointedEars' Lahn wrote:
>>> Jerry Stuckle wrote:
>>>> On 11/15/2012 10:21 AM, Thomas 'PointedEars' Lahn wrote:
>>>> > Shake wrote:
>>>> >> El 15/11/2012 13:26, Dynamo escribió:
>>>> >>> following php code to get the file contents:
>>>> >>> [
>>>> >>> <?php
>>>> >>> $mymenu=file_get_contents('menu.txt');
>>>> >>> echo $mymenu;
>>>> >>> ?>
>>>> >>> ]
>>>> >>> Everthing works fine but is this good practice and is there a better
>>>> >>> way.
>>>> >>
>>>> >> if the content of 'menu.txt' is HTML... the filename should be
>>>> >> 'menu.html'.
>>>> >
>>>> > And the variable is superfluous (except perhaps for debugging):
>>>> >
>>>> > <?php
>>>> > echo file_get_contents('menu.txt');
>>>> > ?>
>>>> >
>>>> >> What you are doing is an include... you can do this way:
>>>> >>
>>>> >> <?
>>>> >> include('menu.txt');
>>>> >> ?>
>>>> >
>>>> > That is not equivalent to the above, because with `include' (or
>>>> > `include_once', `require', or `require_once') the content of menu.txt
>>>> > will be parsed (searched for <?php … ?> sections which will then be
>>>> > executed).
>>>>
>>>> So? Actually, it's an advantage. For instance, he may later want to
>>>> add PHP code into the menu. He then would not need to go back and
>>>> change all his existing code.
>>>
>>> As I have explained in the part that you did not quote, it can be an
>>> advantage indeed. But if it really is only supposed to be plain text (or
>>> plain markup), using one of the include statements now can easily be a
>>> disadvantage over get_file_contents() or readfile() if the plain text
>>> happens to contain `<?php' or even `<?'. Because what follows will be
>>> parsed as PHP until `?>' no matter if that was intended.
>>>
>>> I strongly suspect this is but an example (it reads like homework). If
>>> the file in question is actually user-specified, using an include
>>> statement like this instead of file_get_contents() or readfile() would
>>> allow for code injection and potentially a cross-site scripting (XSS)
>>> attack on this
>>> application or website. If the PHP section feature is to be leveraged
>>> later, the statement can still be modified to use an include statement
>>> later, after it has been ensured that code injection and XSS are not
>>> possible.
>>
>> OK, pray tell - how is a hacker going to initiate a code injection
>> attack without access to the file system to modify (or replace) the
>> included file?
>
> File system access does not need to be direct, and may not even be necessary
> if the include's path is based on user input.
>

Who said the include's path is based on user input? The guy wants to
include a fixed menu, for pete's sakes. READ THE QUESTION, STOOPID!

>> And if the hacker has access to the file system, what
>> difference does it make what method the op uses?
>
> They can more easily do more (publicly visible) damage with an include
> statement because they do not have to modify the including code. It has
> been done before. That is not to say that includes are bad per se, but
> then again I have never said that.
>

So what? If the hacker has access to the file system, he can modify
anything. And you did say includes are bad.

>> And exactly how many files do you think include <?php unless they are
>> php files? None I've ever seen. They *might* have <?, but that's not a
>> problem if you disable short_open_tags (as recommended).
>
> I have already mentioned one real case in another posting in this thread,
> and even with short_open_tags=0 `<?php … ?>' content will be parsed if in an
> include, *no matter what*. You are not paying attention.
>

Yup, I read what you said. And you're talking out of your arse, as
usual. Please show me where in any *valid html* you will have "<?php".

>> As for modifying the statement later - why do you think he wants an
>> include file?
>
> You are imagining things.
>

Nope, I am reading his message - unlike you.

>> Maybe because this file will be used in many different
>> pages on his web site - and he'd have to ensure he changes *every one of
>> them*.
>
> Fallacy: Jumping to conclusions.
>
> I think I have fed you enough in this thread.
>
>
> PointedEars
>

Why the hell do you think he wants an include file? From the ops very
first post:

"I have a large chunk of html code that is used to build an extensive
drop down menu. The same code is used on all 30 of my web pages. "

This whole message shows you have either obviously never learned to
read, are speaking with your head up your arse, or both. But then
you're well known for both.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Scrape dynamically generated hyperlinks
Next Topic: PHP 5.5 and Windows XP
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Nov 28 13:40:44 GMT 2024

Total time taken to generate the page: 0.03928 seconds