osCommerce


Cleaning a passed filename?


BrockleyJohn


Perhaps I'm being paranoid, but it bears thinking about.

The context is an ajax handler, called from several admin pages and running in the admin directory so hopefully password-protected, and beginning with an inclusion of application_top. With the current file structures it seemed sensible to load the language file of the page sending the request, but it didn't seem a good idea to open up the script to including an arbitrary file. I think this will restrict it to opening a file from the language directory, but can it be improved?

```php
if (isset($_POST['pagename']) && file_exists(DIR_WS_LANGUAGES . $language . '/' . basename($_POST['pagename']))) {
    include(DIR_WS_LANGUAGES . $language . '/' . basename($_POST['pagename']));
}
```

It matters since the code is intended for public release.

 

Contact me for work on updating existing stores - whether to Phoenix or the new osC when it's released.

Looking for a payment or shipping module? Maybe I've already done it.

Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x


Always clean the input values before using them. Something like this:

```php
$pagename = filter_input ( INPUT_POST, $_POST['pagename'], FILTER_SANITIZE_URL );
```

And then use $pagename in place of the POST variable everywhere in your code.

 

Regards

Jim

See my profile for a list of my addons and ways to get support.


Thanks Jim, that's a function I don't remember using; I see it's been around since PHP 5.2 but I guess I've still been in the dark ages.

It doesn't appear in the osC codebase, even in versions that require 5.3+.


It's not in osC but probably should be. In any case, it's a good way to clean variables and has many options to get specific to the type of variable.

 

Regards

Jim


Yes, I agree, that's why I raised the question.

 

For others' reference, it turns out the proper syntax is

```php
$pagename = filter_input ( INPUT_POST, 'pagename', FILTER_SANITIZE_URL );
```

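The following is an added example, not code from this thread or from osCommerce. It shows one way to tighten the check from the opening post (allowlist the shape of the page name first, then confirm the canonical path is a direct child of the language directory before including it), and it also shows what the FILTER_SANITIZE_URL approach from the later replies does to a traversal string: that filter only strips characters that are illegal in a URL, and '.', '/' and '%' are all legal, so "../configure.php" passes through unchanged. In the real handler the directory would be DIR_WS_LANGUAGES . $language from application_top; here a constructed temporary directory stands in for it, and resolve_language_file() and sanitize_url_keeps_traversal() are names chosen for this example.

```php
<?php
// Added example, not osCommerce code. In the real admin handler
// $languageDir would be DIR_WS_LANGUAGES . $language (assumed to come
// from application_top); a constructed temp directory stands in for it.
declare(strict_types=1);

/**
 * Resolve a client-supplied admin page name to a language file, or return
 * null. Two independent checks: an allowlist on the name's shape, then a
 * canonical-path check that the file sits directly inside $languageDir.
 */
function resolve_language_file(string $pagename, string $languageDir): ?string
{
    // Only lower-case letters, digits and underscores, ending in ".php".
    // This rejects "..", slashes, NUL bytes and non-PHP files before any
    // filesystem call is made with the untrusted value.
    if (!preg_match('/\A[a-z0-9_]+\.php\z/', $pagename)) {
        return null;
    }

    // realpath() canonicalises both sides (resolving symlinks and "..")
    // so the containment test below compares like with like.
    $base   = realpath($languageDir);
    $target = realpath($languageDir . DIRECTORY_SEPARATOR . $pagename);
    if ($base === false || $target === false || !is_file($target)) {
        return null;
    }
    // Require the file to be a direct child of the language directory.
    return dirname($target) === $base ? $target : null;
}

/**
 * FILTER_SANITIZE_URL removes only characters that are illegal in a URL.
 * '.', '/' and '%' are legal, so a traversal string survives intact;
 * this returns true when the filter changed nothing at all.
 */
function sanitize_url_keeps_traversal(string $payload): bool
{
    return filter_var($payload, FILTER_SANITIZE_URL) === $payload;
}

// --- Constructed fixture standing in for DIR_WS_LANGUAGES . $language ------
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'osc_lang_demo_' . bin2hex(random_bytes(4));
mkdir($dir . DIRECTORY_SEPARATOR . 'modules', 0700, true);
file_put_contents($dir . '/orders.php', "<?php\n\$lang_demo = 'orders language file loaded';\n");
file_put_contents($dir . '/modules/payment.php', "<?php\n\$lang_demo = 'nested file';\n");

$cases = [
    'orders.php',           // the only name here that should be accepted
    'modules/payment.php',  // subdirectory: the slash fails the allowlist
    '../configure.php',     // traversal: dots and slash fail the allowlist
    "orders.php\0.txt",     // NUL byte: fails the allowlist
    'ORDERS.PHP',           // upper case: fails the allowlist
    'missing.php',          // well-formed but absent: realpath() fails
];
foreach ($cases as $name) {
    $path = resolve_language_file($name, $dir);
    printf("%-26s %s\n", json_encode($name), $path === null ? 'rejected' : 'accepted');
    if ($path !== null) {
        include $path;      // only ever reached with a vetted, canonical path
        echo "    -> $lang_demo\n";
    }
}

// Why FILTER_SANITIZE_URL on its own is not a filename check.
$payload = '../configure.php';
printf("FILTER_SANITIZE_URL leaves %s unchanged: %s\n",
    $payload, sanitize_url_keeps_traversal($payload) ? 'yes' : 'no');

// Remove the fixture.
unlink($dir . '/modules/payment.php');
unlink($dir . '/orders.php');
rmdir($dir . '/modules');
rmdir($dir);
```

Save it as, say, resolve_language_file.php and run it with the php CLI. The regex does the real work; the realpath() containment check is defence in depth so that a later loosening of the pattern, or a symlink dropped into the language directory, still cannot reach a file outside it. Note that the `$language` value itself also comes from the session in osCommerce, so the same allowlist idea applies to it if it is ever taken from the request.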
