Chapter 29: Security

Reading arbitrary files

A few common PHP programming mistakes can make it easy for a hacker to read almost any file on the server. Study the following page:


Pick a poem:
This simple program displays a number of poems, selectable from a pop-up menu given in the form near the end. Invoke the security mantra: Don't trust the network. Clicking Show Me on this page results in URLs such as poetry.php?poem=graves.html. A cracker may substitute the filename of some more sensitive file, such as poetry.php?poem=/etc/passwd. The program, as given, would dutifully serve up the Unix password file, possibly enabling the cracker to break into a visitor account and do further damage.

The following is an appropriate solution to this problem:

The advantage of this method is that it explicitly lists the acceptable inputs and gracefully handles unacceptable inputs. If there were more poems to be processed, the switch statement could be replaced with a database query, where failure of the query indicates invalid input.
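The following is an added example, not the book's own listing (neither the original poetry.php nor its fixed version is reproduced on this page). It puts the vulnerable pattern the text describes beside an allow-listed version; the poem filenames, their titles and the poems/ directory are assumptions made for the example.

```php
<?php
// Added example, not the book's own listing: the vulnerable poetry.php beside
// an allow-listed version. Poem filenames and the poems/ directory are assumed.

// ---- Vulnerable version: the query-string value is used directly as a path --
// poetry.php?poem=graves.html works as intended, but poetry.php?poem=/etc/passwd
// (or ../../../../etc/passwd) serves that file instead, with whatever read
// access the web server process happens to have.
function show_poem_unsafe(array $query): string
{
    $poem = $query['poem'] ?? 'graves.html';
    return (string) @file_get_contents($poem);   // arbitrary file read
}

// ---- Hardened version: an explicit allow-list ------------------------------
// The book's solution uses a switch statement; the table below is the same
// check in data form, so the pop-up menu and the check are built from one
// source and cannot drift apart. Nothing outside the table reaches the disk.
const POEM_DIR = __DIR__ . '/poems';             // assumed location of the poems
const POEMS = [                                  // constructed sample entries
    'graves.html'  => 'Robert Graves',
    'shelley.html' => 'Percy Bysshe Shelley',
    'yeats.html'   => 'W. B. Yeats',
];

// Returns the path of an allow-listed poem, or null for anything else.
function poem_path(string $key): ?string
{
    return array_key_exists($key, POEMS) ? POEM_DIR . '/' . $key : null;
}

function show_poem_safe(array $query): string
{
    $path = poem_path((string) ($query['poem'] ?? ''));
    if ($path === null) {
        return "Sorry, that poem is not available.\n";  // graceful rejection
    }
    return (string) file_get_contents($path);
}

// The form, generated from the same table. Values are HTML-escaped even though
// they are constants here, so the habit carries over to data that is not.
function poem_form(): string
{
    $html = "<form action=\"poetry.php\" method=\"get\">\nPick a poem:\n<select name=\"poem\">\n";
    foreach (POEMS as $file => $title) {
        $html .= sprintf("  <option value=\"%s\">%s</option>\n",
            htmlspecialchars($file, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($title, ENT_QUOTES, 'UTF-8'));
    }
    return $html . "</select>\n<input type=\"submit\" value=\"Show Me\">\n</form>\n";
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demonstration: create one sample poem, then try a legitimate
    // request and two attack strings against both versions.
    if (!is_dir(POEM_DIR)) {
        mkdir(POEM_DIR);
    }
    file_put_contents(POEM_DIR . '/graves.html', "<p>Sample poem text.</p>\n");
    chdir(POEM_DIR);   // so the relative name resolves for the unsafe version too
    foreach (['graves.html', '/etc/passwd', '../../../../etc/passwd'] as $input) {
        $query = ['poem' => $input];
        printf("poem=%-26s unsafe: %-40s safe: %s",
            $input,
            strtok(show_poem_unsafe($query) ?: "(nothing)\n", "\n"),
            show_poem_safe($query));
    }
} else {
    echo isset($_GET['poem']) ? show_poem_safe($_GET) : poem_form();
}
```

Run it from the command line (php poetry.php) to see the contrast: the unsafe version prints the first line of /etc/passwd for both attack strings, while the safe version returns the rejection message and never opens a file it did not list. Note that the check is on the exact submitted value, not on a cleaned-up version of it; stripping "../" or calling basename() is the kind of fix that tends to miss an encoding or a second pass, whereas an allow-list has nothing to miss. Replacing the table with a database lookup, as the text suggests, keeps the same property as long as an empty result is treated as invalid input rather than as a path to try.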