[RESOLVED] DropDown select of file in Directory

halojoy

removed script
to avoid off-topic discussions
/halojoy

harmor

this

$selfile=isset($_POST['sfile'])?$selfile=$_POST['sfile']:''

should be

$selfile=isset($_POST['sfile'])?=$_POST['sfile']:''

I'm not sure if someone could do this...
But someone could copy your form, change the action.
Change the drop down to a test box with the same name "sfile".
They could input "../../../etc/passwrd" to get your password.
Again, I'm not sure if that is 100% true.

halojoy

harmor wrote:
I'm not sure if someone could do this...
But someone could copy your form, change the action.
Change the drop down to a test box with the same name "sfile".
They could input "../../../etc/passwrd" to get your password.
Again, I'm not sure if that is 100% true.

Thanks for your correction, harmor.

I changed that line of code in my script above.

to your question:

If someone can do this, copy my form etc and upload or use a remote script
and so get my password,
then not only my script, but just about anything at such a webspace
would be so unsecure
that you better not use such a website.

Has got nothing to do with my script.

My script is supposed to be only used by the admin or user with login access,
and could be a part of other php pages, forms, editors or file manager scripts.
And so would have some sort of authtentiation, login from the main script
or this script may be used only in such folders where admin and nobody else has permission.

I will NOT add a 100% secure login with md5 hashed password function
with password stored outside webpages root
to every little script or function I submit here.

If you or somebody wants to know how you make a login to your stuff, secure your php pages
and handle security issues at a more normal php level,
you have to serach elsewhere at this website and at the internet.

There are plenty of articles and tutorials in this matter of PHP Security to find.
If you search and learn a bit.

Regards
halojoy
.

harmor

If someone can do this, copy my form etc and upload or use a remote script
and so get my password,
then not only my script, but just about anything at such a webspace
would be so unsecure
that you better not use such a website.

Not true.
The reason yours is potentially insecure is that you don't do any checks to see what the user inputs.
You could do a "preg_match" to see if anything but the intended string is being passed through.

TheDefender

Ummmm, halojoy... I have a question.

Why post your code for critique in the "Code Critique" forum, and then immediately go into a defensive rant about how your code has no flaws whatsoever, when harmor was even kind enough to start his post with "I'm not sure if someone could do this..." AND ended with "Again, I'm not sure if that is 100% true."? (which to me, indicated he was just trying to be helpful anyhow)

I mean, he's trying to be helpful, and make sure all avenues of security have been addressed, and you proceed to go into a mean spirited tirade about how he doesn't even know how to code a secure login function. That's pretty presumptuous and zealous on your part, don't you think?

You're normally not like that... you having a bad week or something? Relax.....

harmor

Well is it possible to do the whole fooling the script to getting a directory?

Weedpacket

I don't see anything to prevent it; certainly there is nothing (and can be nothing) that prevents anyone from submitting anything they want in any field (and I've just remembered that the Web Developer Toolbar extension in Firefox has an option to change select elements into text fields, so it's not even necessary to change the form by hand).

I'd check the realpath() of the requested directory, and compare it against the root of whatever directory tree(s) the user is allowed to access.

halojoy

TheDefender wrote:
Ummmm, halojoy... I have a question.

Why post your code for critique in the "Code Critique" forum, and then immediately go into a defensive rant about how your code has no flaws whatsoever, when harmor was even kind enough to start his post with "I'm not sure if someone could do this..." AND ended with "Again, I'm not sure if that is 100% true."? (which to me, indicated he was just trying to be helpful anyhow)

I mean, he's trying to be helpful, and make sure all avenues of security have been addressed, and you proceed to go into a mean spirited tirade about how he doesn't even know how to code a secure login function. That's pretty presumptuous and zealous on your part, don't you think?

You're normally not like that... you having a bad week or something? Relax.....

If is requried to add a so called '100% secure' login
with total internet security
to every snippet, funtion or script I post here
then
this was the last script I publish here in www.phpbuilder.com

When knowing that not even Pentagon in USA and US Military
cant stop intruders,
if some young hacker really aim for it.

Instead of turning also this my topic into
the usual off-topic discussion:
is it not insecure?
is it not a possibility to misuse?

I am sure the average php expert is so insecure in his mind
and obsessed with php security
that he wouldnt cross an empty road
unless he has used his mobile phone
and called neighbour villages - IN BOTH ENDS
making sure there is no car coming - at least within 2-3 kilometers of range

🙂 halojoy - has no problems crossing a road
.. dont even own a mobile phone
.

Shrike

Would you prefer it if people just said how fabulous your code is? While that might boost your ego it's certainly not a critique.

TheDefender

Ummmm.... halojoy, why are you bashing me?!? I didn't even critique your code in the first place. I'm just trying to get you to a rational state of thought. YOU posted your code to have it CRITIQUED... THAT'S the purpose for this forum section, is it not?!?

Nobody EVER said 100% security was required... Heck, nobody even said your code was flawed... He was merely trying to get you to cover all of your bases, if possible.

All I can say is this: If you can't take constructive criticism about your code, then good... Don't post it anymore. Hate to see you go, because you have skill, but the attitude, and lack of respect for others isn't something that is needed here anyhow.

Don't let the door hitcha where the dog shoulda bitcha.....