0

Hi on my php project The user send the name of the theme (it's a telegram desktop theme maker) via form input. (The project is hosted on github Github Project) The problem is: I use this in the theme name the user could potentially access any folder on the serve. I tried to correct it with this commit : Github commit

$theme_name = str_replace("/", "_badyou_", $_GET["name"]); //contains the good themename

I need the just the name so I thought that eliminating the "/" is enough. But I need the opinion of someone who actually knows php better than me.

P.S sorry for my bad english. Thank you in advance.

Improve this question
1
  • 1
    Does your code have a mechanism to notify errors to users? I think it's easier for everybody to just reject bad input with a proper error message rather than changing user input randomly; not to mention that black list approaches are doomed to fail. Commented Jan 16, 2017 at 12:00

2 Answers 2

Reset to default
2

Well, it seems you are trying to protect your code against code injection attacks. Code injection allows the attacker to force execution of malicious code. This can be done by passing malicious code in the url. See this link for more information: https://www.owasp.org/index.php/Code_Injection. See also this link: http://www.derby-web-design-agency.co.uk/blog-post/what-is-and-how-to-prevent-url-injections-in-php/11/

To prevent code injection, the developer should validate all input sent to the application. Php provide several functions for validating and sanitizing data. For example: trim(), strip_tags(), htmlentities() and mysqli_real_escape_string()

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Almost every solution to injection I've ever found that includes the word "sanitization" was wrong. Functions suggested may have their use cases, but applying them randomly (often some of them at the same time) will normally just corrupt data and I can't figure out how any of them can eventually help with file system path injection.
You can try the filter_input function. It filters the $_GET array variables with certain filters depending on the needs. See: php.net/manual/en/function.filter-input.php
0

In the past days I saw that using the following code is enough.

$theme_name = str_replace("/", "_badyou_", $_GET["name"]); //contains the good themename

$theme_name is used for creation of the file like /dir_to_folder/$theme_name/$theme_name.tdesktop-theme

Someone already tried to attack my file system and they failed because the function is changing the "/" character with "badyou" making it inoffensive. That is possible also because I don't use a database. I hope that this will help someone.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.