PEAK XOOPS - News

| PHP | Site News | XOOPS |

Poster : GIJOE on 2005-12-08 13:07:09 (11092 reads)

Do you know these files can be parsed as PHP file?

foo.php.en
foo.php.orig.test

This is a normal behavior of apache's mod_mime.c

If a script stores an uploaded file under DocumentRoot and its name will be generated from its original file name, it is danger enough.
(Though I don't know such modules for XOOPS...)

Even if he disallow *.php, attacker can upload *.php.hehehe and exec the file.

The latest version of Protector (2.54) scans multiple dot(.) inside $_FILE[]['name'].
If a doubtful file name is found, Protector will stop XOOPS immediately.

Read more... | 1340 bytes more |0 comments

PHP : Trouble in using mysql_fetch_object() under PHP 5.0.5

Poster : GIJOE on 2005-12-02 01:00:00 (13470 reads)


1:    $result = mysql_query( "SELECT ''" , $conn ) ;
2:    $obj = mysql_fetch_object( $result ) ;

This cause no errors in PHP <= 5.0.4.
This cause a fatal error in PHP 5.0.5 in line 2.

This should be like this:


1:    $result = mysql_query( "SELECT '' AS tmp_name" , $conn ) ;
2:    $obj = mysql_fetch_object( $result ) ;

0 comments

« 1 ... 3 4 5 (6)

Lost Password?

Register now!