fopen() hackable?
Posted by gpl24, 11-13-2011, 01:02 AM |
Would fopen() be hackable under this environment?
I've never used fopen() to any offsite URLs before, so I am not sure if this is risky or not. (I did not write this code)
Basically, the script is just checking for a phrase (think reciprocal links, for example) on a remote site - in this way, is the code executed or just read?
If the site fopen() is reading is hacked, can my script be hacked also?
|
Posted by fabin, 11-13-2011, 01:24 AM |
The code looks safe, provided $url is not user-provided data.
If $url is user-provided data, the code that is run when $status=true needs to be inspected too.
Usually, it's file_get_content, include and require statements that are bad when remote URLs are open. In those cases, it is advised to use curl and perform proper input filtering.
|
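Added example, not part of the thread and not the poster's script: one way to do the remote phrase check discussed above so that a user-submitted URL can only be fetched over http/https and the response is only ever handled as a string. The function name, the size and time limits and the sample inputs are assumptions, and allow_url_fopen is assumed to be enabled.

```php
<?php
// Added illustration; remote_page_contains() is a hypothetical helper,
// not a function from the script discussed in this thread.
function remote_page_contains(string $url, string $phrase, int $maxBytes = 262144): bool
{
    if ($phrase === '') {
        return false;
    }

    // fopen() accepts local paths and every registered stream wrapper
    // (file://, php://, ftp://, ...), so accept only absolute http/https
    // URLs that carry a host.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }

    // The https wrapper reads the 'http' context options as well.
    $ctx = stream_context_create(['http' => [
        'timeout'         => 5,  // seconds (assumed limit)
        'follow_location' => 0,  // do not follow redirects to other URLs
    ]]);

    $fh = @fopen($url, 'rb', false, $ctx);
    if ($fh === false) {
        return false;
    }

    // Bounded read: the remote body is data, never passed to include,
    // require or eval.
    $body = stream_get_contents($fh, $maxBytes);
    fclose($fh);

    // stripos() is case-insensitive like the old eregi() call; the strict
    // !== false comparison avoids treating a match at offset 0 as a miss.
    return $body !== false && stripos($body, $phrase) !== false;
}

// Constructed inputs: both are rejected before any file or network access.
var_dump(remote_page_contains('file:///tmp/example.txt', 'my link')); // bool(false)
var_dump(remote_page_contains('page.html', 'my link'));               // bool(false)
```

The scheme check does not limit which hosts the server will connect to; if internal addresses must be excluded, that needs a separate check on the resolved address.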
Posted by gpl24, 11-13-2011, 02:09 AM |
It is user-submitted data, but the URL is sanitized via the following:
sanitize_string:
I searched the code for file_get_content and I didn't locate anything.
However, in my code, I located the bits that do a live-check of the submission (to the user) before the info is recorded to the database. The code I posted earlier was the back-end code only admins use.
Are these vulnerable?
|
Posted by gpl24, 11-13-2011, 02:26 AM |
P.S. I just noticed @eregi() and fixed:
if (strstr($pg_line, $phrases[$i])) {
|
Posted by fabin, 11-13-2011, 03:03 AM |
The provided code looks safe to me. Also, you are not importing (using include or require) anything from the remote URL, which is good.
You have to ensure that the output is escaped before it is shown to the user as HTML and also use mysql_real_escape() on all variables before executing any SQL.
|
Posted by gpl24, 11-13-2011, 04:43 AM |
Nothing is actually shown to the user but a generic error via echo (nothing that copies any data from unescaped variables).
Great tip, I will comb over the code to check database input variables for use of mysql_real_escape_string.
Thanks for taking the time to peek at the code!
|
Posted by gpl24, 11-13-2011, 04:52 AM |
Followup question regarding mysql_real_escape_string -- it appears to be already listed as a function. Will this suffice?
(In PHP I assume that for every function, once $string is handed down, it gets snipped/cleansed and soaked all the way to the end? As in, no 1 magical super-long cleansing string is required?)
|