I haven't tried those, but I should have mentioned in my post that the value of
$message is always a value I create. The person asking the original question,
however, might have been accepting input from unknown users.
Thanks for the 'alert' though... Stand down Number One...
-----Original Message-----
From: Richard Lynch [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 01, 2001 10:03 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Replacing template variables with values?
> This always works for me...
>
> eval ("\$message = \"$message\";");
RED ALERT! SECURITY TO THE BRIDGE!
"Captain, there's Klingons off the starboard bow!"
Oh, sorry. Did I type that aloud? Sorry.
If $message is a free-form email typed in by a potentially malicious user,
this looks pretty dangerous to me...
Have you tried it with things like:
$message = '";exec("/usr/bin/cat /etc/passwd");';
Do *NOT* try this one, but if the above works, think what *THIS* would do!
$message = '";exec("/usr/bin/rm -rf /");';
--
WARNING [EMAIL PROTECTED] address is an endangered species -- Use
[EMAIL PROTECTED]
Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
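An added example, not code from either poster, that puts the eval() substitution quoted in the thread beside a substitution that never parses the template as PHP. The function names, the constructed templates, and the placeholder rule ($identifier, replaced only when it names an explicitly supplied variable) are assumptions made for this demo. One caveat on the thread's payloads: they end in '");' and so leave a dangling '";' after the call, which eval() rejects as a parse error before anything runs; a payload that re-opens the string literal, as below, parses cleanly and executes.

```php
<?php
declare(strict_types=1);

// Constructed example (not from the thread). Function names, placeholder
// handling and sample templates are assumptions for this demo.

// The pattern quoted in the thread: the template text is pasted into PHP
// source and run. Anything in $message that closes the string literal is
// executed as code, with the privileges of the web server.
function render_with_eval(string $message, array $vars): string
{
    extract($vars, EXTR_SKIP);              // expose $name, $order ... to eval()
    eval("\$message = \"$message\";");      // VULNERABLE: template is code here
    return $message;
}

// Replacement: only tokens of the form $identifier are touched, and only when
// the identifier is one of the variables the caller explicitly supplied.
// Unknown tokens stay literal, and no PHP is ever parsed from the template.
function render_safe(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\$(\w+)/',
        static function (array $m) use ($vars): string {
            return array_key_exists($m[1], $vars) ? (string) $vars[$m[1]] : $m[0];
        },
        $template
    );
}

$vars = ['name' => 'Alice', 'order' => '42'];

// Benign template: both renderers produce the same interpolated text.
$benign = 'Hello $name, order $order has shipped.';
echo render_with_eval($benign, $vars), "\n";
echo render_safe($benign, $vars), "\n";

// Hostile template (constructed). It closes the string, runs a statement, and
// re-opens the string so that what eval() sees still parses:
//   $message = "Hello $name";$GLOBALS["injected"] = "...";$message = "";
// The injected statement is harmless here; exec() or system() would be run
// in exactly the same way.
$hostile = 'Hello $name";$GLOBALS["injected"] = "arbitrary PHP ran";$message = "';

$out = render_safe($hostile, $vars);
echo 'safe renderer: ', $GLOBALS['injected'] ?? 'nothing injected', "\n";
echo 'safe renderer output: ', $out, "\n";   // hostile text survives as plain data

render_with_eval($hostile, $vars);
echo 'eval renderer: ', $GLOBALS['injected'] ?? 'nothing injected', "\n";
```

Running this shows the safe renderer returning the hostile template with only $name substituted and $GLOBALS['injected'] still unset, while the eval() renderer sets $GLOBALS['injected'] as a side effect and returns an empty string, since the payload's final statement reassigns $message. The allowlist in render_safe() is the real control: the template can only ever reference variables the application chose to expose, which is all a mail template needs.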