Originally posted by bogeyman
View Post
-
Why not? It doesn't do any harm. If somebody leaves a security hole in their application that allows it to be abused, then they're almost certainly leaving SQL injection and XSS holes as well, so this is the least of their worries. -
Originally posted by NickFitz View Post
Yup, it is. He needs to use htmlentities() instead (see my original post). urlencode() will convert all the symbols to their html equivalent which will break a file_get_contents call because it doesn't realise it is a url any more.Comment
-
Misuse of the word "friendly" there - well, unless they allow me to re-enable it when I want toOriginally posted by Ardesco View PostUnless of course your friendly web admin has set:
Code:disable_functions = phpinfo
in the php.ini
Comment
-
Nope - he's building a URL, which isn't HTML. htmlentities() is used for encoding stuff to be rendered on a web page, not for URL encoding; so if one writes a URL to a page, it should be formed with urlencode() applied to values in the query string and fragment identifier, and then passed through htmlentities() to make it valid HTML. But for use as a URL, only the first is appropriate, otherwise it'll mess up the query string.Originally posted by Ardesco View Post
E.G. http://example.com?p=1&q=2 would become http://example.com?p=1&q=2, which would result in the server thinking it had been passed a value of 2 with the name amp;q.Comment
-
you got me there
I bow down to NickFitz's superior knowledge
Comment
-
As so must we allOriginally posted by Ardesco View Postyou got me there
I bow down to NickFitz's superior knowledge
(otherwise he'll never shut up)
You've come right out the other side of the forest of irony and ended up in the desert of wrong.
Comment
-
Hey lotsa of sensible answers, cheers. Will try those later, if work then on to the hard bit, actually extracting the figure I want.
Know nothing about the security stuff or server side at all as is probably obvious but this is a short conversion file Worlpay provide configured to my specific account so must be safe enough to use it?
****
Hmm! HTMLentities works but now I am getting a file timeout although pages are available, same if use fopen. All the things that should allow remote access like allow_url_fopen are set to on according to the info file. Bum.Last edited by xoggoth; 22 November 2008, 19:20.bloggoth
If everything isn't black and white, I say, 'Why the hell not?'
John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)Comment
-
You shouldn't use htmlentities(), as it's not relevant and could damage your URLs. See my post at the end of page 1, and the php.net documentation I linked to in my previous post - explicitly opening, reading, and closing the file may be more reliable for your setup.
Alternatively try the cURL functions - they're slightly more complicated to use, but if nothing else they give you a much better indication of what, if anything, has gone wrong.Comment
-
Cheers for further comments Nick. Turns out there was a security problem, I have to request access via the host firewall for every URL I want to open.bloggoth
If everything isn't black and white, I say, 'Why the hell not?'
John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)Comment
Comment