
Thread: Load XML from External Domains

  1. #1

    Load XML from External Domains

    I was looking at http://www.kirupa.com/web/load_xml.htm and it is a very bad example!

    One should use readfile() instead of include(). Then the <? ?> tags will not be executed as PHP. Using include opens up all kinds of security issues: What if someone passed a URL they controlled? Then they could run arbitrary code on your server!

    The comment "If that tag is included in the XML-file, it will cause a PHP parse error, since php will treat everything within the <? and ?> as PHP-code" should have sent off alarm bells.

    Also, if you turn off short_open_tags then <? will be ignored and you'll require <?php ?> for all PHP code.

  2. #2
    That code is 4 years old... ridicule all you want lmao
    Let us live so that when we come to die even the undertaker will be sorry. - Mark Twain
    Don't PM me your CSS, xHTML, JS or PHP questions. I will not reply to ANY IE6 questions.

  3. #3
    OK, I will!

    If you're going to put insecure code on the web then you should warn people about that. This is why PHP has a bad name.

  4. #4
    So much for being facetious. And I'm all about security, I preach it. HOWEVER, pointing out a flaw in aged code is moot. When people put out tutorials (and this is very common everywhere) they take it and say... "how do I get from point a to point b with the least amount of resistance". I'm not saying it's right, but that's just how it is.

    Also... at the bottom of this page is:
    Alternate, Secure Method - by njs12345
    Using the example PHP script provided in the tutorial, it is possible to include any file. For instance, under Unix, it is possible to include the file /etc/passwd, which contains passwords for the whole system.

    This could also be used to include the source code of other PHP documents. For instance, how would you like it if someone included your PHP connection strings?

    It would be much better to check if the URL string begins with "http://" using some code like this:
    PHP Code:
    <?php
    // substr($str, 0, 7) takes the first seven characters; the original
    // post had "07" with the comma missing, which compares the wrong substring
    if (substr($_GET['xmlsource'], 0, 7) == "http://") {
        // is using http:// protocol, allowed
        include($_GET['xmlsource']);
    } else {
        print "ERROR: not authorized";
    }
    ?>
    - njs12345
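The snippet quoted above only checks the scheme prefix and still hands the fetched document to include(), which, as post #1 points out, executes any <? ?> tags it contains. Below is an added example (mine, not code from this thread or from the kirupa tutorial) of the approach post #1 suggests: the URL is checked against a host allowlist, fetched as plain data, and parsed as XML, so nothing in the remote file is ever run as PHP. The hostnames in ALLOWED_XML_HOSTS are placeholders, and the script assumes allow_url_fopen is enabled.

```php
<?php
// Added example: load a remote XML document for the tutorial's ?xmlsource=
// parameter without include(). Hostnames below are placeholder assumptions.
declare(strict_types=1);

const ALLOWED_XML_HOSTS = ['xml.example.com', 'feeds.example.org'];

function loadExternalXml(string $source): SimpleXMLElement
{
    $parts = parse_url($source);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('xmlsource must be an absolute URL');
    }
    // Only http/https, and only hosts explicitly trusted by this site.
    // A bare "begins with http://" test would still accept any host on the internet.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('xmlsource must use http or https');
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_XML_HOSTS, true)) {
        throw new InvalidArgumentException('xmlsource host is not in the allowlist');
    }

    // Fetch the body as data. Unlike include(), nothing in the response is
    // executed, so "<? ... ?>" inside the XML is just text. Redirects are not
    // followed, so the response really comes from the allowlisted host.
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $body = @file_get_contents($source, false, $ctx);
    if ($body === false) {
        throw new RuntimeException('could not fetch xmlsource');
    }

    // LIBXML_NONET keeps the XML parser itself from fetching anything further
    // over the network while it reads the document.
    $xml = simplexml_load_string($body, SimpleXMLElement::class, LIBXML_NONET);
    if ($xml === false) {
        throw new RuntimeException('xmlsource is not well-formed XML');
    }
    return $xml;
}

// Same entry point as the tutorial's script: load_xml.php?xmlsource=http://...
try {
    $xml = loadExternalXml($_GET['xmlsource'] ?? '');
    header('Content-Type: text/xml; charset=utf-8');
    echo $xml->asXML();
} catch (Exception $e) {
    http_response_code(400);
    print "ERROR: not authorized";
}
```

For a single fixed feed there is no need to take the URL from the query string at all; hard-code it and drop the allowlist check.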
