

Thread: Load XML from External Domains

  1. #1

    Load XML from External Domains

    I was looking at http://www.kirupa.com/web/load_xml.htm and it is a very bad example!

    One should use readfile() instead of include(). Then the <? ?> tags will not be executed as PHP. Using include opens up all kinds of security issues: What if someone passed a URL they controlled? Then they could run arbitrary code on your server!

    The comment "If that tag is included in the XML-file, it will cause a PHP parse error, since php will treat everything within the <? and ?> as PHP-code" should have sent off alarm bells.

    Also, if you turn off short_open_tags then <? will be ignored and you'll require <?php ?> for all PHP code.
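The difference the post draws between include() and readfile() can be made concrete with PHP's own tokenizer. The script below is an added example, not code from the tutorial or from anyone in this thread: it feeds a constructed XML document (the sample links file is invented for the example) to token_get_all(), which reports exactly where include() would start interpreting text as PHP code, and then emits the same file with readfile(), which only copies bytes.

```php
<?php
// Added example (not the tutorial's code). Shows why include() is the
// wrong tool for passing a fetched XML file to the browser: with
// short_open_tag=On the XML declaration "<?xml ...?>" is itself a PHP
// open tag, so include() would try to run the document. readfile() and
// file_get_contents() move bytes and never interpret them.

// Constructed sample XML, the kind of document the tutorial loads.
$sampleXml = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<links>
  <link url="https://example.invalid/page" title="Example page"/>
</links>
XML;

/**
 * Return the line numbers on which the PHP engine would open a code
 * section if $text were passed to include(). An empty array means the
 * text is inert. Like include(), this honours the short_open_tag setting.
 */
function phpOpenTagLines(string $text): array
{
    $lines = [];
    foreach (token_get_all($text) as $token) {
        // Array tokens are [id, text, line]; "<?", "<?php" and "<?=" all open code.
        if (is_array($token) && in_array($token[0], [T_OPEN_TAG, T_OPEN_TAG_WITH_ECHO], true)) {
            $lines[] = $token[2];
        }
    }
    return $lines;
}

/**
 * The safe way to pass an XML file through: copy its bytes to the output.
 * Nothing inside the file is parsed or executed by PHP.
 */
function emitXml(string $path): int
{
    if (PHP_SAPI !== 'cli') {
        header('Content-Type: text/xml; charset=UTF-8');
    }
    return (int) readfile($path);
}

$tmp = tempnam(sys_get_temp_dir(), 'xml');
file_put_contents($tmp, $sampleXml);

$opens = phpOpenTagLines($sampleXml);
printf("short_open_tag=%s; include() would start PHP code on line(s): %s\n",
    ini_get('short_open_tag') ? 'On' : 'Off',
    $opens ? implode(', ', $opens) : 'none');

// Same document, delivered as data rather than code.
emitXml($tmp);
unlink($tmp);
```

Run it twice, with `php -d short_open_tag=1` and `php -d short_open_tag=0`, to see the first line of the XML declaration switch between "code" and "inert" while readfile() prints the document unchanged either way. Turning short_open_tag off closes this particular hole for the XML declaration, but a fetched file that contains a literal `<?php` tag would still run under include(), so the fix is to stop using include() for data, not to rely on the ini setting.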

  2. #2
    That code is 4 years old... ridicule all you want lmao
    Let us live so that when we come to die even the undertaker will be sorry. - Mark Twain
    Don't PM me your CSS, xHTML, JS or PHP questions. I will not reply to ANY IE6 questions.

  3. #3
    OK, I will!

    If you're going to put insecure code on the web then you should warn people about that. This is why PHP has a bad name.

  4. #4
    So much for being facetious. And I'm all about security, I preach it. HOWEVER, pointing out a flaw on an aged code is moot. When people put out tutorials (and this is very common everywhere) they take it and say... "how do I get from point a to point b with the least amount of resistance". I'm not saying it's right, but that's just how it is.

    Also... at the bottom of this page is:
    Alternate, Secure Method - by njs12345
    Using the example PHP script provided in the tutorial, it is possible to include any file. For instance, under Unix, it is possible to include the file /etc/passwd, which contains passwords for the whole system.

    This could also be used to include the source code of other PHP documents. For instance, how would you like it if someone included your PHP connection strings?

    It would be much better to check if the URL string begins with "http://" using some code like this:
    PHP Code:
    <?php
    // Only accept sources whose first seven characters are "http://"
    if (substr($_GET['xmlsource'], 0, 7) == "http://") {
        // is using http:// protocol, allowed
        include($_GET['xmlsource']);
    } else {
        print "ERROR: not authorized";
    }
    ?>
    - njs12345
    Let us live so that when we come to die even the undertaker will be sorry. - Mark Twain
    Don't PM me your CSS, xHTML, JS or PHP questions. I will not reply to ANY IE6 questions.
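The quoted "http://" prefix test stops the /etc/passwd case but still lets a visitor name any web server on the internet, and the document it returns is then include()d as PHP. The script below is an added example, not code from njs12345 or the tutorial: it runs the prefix check and an allowlist check side by side over a few constructed URLs, and shows a loader that fetches the allowed source as data and parses it with SimpleXML. The allowed host `feeds.example.invalid` and the sample URLs are assumptions made up for the example.

```php
<?php
// Added example (not njs12345's or the tutorial's code). Contrasts the
// quoted "starts with http://" test with an allowlist, and fetches the
// document with file_get_contents() instead of include(), so whatever
// comes back is treated as XML data and never as PHP code.

/** The check quoted in the thread: it inspects only the first seven bytes. */
function prefixCheck(string $source): bool
{
    return substr($source, 0, 7) === 'http://';
}

/**
 * Allowlist check: scheme must be https, the host must be one chosen in
 * advance, and the URL may carry no credentials or non-default port.
 * $allowedHosts is supplied by the application, not taken from the request.
 */
function isAllowedSource(string $source, array $allowedHosts): bool
{
    $u = parse_url($source);
    if ($u === false || !isset($u['scheme'], $u['host'])) {
        return false;                       // not an absolute URL at all
    }
    if (strtolower($u['scheme']) !== 'https') {
        return false;                       // plain http and local schemes rejected
    }
    if (isset($u['user']) || isset($u['pass']) || isset($u['port'])) {
        return false;                       // credentials or odd port in the URL
    }
    return in_array(strtolower($u['host']), $allowedHosts, true);
}

/**
 * Fetch an allowed source and parse it as XML. Returns null on any
 * failure (rejected URL, fetch error, malformed document). LIBXML_NONET
 * keeps the parser from following external references during parsing.
 */
function loadXmlSource(string $source, array $allowedHosts): ?SimpleXMLElement
{
    if (!isAllowedSource($source, $allowedHosts)) {
        return null;
    }
    $body = @file_get_contents($source);    // bytes only; nothing is executed
    if ($body === false) {
        return null;
    }
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    return $doc === false ? null : $doc;
}

// Constructed allowlist and sample inputs for the comparison.
$allowedHosts = ['feeds.example.invalid'];
$cases = [
    'https://feeds.example.invalid/links.xml',                  // the one legitimate source
    'http://feeds.example.invalid/links.xml',                   // right host, wrong scheme
    'http://anyone.example/links.xml',                          // passes the prefix test
    'https://feeds.example.invalid@other.example/links.xml',    // credentials trick
    '/etc/passwd',                                              // local path
];

printf("%-58s %-7s %s\n", 'source', 'prefix', 'allowlist');
foreach ($cases as $source) {
    printf("%-58s %-7s %s\n", $source,
        prefixCheck($source) ? 'pass' : 'reject',
        isAllowedSource($source, $allowedHosts) ? 'pass' : 'reject');
}

// Typical use in a page, with the source coming from the query string:
// $doc = loadXmlSource($_GET['xmlsource'] ?? '', $allowedHosts);
// if ($doc === null) { http_response_code(400); exit('ERROR: not authorized'); }
```

Only the first URL passes the allowlist, while the prefix test passes the second and third as well. The stricter design is to not take a URL from the visitor at all: map a short key such as `?feed=links` to a server-side table of sources, which removes the validation problem entirely.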
