Old 6th February 2006, 11:41
webstergd
Join Date: Dec 2005
Location: Washington, DC

You were correct in your fear. I am not sure what rights the function would be granted, but it could still be a big problem.

This solution is off the top of my head, having only given it a few minutes' thought, so check it with Till or Falko, but here is how I would make it more secure:

Instead of $value holding the directory, you could use $value as a number. The number would then trigger an if statement that deletes the corresponding directory.

Let's say $value = 2;

    <?php
    $value = 2;

    if ($value == 1) {
        // remove /var/www/web[id]/web/joomla/ recursively
        exec("rm -rf /var/www/web{$id}/web/joomla/");
    } elseif ($value == 2) {
        // remove /var/www/web[id]/web/phpbb2/ recursively
        exec("rm -rf /var/www/web{$id}/web/phpbb2/");
    } else {
        die('error message');
    }
The only problem with this is that web[id] would need to be properly checked to make sure it only includes proper characters ([A-Z][a-z][0-9] and, I believe, '_'; check with Till). Have the statement die on any other values detected. A few other checks might be wise to run on web[id]. Till would be your best man to ask about the functions PHP provides for this.

I still don't like web[id] in there, but for simplicity's sake I am not going to worry.

Later, to make it easier to update, you could place the list of directories in a static, read-only config file and have the program read them into a static array. You would still need to check the values, but this should make it easier to update.
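The approach sketched in this post, written out as an added example (not webstergd's code and not ISPConfig's): the user supplies only a number that indexes an allow-listed table of directory names, and the web id is checked against a character allow-list before any path is built. The directory table, the id pattern and the sample inputs are assumptions constructed for the example.

```php
<?php
// Allow-list of removable applications (assumed names, not ISPConfig config).
// The user never supplies a path, only an index into this table.
$REMOVABLE_APPS = array(
    1 => 'joomla',
    2 => 'phpbb2',
);

// Returns the absolute path to remove, or null if either input is rejected.
function resolve_removal_target($webId, $choice, array $apps)
{
    // Only [A-Za-z0-9_] in the web id; "../", ";" and spaces never get through.
    if (!is_string($webId) || !preg_match('/^[A-Za-z0-9_]+$/', $webId)) {
        return null;
    }
    // The choice must be a whole number that exists in the allow-list.
    if (!ctype_digit((string) $choice) || !isset($apps[(int) $choice])) {
        return null;
    }
    return '/var/www/web' . $webId . '/web/' . $apps[(int) $choice];
}

// Recursive delete done in PHP itself, so no shell is involved at all.
// Only called on a path that resolve_removal_target() has already accepted.
function remove_tree($dir)
{
    if (!is_dir($dir)) {
        return false;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $entry) {
        $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
    }
    return rmdir($dir);
}

// Constructed sample inputs: one legitimate request, then a traversal attempt,
// a shell metacharacter, an index outside the table and a non-numeric choice.
$cases = array(
    array('12', 2),            // => /var/www/web12/web/phpbb2
    array('12/../../etc', 2),  // => rejected
    array('12;ls', 1),         // => rejected
    array('12', 7),            // => rejected
    array('12', '1 OR 1'),     // => rejected
);
foreach ($cases as $c) {
    $target = resolve_removal_target($c[0], $c[1], $REMOVABLE_APPS);
    echo json_encode($c), ' => ', ($target === null ? 'rejected' : $target), "\n";
}
```

The demo loop only resolves paths; wire remove_tree() to the accepted result once the table and id pattern match your own setup.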

Last edited by webstergd; 6th February 2006 at 11:44.