Comments on: Beware of remote code injection exploit in PHP! http://www.ajaxapp.com/2007/11/29/beware-of-remote-code-injection-exploit-in-php/ about ajax, javascript, DHTML, CSS, web app, MySQL, PHP, JSP, Java, Oracle Mon, 12 May 2008 22:37:41 +0000 http://wordpress.org/?v=2.3.1 By: admin http://www.ajaxapp.com/2007/11/29/beware-of-remote-code-injection-exploit-in-php/#comment-49 admin Tue, 05 Feb 2008 12:19:48 +0000 http://www.ajaxapp.com/2007/11/29/beware-of-remote-code-injection-exploit-in-php/#comment-49 Mistake has been corrected :) Mistake has been corrected :)

]]> By: admin http://www.ajaxapp.com/2007/11/29/beware-of-remote-code-injection-exploit-in-php/#comment-48 admin Tue, 05 Feb 2008 12:17:22 +0000 http://www.ajaxapp.com/2007/11/29/beware-of-remote-code-injection-exploit-in-php/#comment-48 Yeah, Bart, you're right it was a mistake :) Yeah, Bart, you’re right it was a mistake :)

]]> By: Bart Seghers http://www.ajaxapp.com/2007/11/29/beware-of-remote-code-injection-exploit-in-php/#comment-27 Bart Seghers Fri, 25 Jan 2008 08:54:59 +0000 http://www.ajaxapp.com/2007/11/29/beware-of-remote-code-injection-exploit-in-php/#comment-27 Could it be that in your "solution 3", the following line: $page=”mypagesFolder/”.$_REQUEST[’p'].”.inc.php”; should read: $page=”mypagesFolder/”.$page.”.inc.php”; This because $page has the invalid characters replaced, while $_REQUEST[’p'] hasn't. Regards, Bart. Could it be that in your “solution 3″, the following line:

$page=”mypagesFolder/”.$_REQUEST[’p’].”.inc.php”;

should read:

$page=”mypagesFolder/”.$page.”.inc.php”;

This because $page has the invalid characters replaced, while $_REQUEST[’p’] hasn’t.

Regards,
Bart.

]]>