Then you can have SQL injection attacks, too! :)

I don't know enough about PHP, but I would double-check that doing
something like \/ (escaped forward-slash) doesn't get around that code.
It doesn't look like it would, though.

> -----Original Message-----
> From: tclug-list-bounces at mn-linux.org 
> [mailto:tclug-list-bounces at mn-linux.org] On Behalf Of Matt Murphy
> Sent: Friday, March 05, 2004 10:22 AM
> To: 'TCLUG Mailing List'
> Subject: RE: [TCLUG] Attack
> 
> 
> > Can you build a dictionary list corresponding to the
> > filenames so that the visible URL that people see is 
> > something like 
> > "http://domain.tld/location/FISH4310PREL2Q0OU", or submit the 
> > form variable as the hash.  Then find the 
> > file based on the hash...?
> 
> 	Ack, now I see what you were doing... Store your files 
> in a database!!!
> 
> Matt


_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
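
The two ideas from this thread combined: an opaque token in the URL and the file kept in a database, with the lookup done as a parameterized query so the SQL injection concern raised in the reply does not apply. This is an added example, not code from the thread; it uses Python with SQLite rather than PHP, and the table, function names and sample data are constructed for illustration.

```python
import secrets
import sqlite3

def make_store():
    """In-memory table mapping an opaque token to a stored file (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE files (token TEXT PRIMARY KEY, name TEXT NOT NULL, body BLOB NOT NULL)"
    )
    return db

def publish(db, name, body):
    """Store a file and return the random token that appears in the public URL."""
    token = secrets.token_urlsafe(16)  # 128 random bits; carries no path information
    db.execute("INSERT INTO files (token, name, body) VALUES (?, ?, ?)", (token, name, body))
    return token

def fetch_unsafe(db, token):
    """Vulnerable form: the request value is concatenated into the SQL text."""
    sql = "SELECT name, body FROM files WHERE token = '" + token + "'"
    return db.execute(sql).fetchall()

def fetch(db, token):
    """Hardened form: the token is bound as a parameter and only ever compared as data."""
    if not isinstance(token, str) or len(token) > 64:
        return None
    return db.execute(
        "SELECT name, body FROM files WHERE token = ?", (token,)
    ).fetchone()

if __name__ == "__main__":
    db = make_store()
    good = publish(db, "report.pdf", b"%PDF-sample")   # constructed sample files
    publish(db, "private.txt", b"secret")
    hostile = "x' OR '1'='1"                            # constructed hostile request value
    print("unsafe rows returned:", len(fetch_unsafe(db, hostile)))
    print("parameterized, hostile:", fetch(db, hostile))
    print("parameterized, traversal:", fetch(db, "../../etc/passwd"))
    print("parameterized, valid:", fetch(db, good))
```

Because the request value is never used to build a filesystem path, slash and backslash sequences such as `\/` simply fail to match any token.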