PHP Classes

Security


Package:Handle Binary Files With PDO
Subject:Security
Summary:Validation/eval
Messages:3
Author:Till Wehowski
Date:2018-01-23 03:31:04
 

1. Security
Till Wehowski - 2018-01-23 03:31:04
I did not check your package for security aspects, but I think this part

header("Content-Type: $type");
if(is_string($header)) eval($header);
echo $lob;

you have to rethink, not just because eval is often said to be evil, which in my opinion is unjustified, but because your eval in this case is completely unnecessary!
You are already using the header function for your content-type header, so why the "eval($header)"?

You could and should add some possibilities to implement checks on user input (maybe it is out of the scope of your package)?

I suggest echoing the metadata in a serialized format and letting the implementation render the file contents.

...
But anyway, keep on coding, you will get better!

2. Re: Security
zinsou A.A.E.Moïse - 2018-01-23 06:20:52 - In reply to message 1 from Till Wehowski
Thanks for these improvement suggestions. I will keep note of them. And thanks also for your encouragement. I think all the more.

Regards

3. Re: Security
zinsou A.A.E.Moïse - 2018-01-23 06:36:07 - In reply to message 1 from Till Wehowski
For the eval($header)... I have the same opinion, as it is dangerous, but as you may see $header is a portion where the programmer could wish to add something else under header("Content-Type: $type"); (example:
header('Content-Disposition: attachment; filename="downloaded.pdf"');
) as I just write the mime-type here.
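The use case message 3 describes (letting the caller add a Content-Disposition header) can be met without eval by passing the extra headers as data. The following is an added example, not code from the package or from either poster; the function names, the header validation rules and the sample call are assumptions for illustration.

```php
<?php
// Added example, not from the package or the thread: replaces the
// `if(is_string($header)) eval($header);` pattern with a validated list
// of headers. Function names and validation rules are assumptions.

declare(strict_types=1);

/**
 * Validate one HTTP header and return [name, value].
 * Rejects CR/LF/NUL (header injection) and non-token header names.
 */
function validate_header(string $name, string $value): array
{
    // Header field names are RFC 7230 tokens: letters, digits and a few symbols.
    if (!preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+$/', $name)) {
        throw new InvalidArgumentException("Invalid header name: $name");
    }
    // A CR or LF in the value would end the header and allow extra
    // headers or body content to be injected by the caller's input.
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("Control characters in value of $name");
    }
    return [$name, trim($value)];
}

/**
 * Send the blob with its Content-Type plus optional extra headers supplied
 * as an associative array, so no caller-supplied PHP code is ever executed.
 */
function send_lob(string $type, array $extraHeaders, string $lob): void
{
    // Content-Type is just another header: validate it the same way.
    [$n, $v] = validate_header('Content-Type', $type);
    header("$n: $v");

    foreach ($extraHeaders as $name => $value) {
        [$n, $v] = validate_header((string) $name, (string) $value);
        header("$n: $v");
    }
    header('Content-Length: ' . strlen($lob));
    echo $lob;
}

// Sample call (constructed): the Content-Disposition header from message 3,
// passed as data rather than as a string to eval().
send_lob('application/pdf', [
    'Content-Disposition' => 'attachment; filename="downloaded.pdf"',
], $lob ?? '');
```

If the filename inside Content-Disposition comes from user input, it should additionally be restricted to a safe character set before being placed in the header value.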