PHP Classes

bug found

Subject:bug found
Summary:a possible exploit
Messages:1
Author:Saulius Okunevicius
Date:2010-02-18 09:40:32
 

Saulius Okunevicius - 2010-02-18 09:40:32
Hi, thanks for a great piece of code.
Just to let you know that when there is text in the XML document being parsed which looks like a PHP variable (e.g. $a), it will be eval()'ed, thus throwing notices.
To fix this, replace line #50:

$this->evalCode .= '$this->result' . $temp . "=\"" . addslashes($value) . "\";//(" . $type . ")\n";

with this:

$this->evalCode .= '$this->result' . $temp . "= '" . addslashes($value) . "';//(" . $type . ")\n";

Thanks again.
Saulius
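The pattern the post describes, as an added example that is not code from the SimpleXML for PHP4 class or from this thread: the generated assignment is built three ways (the original double-quoted form, the post's single-quoted fix, and var_export() as a cleaner alternative, since addslashes() also escapes double quotes, which a single-quoted literal does not unescape) and then passed to eval(). The local $result stands in for the class's $this->result, and the sample XML text is constructed.

```php
<?php
// Added example, not part of the SimpleXML for PHP4 class. $temp, $value and
// $type follow the names in the quoted line #50; $result replaces $this->result.

// Original form: the value is wrapped in a double-quoted PHP literal, so any
// "$name" in the XML text is interpolated when the generated code is eval()'ed
// (undefined variable notice, and the text is altered).
function buildAssignmentDoubleQuoted(string $temp, string $value, string $type): string
{
    return '$result' . $temp . "=\"" . addslashes($value) . "\";//(" . $type . ")\n";
}

// The post's fix: a single-quoted literal keeps "$a" verbatim. addslashes() still
// escapes the quote and backslash that single-quoted strings care about, but the
// backslash it puts before a double quote is kept literally in the stored value.
function buildAssignmentSingleQuoted(string $temp, string $value, string $type): string
{
    return '$result' . $temp . "= '" . addslashes($value) . "';//(" . $type . ")\n";
}

// Alternative: let PHP emit a correct literal for any value instead of hand-quoting.
function buildAssignmentExported(string $temp, string $value, string $type): string
{
    return '$result' . $temp . '=' . var_export($value, true) . ";//(" . $type . ")\n";
}

// Constructed sample: XML text that happens to look like a PHP variable and
// also contains a double quote.
$xmlText = 'Price is $a per "unit"';

$builders = [
    'double-quoted' => 'buildAssignmentDoubleQuoted',
    'single-quoted' => 'buildAssignmentSingleQuoted',
    'var_export'    => 'buildAssignmentExported',
];

foreach ($builders as $label => $fn) {
    $result = [];
    $code = $fn("['item']", $xmlText, 'string');
    echo "generated code ($label): ", $code;
    eval($code);                       // same step the class performs on evalCode
    echo "stored value  ($label): ", $result['item'], "\n\n";
}
```

Run with notices enabled (error_reporting(E_ALL)) to see the double-quoted form emit the undefined-variable notice while the other two store the text unchanged, apart from the extra backslash the single-quoted form leaves before the double quote.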