Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Paul Jones' Blog:
When Possible, Use File *Resources* Instead Of File *Names*
Jul 04, 2012 @ 19:10:49

In this new post to his blog Paul Jones makes a suggestion when you're working with files or external connections in your PHP applications - pass the resource, not the file/path name for more flexibility.

In testing the Aura.Http package, I have realized that it’s much more flexible, testing wise, to pass around file resources (a.k.a. handles, pointers, or streams) than it is to pass around file names. When you do that, you can use a php://memory stream instead of attempting to touch the file system.

He shows how using this method can make it easier to test with a simple bit of refactoring by passing in the "php://memory" stream rather than the actual file reference. The comment (from Chris Hartjes) also suggests an alternative tool for working with tests that need the file system, vfsStream.

tagged: file resource filename opinion unittest phpmemory stream

Link:

DZone.com:
File Path Injection in PHP <= 5.3.6 File Update (CVE 2011-2202)
Jun 21, 2011 @ 13:44:02

On DZone.com's PHP on Windows section today Krzysztof Kotowicz has a new post talking about a file path injection exploit in PHP versions lower than 5.3.6.

Since the thing went public before new PHP version has been released, I present full details of the latest PHP vulnerability I reported - together with some sweet demo exploit. The issue was found with fuzzing being part of my recent file upload research. And I still have some more to show in the future :)

The issue, described in more detail here on bugs.php.net (as of the time of this post, unfortunately unavailable) and his code to reproduce the issue is here. Due to a bug in the code that should strip down the upload to just the filename, certain kinds of file paths can make it through. The real problem comes in when an application blindly uses this filename to write to, possibly overwriting important files. You can see a screenshot of it in action here.

tagged: file path injection bug filename

Link:

Tobias Schlitt's Blog:
My first patch to PHP
Jul 20, 2006 @ 01:00:38

Tobias Schlitt mentions today in his latest post about his first patch to PHP, an update to the pathinfo function's code being commited.

Hehe, some might say, that those 10 lines of C code are not even worth calling it a patch. Especially, since it was mostly copy and paste work and since Christian Schneider also adviced me for some improvement. Anyway, Marcus just commited my enhancement to pathinfo(), which adds a new field "filename" to the returned array of path elements.

His patch adds a much needed output parameter to the pathinfo function's results - filename. He talks briefly about the process of making the change and how long it took him on the first shot (2 hours), but now his hard work has paid off. The update will be a part of PHP 5.2.

tagged: patch first pathinfo filename output parameter patch first pathinfo filename output parameter

Link:

Tobias Schlitt's Blog:
My first patch to PHP
Jul 20, 2006 @ 01:00:38

Tobias Schlitt mentions today in his latest post about his first patch to PHP, an update to the pathinfo function's code being commited.

Hehe, some might say, that those 10 lines of C code are not even worth calling it a patch. Especially, since it was mostly copy and paste work and since Christian Schneider also adviced me for some improvement. Anyway, Marcus just commited my enhancement to pathinfo(), which adds a new field "filename" to the returned array of path elements.

His patch adds a much needed output parameter to the pathinfo function's results - filename. He talks briefly about the process of making the change and how long it took him on the first shot (2 hours), but now his hard work has paid off. The update will be a part of PHP 5.2.

tagged: patch first pathinfo filename output parameter patch first pathinfo filename output parameter

Link:


Trending Topics: