Home/ Questions/Q 262235
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T22:29:55+00:00

I’m a beginner with PHP security issues. Someone reported a security issue with my

  • 0

I’m a beginner with PHP security issues. Someone reported a security issue with my code, but never gave details.

Below is a condensed version of the code. I’m using the JQuery AJAX function to send some data to the server where it’s used by the PHP scandir() function.

Do you see any security issues?

HTML Document

 <script 
   src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js">
 </script>
 <script>
$.ajax({
    type: "POST",
    url: "example.php",
    cache: false,
    data: {
        foo: "images",
        bar: "something else",
            },
    success: function(html){
    alert(html);
    }
});
</script>

PHP Document

<?php

$foo = filter_var($_POST["foo"], FILTER_SANITIZE_STRING);
$bar = filter_var($_POST["bar"], FILTER_SANITIZE_STRING);

$foo = scandir($foo);
$bar = (explode(",",$bar));

foreach ($foo as $a) {
    echo "<img src='$foo/$a'>";
}

?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes, I can enumerate every file on your machine. And possibly other machines that your server has access to via fopen wrappers. This information can help identify other vulnerable software running or sensitive files, in order to help me target further attacks.

    FILTER_SANITIZE_STRING is designed to protect HTML, not file path references, so it really isn’t helping you here. You should only use that as an output filter to the generated HTML and not when using a backend function.

    You want to restrict uses of dangerous path tokens like :, @, .., \ and /. But do this by whitelisting the characters or values that you consider safe, as in Tom Haigh’s example code.

    • 0