
Hello everybody ;)

I have written a kind of CSS (pre)processor in PHP, and it uses the GET method to access the file:

HTML:

...
<link rel="stylesheet" href="css.php?file=style.css" />
...

PHP:

...
$pss=file_get_contents("css/".$_GET["file"]);
...

My problem now is that if a user types something like "css.php?file=../index.php", he gets the source code of every file on my server...

How can I prevent this? Is there a function that checks if a path has directory jumps, or do I have to use regular expressions?

Greetings,
Cobralf


Yeah, this is a technique I came across about 5 years ago - I think the author called it dynamic css. It works really well, but it's easy to mess up - and security is a git.

You can place header text in your css files, which if absent (your php files, etc), prevents load. It could be something as innocuous as:

/*=========== CSS FILE ===========*/

OR, probably easier:

You should also check for the existence of the file under the css folder, with file_exists(), remembering to strip any ".." and "/" from the name.
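
One way to combine both suggestions from the answer above, as an added example that is not part of the original thread: rather than stripping characters from the name, it resolves the requested path with realpath() and checks that the result is still inside the css folder, then checks for the header marker. The function name load_css, the constant CSS_MARKER and the demo files are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
const CSS_MARKER = '/*=========== CSS FILE ===========*/';

function load_css(string $cssDir, string $requested): ?string
{
    // File functions reject NUL bytes with an exception in PHP 8; refuse them up front.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($cssDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks; it returns false for a missing file.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still start with "<css dir>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'css') {
        return null;
    }
    $css = file_get_contents($path);
    // Header marker from the answer: only serve files that begin with it.
    if ($css === false || strncmp($css, CSS_MARKER, strlen(CSS_MARKER)) !== 0) {
        return null;
    }
    return $css;
}

// Constructed demo tree in a temp directory so the script runs offline.
$root = sys_get_temp_dir() . '/cssdemo_' . bin2hex(random_bytes(4));
mkdir($root . '/css', 0700, true);
file_put_contents($root . '/css/style.css', CSS_MARKER . "\nbody { margin: 0; }\n");
file_put_contents($root . '/css/notes.css', "no marker here\n");
file_put_contents($root . '/index.php', "<?php // server-side source\n");

foreach (['style.css', '../index.php', 'notes.css', 'missing.css'] as $name) {
    $result = load_css($root . '/css', $name);
    printf("%-14s %s\n", $name, $result === null ? 'rejected' : 'served');
}
```

Only style.css is served here; in css.php a null result would be answered with a 404 instead of any file contents.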


Thank you, very nice tips ;)
I combined both of them.

#solved
