Member Avatar for CobRalf

Hello everybody ;)

I have written a kind of CSS (pre)processor in PHP, and it uses the GET method to access the file:

HTML:

...
<link rel="stylesheet" href="css.php?file=style.css" />
...

PHP:

...
$pss=file_get_contents("css/".$_GET["file"]);
...

My problem is now, if a user types something like "css.php?file=../index.php", he gets the source code of every file on my server...

How can I prevent this? Is there a function that checks if a path has directory jumps, or do I have to use regular expressions?

Greetings,
Cobralf

Member Avatar for diafol

Yeah, this is a technique I came across about 5 years ago - I think the author called it dynamic css. It works really well, but it's easy to mess up - and security is a git.

You can place header text in your css files, which if absent (your php files, etc), prevents load. It could be something as innocuous as:

/*=========== CSS FILE ===========*/

OR, probably easier:

You should also check for the existence of the file under the css folder, with file_exists(), remembering to strip any ".." and "/" from the name.
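A hardened css.php that combines both suggestions (the marker comment and a containment check on the resolved path), added here as an example and not the original poster's or diafol's code; the function names, the CSS_DIR constant and the exact marker text are assumptions:

```php
<?php
// Hardened css.php (added example): serves only real .css files from css/
// and requires the marker comment diafol suggests. Names are assumptions.

const CSS_DIR = __DIR__ . '/css';
const CSS_MARKER = '/*=========== CSS FILE ===========*/';

// Return the absolute path of a safe stylesheet, or null to refuse.
// An allow-list pattern is simpler to reason about than removing characters,
// and the realpath() check below catches anything the pattern misses.
function resolveCssPath(string $requested): ?string
{
    // Only a plain file name: letters, digits, dash, underscore, ending in .css
    if (!preg_match('/\A[A-Za-z0-9_-]+\.css\z/', $requested)) {
        return null;
    }
    $base = realpath(CSS_DIR);
    $path = realpath(CSS_DIR . '/' . $requested);
    // realpath() returns false for missing files and resolves symlinks,
    // so the prefix check also catches links pointing outside css/.
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Second line of defence: the file must begin with the marker comment.
function hasCssMarker(string $contents): bool
{
    return strncmp(ltrim($contents), CSS_MARKER, strlen(CSS_MARKER)) === 0;
}

$path = resolveCssPath($_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit;
}
$pss = file_get_contents($path);
if ($pss === false || !hasCssMarker($pss)) {
    http_response_code(404);
    exit;
}
header('Content-Type: text/css; charset=utf-8');
// ... preprocess $pss here, then send it
echo $pss;
```

Requests such as file=../index.php fail the pattern before any filesystem call, and a .css file placed outside css/ via a symlink fails the realpath() prefix check.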

Member Avatar for CobRalf

Thank you, very nice tips ;)
I combined both of them.

#solved
