info/php-the-right-way
1
0
Fork 0
mirror of https://github.com/codeguy/php-the-right-way.git synced 2025-08-24 06:03:14 +02:00
Code Issues Projects Releases Wiki Activity

Added security information about handling null bytes.

Browse Source
This commit is contained in:
Jamie York
2012-07-12 12:32:51 -06:00
parent 05a8393d94
commit f59f236333
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
_posts/07-05-01-Null-Bytes.md Normal file
View File

@@ -0,0 +1,18 @@
---
isChild: true
---
## Null Bytes
A null byte `\0` denotes the end of a string in [C](http://en.wikipedia.org/wiki/C_(programming_language)). As PHP uses C for all it's
filesystem related operations it means a filesystem path could be [null byte poisoned][2].
To prevent this it is important to remove any null bytes from filesystem paths, _especially_ if they come from user input:
$filepath = str_replace(chr(0), '', $_FILE['tmp_name']);
[See Null Byte Related Issues][1]
[See Null Byte Poisoning][2]
[1]: http://php.net/manual/en/security.filesystem.nullbytes.php
[2]: http://www.madirish.net/?article=436