From: James E. F. <jf...@ac...> - 2002-03-28 19:54:20
On Thu, 28 Mar 2002, Matthew Gregg wrote:

> I need a way for users to publish their surveys that doesn't require
> the user or the administrator to create a php include.
> It can be very simple to start with, but I could see adding a user
> definable CSS as an easy addition, before we make the transition into
> XML/XLT.
>
> I understand the risks of accepting "tainted" user input.
> So what's wrong with this:
> <?php $sid=intval($id); include("/blah/public/handler.php");?>
>
> $id has been "un-tainted" with intval.

That is fine. The only issue is of course that people (web users) can try different ids -- that is not necessarily a problem, I just wanted to keep the SID hidden from the user.

But as you may have noticed, I handled the "test.php" on the demo site the way you suggested above. In fact here is the actual code:

<?php
// Take the raw survey id off the query string, then remove it so the
// handler never sees the untrusted copy.
$my_sid = $HTTP_GET_VARS['sid'];
unset ($HTTP_GET_VARS['sid']);
$sid = intval($my_sid);          // "un-taint": coerce to an integer
// Same for the results flag.
$my_res = $HTTP_GET_VARS['results'];
unset ($HTTP_GET_VARS['results']);
$results = $my_res;
echo ("<tt>sid = $sid</tt><hr>\n");
include('handler.php');          // handler uses $sid / $results set above
echo ("<hr>\n");
if (isset($errmsg)) echo $errmsg;
?>

Note that the handler will give a "Security violation" if either $HTTP_GET_VARS['sid'] or $HTTP_GET_VARS['results'] is set.

-James
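As an added example (not code from the mail above or from the project it discusses), the same untaint-then-include pattern in current PHP, using $_GET in place of $HTTP_GET_VARS and with the handler-side "Security violation" check written out. The function names untaint_sid() and handler_guard(), the stricter round-trip id validation, and the existence of handler.php are assumptions; $results is passed through unchanged, as in the original.

```php
<?php
// Coerce the raw query-string value to a survey id. Anything that is not a
// plain positive decimal integer is refused rather than silently coerced.
function untaint_sid($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {   // e.g. sid[]=1 arrives as an array
        return null;
    }
    $sid = intval($raw);
    // Require the decimal form to match the input exactly, so "12abc", "-3"
    // or "007" is rejected instead of becoming 12, -3 or 7.
    if ($sid <= 0 || (string)$sid !== trim((string)$raw)) {
        return null;
    }
    return $sid;
}

// The rule the mail attributes to the handler: it must only see $sid and
// $results as set by the including script, never straight from the request,
// so it refuses to run if those keys are still present in the GET data.
function handler_guard(array $get): void
{
    foreach (['sid', 'results'] as $key) {
        if (array_key_exists($key, $get)) {
            throw new RuntimeException("Security violation: raw '$key' reached handler");
        }
    }
}

// Wrapper equivalent to the test.php in the mail.
$my_sid = $_GET['sid'] ?? null;
unset($_GET['sid']);
$sid = untaint_sid($my_sid);
if ($sid === null) {
    http_response_code(400);
    exit('Invalid survey id');
}
$my_res = $_GET['results'] ?? null;
unset($_GET['results']);
$results = $my_res;

// In the real layout this call sits at the top of handler.php; it is made
// here so the example reads top to bottom.
handler_guard($_GET);
echo "<tt>sid = " . $sid . "</tt><hr>\n";
include 'handler.php';          // assumed survey handler, uses $sid / $results
echo "<hr>\n";
if (isset($errmsg)) {
    echo htmlspecialchars($errmsg, ENT_QUOTES, 'UTF-8');
}
```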