Validating user input in PHP
By appending a RAR archive to the end of a JPEG image, the file becomes both a valid JPEG image and a valid RAR archive. Similarly, PHP code can be inserted into the comment fields of many file formats: JPEG and GIF both have comment fields, as do most archive formats and other file formats that carry metadata.

Polyglots like this work because, for instance, the JPEG file format specifies start and end "magic numbers" that delimit where the image begins and ends (0xFFD8 and 0xFFD9). Content outside those markers is ignored when the file is processed as a JPEG.

We can send a Content-type header of "lol/wut" if we like, or "ilovemydoggy/heissocute" or even "hacknaked/bowtomyfirewallahh". It simply doesn't matter, and so we can very easily satisfy the application with a Content-type header of "image/gif" even though we, as pen testers, are most likely uploading a file with a "php" extension.

Speed up your development with Code Igniter, a fast and powerful PHP web application framework. Author Jon Peck shows how to build a magazine cataloging system while describing how to use an MVC (Model-View-Controller) framework like Code Igniter.
Here's a PHP script which takes a file upload and checks the file extension against a list of "bad" file extensions:

That's a nice try, but it won't work on web sites where the server is set to execute files with extensions beyond the standard PHP ones: a blacklist only catches the extensions its author thought to list.
Avoid storing uploaded files in a web-accessible folder where execute permissions are enabled. Keeping them out of such a location prevents the web server from running an uploaded file as a script.
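The advice above comes down to three things: an allow-list instead of a blacklist, server-side type sniffing instead of the client's Content-type header, and storage outside any executable web folder. The following PHP handler, an added example rather than code from the original article, puts them together; the field name `upload`, the function name `storeImageUpload`, the storage path and the PHP 8 / GD requirement are assumptions.

```php
<?php
declare(strict_types=1);
// Hardened image upload handler: an added example, not code from the original page.
// Assumptions: the upload field is named "upload", $storageDir lies outside the
// web root (or has script execution disabled), PHP >= 8.0 with the GD extension.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024;

function storeImageUpload(array $file, string $storageDir): string
{
    $tmp = $file['tmp_name'] ?? '';
    // Reject anything PHP's upload machinery already flagged, plus oversized files.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('no valid upload received');
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client's Content-type and filename are attacker-controlled, so ignore
    // both: sniff the magic bytes server-side and check them against an
    // allow-list rather than a blacklist of "bad" extensions.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    // Magic bytes alone still accept a JPEG with an archive or PHP code appended
    // after the 0xFFD9 end marker or hidden in a comment segment. Decoding and
    // re-encoding keeps only the pixel data; trailing bytes and comments are dropped.
    $img = @imagecreatefromstring((string) file_get_contents($tmp));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // Server-chosen random name and server-chosen extension; the original
    // filename (and any .php-like suffix in it) never reaches the filesystem.
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $written = match (ALLOWED[$mime]) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$written) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0644); // readable by the server, never executable
    return $dest;
}
```

From the form handler, call `storeImageUpload($_FILES['upload'], '/var/app/uploads')` and serve the stored file back through a script that sets the Content-type itself, so the upload directory never needs to be web-accessible.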
Starting with the what and why of Code Igniter, Jon introduces key concepts such as the MVC pattern and libraries by demonstrating how to create static pages, then how to store and display magazine info in a database.
Advanced topics like classes and helpers are explored to validate user input, upload files, and much more.