
Added another major PHP security issue in their example code.

1 parent b11ba86 commit 3c5bdd2a5235008c30a981a02f6a7ce43b8e8855 @ss23 ss23 committed
Showing with 10 additions and 0 deletions.
  1. +10 −0 index.html
10 index.html
@@ -1330,6 +1330,16 @@ <h1 id="intervention"><b>W3Schools</b> An Intervention</h1>
attacks and should never have been posted. It contravenes every best practice.
+ <li id="php_file_upload">
+ <a href="#php_file_upload" class="wrap">#</a>
+ <a href="" rel="nofollow" class="w3s-link"></a>
+ <blockquote><pre><code>move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $_FILES["file"]["name"]);</code></pre></blockquote>
+ <p>
+ Anyone could upload a file with a name like "../hacked.php", and PHP would happily write it.
+ It is not okay to do no validation on a file upload, this is a massive security risk
+ </p>
+ </li>
<li id="specs">
<a href="#specs" class="wrap">#</a>
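Review bot: The new `php_file_upload` item's `<a href="" rel="nofollow" class="w3s-link"></a>` has an empty `href` and no link text, so the entry never points at the page the quoted `move_uploaded_file` line was taken from; fill in the source URL and visible text before merging. The paragraph also stops at naming the problem: the quoted line passes the client-supplied `$_FILES["file"]["name"]` directly into the destination path, and the text would be more useful if it said what to do instead, for example taking `basename()` of the name or generating the stored filename on the server, and checking the extension against an allow-list. Minor wording: the second sentence is a comma splice and is missing its closing period ("...on a file upload; this is a massive security risk.").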

0 comments on commit 3c5bdd2
