in reply to Re: Orthogonal Code and Security
in thread Orthogonal Code and Security

While more flexible, the .htaccess approach is intrinsically riskier than Ovid's, because you must pass a directory or file derived from untainted user data to a system call (i.e. opendir, or open). This means you have to carefully consider all classes of valid input versus invalid and potentially dangerous input. From a security perspective, it's preferable to have a simple mapping of user input to prearranged file locations.
   MeowChow                                   
               s aamecha.s a..a\u$&owag.print

(kudra) Re(3): Orthogonal Code and Security
by kudra (Vicar) on May 03, 2001 at 12:59 UTC
    Hmm, I saw that suggestion working in a different manner: searching directories (either on the fly or updating at intervals depending on number of directories and how rapidly the system needs to respond to changes), and building a paths data structure from that, which could then be used to verify the user input as in Ovid's example.
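
An added example, not code from either poster in this thread: one way to combine the two ideas above, scanning a directory tree into a lookup table and then using the user's string only as a hash key, so the path handed to opendir always comes from the scan. The names `build_path_map` and `resolve_dir`, the temporary demo tree and the sample inputs are all constructed for illustration.

```perl
use strict;
use warnings;
use File::Find ();
use File::Spec;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Walk $root and return { 'relative/dir' => '/real/path' }. Run at startup
# or at intervals. Symlinks are skipped so no entry can point outside $root.
sub build_path_map {
    my ($root) = @_;
    my %map;
    File::Find::find({
        no_chdir => 1,                      # $_ holds the full path
        wanted   => sub {
            return if -l $_;                # ignore symlinked directories
            return unless -d $_;            # directories only
            $map{ File::Spec->abs2rel($_, $root) } = $_;
        },
    }, $root);
    return \%map;
}

# Return the scanned path for $input, or nothing. The user's string is
# only ever compared as a hash key; it is never passed to opendir.
sub resolve_dir {
    my ($map, $input) = @_;
    return unless defined $input && exists $map->{$input};
    return $map->{$input};
}

# Constructed demo tree and constructed inputs.
my $root = tempdir(CLEANUP => 1);
make_path("$root/docs/faq", "$root/news");
my $map = build_path_map($root);

for my $input ('docs/faq', 'news', '../etc', 'docs/../..', "news\0/x", '/etc') {
    (my $shown = $input) =~ s/\0/\\0/g;     # make the NUL byte printable
    if (defined(my $dir = resolve_dir($map, $input))) {
        opendir(my $dh, $dir) or die "opendir $dir: $!";
        closedir $dh;
        print "ok      $shown\n";
    }
    else {
        print "reject  $shown\n";
    }
}
```

Only `docs/faq` and `news` are accepted; the traversal, NUL-byte and absolute-path inputs are rejected because they are not keys in the map, with no pattern-based filtering of the input needed.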