I recently added urlencode() to the invocation of $_GET variables in each of 11 photos.php files. That solved the problem of vulnerability to code-injection attack, but as one of the variables was a pathname, the "/" characters were encoded and thus when that argument was passed on, the encoded path of course failed. I added a function to unencode just the slash characters and passed the urlencoded path to it, thus returning a path in which all potentially dangerous characters other than the "/" are still escaped. That should make the page useable and secure.
This entry was posted by and filed under Activity log.