
ViaThinkSoft CodeLib


<?php

// XML payload with an external entity that points at a local file (XXE test input)
$x = '<!DOCTYPE scan [<!ENTITY test SYSTEM "/etc/passwd">]><scan>&test;</scan>';

// Unsafe: the entity loader is enabled and LIBXML_NOENT makes the parser substitute &test;
libxml_disable_entity_loader(false);
$xml = simplexml_load_string($x, 'SimpleXMLElement', LIBXML_NOENT);
var_dump($xml);

// Safe: the entity loader is disabled and LIBXML_NOENT is not passed, so &test; is left unresolved
libxml_disable_entity_loader(true);
$xml = simplexml_load_string($x, 'SimpleXMLElement');
var_dump($xml);


Summary: If you use simplexml_load_string in the "normal" way (i.e. without LIBXML_NOENT), you are safe.
Please note that LIBXML_NOENT enables the loading of external entities. The name is very misleading!
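As an added example (not part of the original CodeLib snippet), the following wrapper applies the summary above in a reusable form: it never passes LIBXML_NOENT, additionally rejects any document that carries a DOCTYPE (which is where entity declarations live), and passes LIBXML_NONET so the parser cannot fetch anything over the network. The function name safe_simplexml_load and the two sample inputs are assumptions made for this example; on PHP 8.0 and later, libxml_disable_entity_loader is deprecated because external entity loading is already off by default, so the call is only made on older versions.

```php
<?php
// Added example: hardened simplexml loader (not the original page's code).

/**
 * Parse untrusted XML without resolving external entities.
 * Returns a SimpleXMLElement, or false if the input is rejected or malformed.
 */
function safe_simplexml_load(string $xml)
{
    // Reject inline DTDs outright: an external entity needs a DOCTYPE to be declared,
    // and data documents handled here have no legitimate use for one.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return false;
    }

    // On PHP < 8.0 explicitly keep the external entity loader switched off
    // (deprecated and unnecessary from PHP 8.0 on, where it is off by default).
    $prev = null;
    if (PHP_VERSION_ID < 80000) {
        $prev = libxml_disable_entity_loader(true);
    }

    // Collect parser errors instead of emitting warnings.
    libxml_use_internal_errors(true);

    // No LIBXML_NOENT here; LIBXML_NONET forbids any network access during parsing.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);

    libxml_clear_errors();
    if ($prev !== null) {
        libxml_disable_entity_loader($prev);
    }

    return $doc;
}

// Constructed sample inputs for demonstration.
$malicious = '<!DOCTYPE scan [<!ENTITY test SYSTEM "/etc/passwd">]><scan>&test;</scan>';
$benign    = '<scan>ok</scan>';

var_dump(safe_simplexml_load($malicious)); // rejected because of the DOCTYPE
var_dump(safe_simplexml_load($benign));    // parsed normally
```

The DOCTYPE check is the defensive layer that does not depend on libxml version or flag semantics; the flag handling below it is the same rule the summary states, just applied consistently at one place in the code base.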
Daniel Marschall
ViaThinkSoft Co-Founder