Okay, I was mistaken... There is a gaping security hole in my simple li'l
script... How do I modify it to only accept files from a certain path? I
want the url format to be script.php?call=1 where "1" is the called file in
the /includes/ directory. Just when I get optimistic I leave the entire
system exposed. Yeah, that fits with my luck. :-)

Kyrie Eleison,

Rick Beckman wrote:
> Sarcasm aside, I do have the script set up (although I didn't note so
> in the last response) to not accept files with '.' or '..' in the
> path. The URL can accept directories within the one the PHP script is
> in, but not in a different path or any directory above its own (i.e.,
> the server files).
> John W. Holmes wrote:
>>> I have a page set up that loads the contents of a text file into an
>>> HTML template using PHP. (i.e. something.com/page.php?include=1
>>> where "1" is a simple no-extension text file in the same directoy as
>>> page.php). Is there a
>>> way to modify the PHP code in the template page to search for the
>>> included page in another directory? Right now, the only way to do it
>>> is to have the URL as "page.php?include=files/1".
>>> Currently, here is the code I use to takes the $include URL variable
>>> and makes the file accessible in the template:
>>> $info = file($include);
>> Can I get the URL to your server, please, so I can pull up
>> page.php?include=/etc/passwd ?? Thanks, I would really appreciate
>> that.
>> But seriously, I really hope you are validating what $include is.
>> If you want the file to be included from a different directory, then
>> you have to pass some flag/variable to PHP to tell it where to look.
>> If you always want it to be in the same dir, then use
>> $info = file('files/' . $include);
>> ---John Holmes...

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to