Use realpath() to check the path. I also suspect your script is 
vulnarable to cross-site includes (include('');)

Rick Beckman wrote:

>Okay, I was mistaken... There is a gaping security hole in my simple li'l
>script... How do I modify it to only accept files from a certain path? I
>want the url format to be script.php?call=1 where "1" is the called file in
>the /includes/ directory. Just when I get optimistic I leave the entire
>system exposed. Yeah, that fits with my luck. :-)

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to