all my include files are *.inc, and I have a .htaccess file that makes
apache refuse to serve those files directly thru http.


on 04/10/02 7:58 PM, John Wards ([EMAIL PROTECTED]) wrote:

> erm......would that alow hackers access? Say I have a database include file
> would hackers be able to get access to my database like this?
> (include('');)
> I hope bloody not!!! if so how on earth do i get round that!
> John
> On Friday 04 Oct 2002 10:52 am, Marek Kilimajer wrote:
>> Use realpath() to check the path. I also suspect your script is
>> vulnarable to cross-site includes
>> (include('');)
>> Rick Beckman wrote:
>>> Okay, I was mistaken... There is a gaping security hole in my simple li'l
>>> script... How do I modify it to only accept files from a certain path? I
>>> want the url format to be script.php?call=1 where "1" is the called file
>>> in the /includes/ directory. Just when I get optimistic I leave the
>>> entire system exposed. Yeah, that fits with my luck. :-)
> --
> PHP General Mailing List (
> To unsubscribe, visit:

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to