Outlook Express added a .dat extension to the "1" file... The actual files
I'm working with do NOT have extensions. Just wanted to clear that up.

Kyrie Eleison,

Rick Beckman wrote:
> song.php is the file that I'm using as my template file, and it calls
> information from the includes/ directory, which the file "1" would be
> in. If someone would please look at song.php (I stripped it down to
> the basics pretty much) and let me know the best and most secure way
> to do what I want it to do. When finished, the includes directory
> will have dozens of files (numbered 1 and up), as you can see from
> the dropdown list in song.php . Thanks for the help.
> Rick Beckman wrote:
>> Okay, I was mistaken... There is a gaping security hole in my simple
>> li'l script... How do I modify it to only accept files from a certain
>> path? I want the url format to be script.php?call=1 where "1" is the
>> called file in the /includes/ directory. Just when I get optimistic I
>> leave the entire system exposed. Yeah, that fits with my luck. :-)
>> Rick Beckman wrote:
>>> Sarcasm aside, I do have the script set up (although I didn't note
>>> so in the last response) to not accept files with '.' or '..' in the
>>> path. The URL can accept directories within the one the PHP script
>>> is in, but not in a different path or any directory above its own
>>> (i.e., the server files).
>>> John W. Holmes wrote:
>>>>> I have a page set up that loads the contents of a text file into
>>>>> an HTML template using PHP. (i.e. something.com/page.php?include=1
>>>>> where "1" is a simple no-extension text file in the same directoy
>>>>> as page.php). Is there a
>>>>> way to modify the PHP code in the template page to search for the
>>>>> included page in another directory? Right now, the only way to do
>>>>> it is to have the URL as "page.php?include=files/1".
>>>>> Currently, here is the code I use to takes the $include URL
>>>>> variable and makes the file accessible in the template:
>>>>> $info = file($include);
>>>> Can I get the URL to your server, please, so I can pull up
>>>> page.php?include=/etc/passwd ?? Thanks, I would really appreciate
>>>> that.
>>>> But seriously, I really hope you are validating what $include is.
>>>> If you want the file to be included from a different directory,
>>>> then you have to pass some flag/variable to PHP to tell it where
>>>> to look. If you always want it to be in the same dir, then use
>>>> $info = file('files/' . $include);
>>>> ---John Holmes...

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to