--- [EMAIL PROTECTED] wrote:
> It does (http://php.net/eval) but use extreme caution since this could be
> abused very easily with some nasty results.
>
> James
> ---------------------------
> Thanks James,
> I looked at eval() and it is a bit scary so I decided
> to parse on the way in rather than the way out. Please let me know if there
> is a problem with this.
>
> example -
>
> if($file_extension == ".php")
> {
>     ob_start();
>     include($file);
>     return ob_get_clean();
> }
> else
> {
>     return file_get_contents($file);
> }
>
> Thanks, Rob.
I would check to see if file_exists($file) is true. If not, someone is probably trying to sneak in a CLI command along with the file processing. In fact, you probably don't want to have anything which looks like a filename or a real path at all but rather a number which can be looked up in a table to get the content (either another path or the actual content). Remember that PHP can reach into almost any part of the server filesystem (with correct permissions and ownership) so you don't have to locate your CMS files in the document root. You can create a handler script which makes sure the request comes from a logged-in user and pull files from outside the filesystem the web server can normally get to.

James
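A hardened version of Rob's snippet along the lines James describes, added here as an example and not code from either poster: the request carries only an opaque numeric id that is looked up in a table, the content lives outside the document root, the handler refuses anonymous requests, and the resolved path is checked to exist and to sit under the content directory before anything is included or read. The `$pages` table, the `CONTENT_DIR` location and the `user_is_logged_in()` hook are assumptions for illustration.

```php
<?php
// Added example (not the original poster's code). Assumptions: content
// lives under CONTENT_DIR outside the web root, $pages maps opaque ids to
// file names, and user_is_logged_in() is provided by the application.
declare(strict_types=1);

const CONTENT_DIR = '/var/www/cms-content'; // assumed: outside the document root

// Assumed lookup table: the client only ever sends the numeric key,
// never a filename or path.
$pages = [
    1 => 'welcome.php',
    2 => 'about.html',
    3 => 'terms.txt',
];

function user_is_logged_in(): bool
{
    // Assumed application hook; replace with the real session check.
    return isset($_SESSION['user_id']);
}

/**
 * Return the rendered content for a page id, or null if the id is unknown,
 * the file is missing, or the resolved path is not inside CONTENT_DIR.
 */
function render_page(int $id, array $pages): ?string
{
    if (!isset($pages[$id])) {
        return null; // unknown id: nothing path-like from the client reaches the filesystem
    }

    $path = realpath(CONTENT_DIR . '/' . $pages[$id]);
    $base = realpath(CONTENT_DIR);

    // The file_exists() check James suggests, plus a containment check:
    // realpath() returns false for a missing file and resolves any '..' or
    // symlink, so the prefix comparison guarantees the file really lives
    // under CONTENT_DIR even if the table is later edited carelessly.
    if ($path === false || $base === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    if (pathinfo($path, PATHINFO_EXTENSION) === 'php') {
        // Execute the template "on the way in" and capture its output,
        // as in Rob's version, but only for a file we have already vetted.
        ob_start();
        include $path;
        return ob_get_clean();
    }

    return file_get_contents($path);
}

// Handler script: the only entry point the web server exposes for CMS content.
session_start();
if (!user_is_logged_in()) {
    http_response_code(403);
    exit;
}

// FILTER_VALIDATE_INT yields false for a non-integer and null when absent.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$body = ($id === false || $id === null) ? null : render_page($id, $pages);

if ($body === null) {
    http_response_code(404);
    exit;
}
echo $body;
```

The two checks complement each other: the table lookup means a request can only ever name a file the application already knows about, and the `realpath()` prefix test catches the case where a table entry itself resolves outside the content directory, so a mistake in the table cannot turn into an arbitrary include.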
