Ok so on this topic, I do something similar to this with my scripts, and if
my includes are vulnerable... I need to know how?

I have tested this and the includes parse the information as it includes it,
I can't see the code, so how is this possible where you say:

        {
"If someone were to stumble upon your list.php script they would be able to
see your php code."
        }

I have tested this pulling it from the server without parsing the file, I
only saw the html source with the include directory in it.  Even if someone
was to get ahold of that the only variable is a "get" variable correct,
what's the difference from them having this information there or typing it
into a Web browser?  And if they did try anything with that variable, I have
the script checking for valid input. Am I not safe in doing this?

Maybe I'm being naive here, but I thought I had covered most of my bases
with this. Please explain where the security hole is!  Anyone?....I'm still
learning and need to know the ins and outs of security for what I am
scripting.

Sorry for all the questions, but I'm truly concerned now....I'd like to
know if I have to find alternative solutions to my include issues.

TIA
Wolf

-----Original Message-----
From: Adam Bregenzer [mailto:[EMAIL PROTECTED]
Sent: Sunday, February 08, 2004 2:39 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [PHP] Re: Can I do this?


On Sun, 2004-02-08 at 03:18, John Taylor-Johnston wrote:
> Ah! A little experimenting ... Yes I can :) Answered my own question.
>
> include("http://elsewhere.com/list.php?number=$number");

Careful with that.  If someone were to stumble upon your list.php script
they would be able to see your php code.  You would probably be better
off having a local copy of that file.

--
Adam Bregenzer
[EMAIL PROTECTED]
http://adam.bregenzer.net/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
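
Added example, not code from the thread: the "local copy" approach Adam suggests, with the `number` value validated before a fixed local file is included. The function name `render_list`, the temporary directory, the stand-in `list.php` contents and the 1 to 9999 range are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a local copy of list.php (hypothetical content).
$dir = sys_get_temp_dir() . '/include_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
file_put_contents("$dir/list.php",
    '<?php echo "Item number " . htmlspecialchars((string) $number) . "\n";');

function render_list(string $script, $rawNumber): string
{
    // An include() of an http:// URL runs whatever the other host sends back,
    // so refuse to continue if the interpreter allows URL includes at all.
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include is enabled');
    }
    // Accept only a plain integer in the expected range (range is an assumption).
    $number = filter_var($rawNumber, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 9999]]);
    if ($number === false) {
        throw new InvalidArgumentException('number must be an integer from 1 to 9999');
    }
    // The include target is a fixed local path, never built from request data.
    $path = realpath($script);
    if ($path === false || !is_file($path)) {
        throw new RuntimeException('local list script is missing');
    }
    ob_start();
    include $path;   // list.php sees the validated $number in this function's scope
    return (string) ob_get_clean();
}

echo render_list("$dir/list.php", '42');

// Constructed invalid inputs: each one is rejected before any include happens.
foreach (['42abc', '../list', '0', '-1'] as $bad) {
    try {
        render_list("$dir/list.php", $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($bad, true), "\n";
    }
}

unlink("$dir/list.php");
rmdir($dir);
```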
