[snip]
To prevent these attacks, it may be necessary to recode the site to use 
the include() and require() functions in a safe manner.
[/snip]

From http://www.php.net/include

"If "URL fopen wrappers" are enabled in PHP (which they are in the
default configuration), you can specify the file to be included using a
URL (via HTTP or other supported wrapper - see Appendix L for a list of
protocols) instead of a local pathname. If the target server interprets
the target file as PHP code, variables may be passed to the included
file using a URL request string as used with HTTP GET. This is not
strictly speaking the same thing as including the file and having it
inherit the parent file's variable scope; the script is actually being
run on the remote server and the result is then being included into the
local script."

"Example 16-7. include() through HTTP

<?php

/* This example assumes that www.example.com is configured to parse .php
 * files and not .txt files. Also, 'Works' here means that the variables
 * $foo and $bar are available within the included file. */

// Won't work; file.txt wasn't handled by www.example.com as PHP
include 'http://www.example.com/file.txt?foo=1&bar=2';

// Won't work; looks for a file named 'file.php?foo=1&bar=2' on the
// local filesystem.
include 'file.php?foo=1&bar=2';

// Works.
include 'http://www.example.com/file.php?foo=1&bar=2';

$foo = 1;
$bar = 2;
include 'file.txt';  // Works.
include 'file.php';  // Works.

?>  "

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

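One way to "use include() in a safe manner" as the snipped advisory recommends, as an added example that is not from the PHP manual, the advisory or the poster: an allowlist plus a realpath() containment check so that neither a URL (which the wrappers above would fetch and execute) nor a traversal path can reach include(). The directory name and page list are assumptions.

```php
<?php
// Added example (not from the PHP manual or the quoted advisory): a guarded
// include that refuses URLs and path traversal, so a user-controlled value
// can never reach include() as a remote file or an arbitrary local path.
// Assumed layout: includable page fragments live in a fixed directory.

const INCLUDE_BASE = __DIR__ . '/pages';            // assumption: trusted dir
const ALLOWED_PAGES = ['home', 'about', 'contact']; // assumption: allowlist

/**
 * Map an untrusted page name to a vetted local file, or return null.
 * Defence in depth: allowlist first, then a realpath() containment check,
 * so neither a 'http://...' or 'php://...' string nor '../../etc/passwd'
 * is ever handed to include().
 */
function resolve_include(string $page): ?string
{
    // 1. Reject anything containing a scheme (http://, php://, data:, ...)
    //    or directory separators; only plain identifiers are acceptable.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $page)) {
        return null;
    }
    // 2. Only names on the allowlist are considered at all.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // 3. Resolve and confirm the file still lives under INCLUDE_BASE.
    $base = realpath(INCLUDE_BASE);
    $file = realpath(INCLUDE_BASE . '/' . $page . '.php');
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Unsafe pattern the advisory warns about: the request parameter goes
// straight to include(), so with URL fopen wrappers on, a URL in that
// parameter is fetched and its output executed as PHP on this server.
//   include $_GET['page'];          // DON'T

// Guarded replacement: the attacker-controlled string never reaches include().
$target = resolve_include($_GET['page'] ?? 'home');
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $target;
```

Setting allow_url_include=Off (available since PHP 5.2) also blocks URL targets in include(), but it does nothing against local-path traversal, so the containment check above still matters.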