Merlin wrote:
I am wondering if I am opening a potential security risk by
including files on remote servers. I am doing an include ('http:/www.server.com/file.html') inside a php script of mine to seperate content from function. Content is produced by a friend of mine and
I do not want to grant access to my server to him.

Yes, your friend (or anyone who compromises his server, who may very well *not* be friendly :) can output any PHP code he likes from that URL, and your server will execute it.

Not Good(tm).

You could do:

| echo file_get_contents( 'http://www.server.com/file.html' );

but only if you really trust his server to never get compromised, as that would allow an attacker to replace content on your website with anything they liked.

Jasper

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to