PHP's include function is really handy. You can use it to include any file content directly into your PHP page. But it can be a huge security vulnerability. You see, you can also include content from any web page using the standard URL. This means you can include content from another site. In turn, it means if you are not careful, a hacker could exploit it by executing their PHP scripts on your server using your include function. It's too easy to write the following lines:
$file = $_GET ["file"];
A hacker can easily type in an URL and execute a PHP script on your server. The solution? Use a safer include function, such as the following:
function safeInclude ($filename)
You can go one step further by stripping out the URL:
$filename = ereg_replace ("http:\/\/.*\/", "", $filename);
Did your message disappear? Read the Forums FAQ.
Spam Control | * indicates required field
TrackBack only accepted from WebSite-X Suite web sites. Do not submit TrackBacks from other sites.
No TrackBacks yet. TrackBack can be used to link this thread to your weblog, or link your weblog to this thread. In addition, TrackBack can be used as a form of remote commenting. Rather than posting the comment directly on this thread, you can posts it on your own weblog. Then have your weblog sends a TrackBack ping to the TrackBack URL, so that your post would show up here.
Messages, files, and images copyright by respective owners.
317 Users Online
Copyright © 1996 - 2023. All Rights Reserved.