Alex James wrote:
<?php

$c = $_GET["c"];

// Whatever arrives in ?c= is handed to include() unchanged.
if ($c != "") {
    include($c);
} else {
    include("content1.php");
}

?>


The code is very unsafe, you include and execute any file, even remote if enabled in php.ini. You should use realpath() and substr() to check if the variable really points to pkPatterns/ directory. Then check the file extension using pathinfo() and return appropriate Content-type header.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
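The check the reply describes, written out as an added example (it is not code from Alex James's post or from the reply): the requested name is anchored under a fixed directory, canonicalised with realpath(), compared against the canonical base with substr(), and the extension from pathinfo() decides whether the file is included or streamed with a Content-Type header. The pkPatterns/ directory being next to this script, the list of served extensions, and the content1.php default are assumptions for the example.

```php
<?php
// Hardened replacement for include($_GET["c"]). Added example, not code from
// the original post. Assumes the servable files live in a pkPatterns/
// directory beside this script (directory name taken from the reply).

// Canonical, absolute path of the only directory we are willing to serve from.
$baseDir = realpath(__DIR__ . '/pkPatterns');
if ($baseDir === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('pkPatterns/ directory is missing');
}
$baseDir .= DIRECTORY_SEPARATOR;   // trailing separator matters for the prefix test

// Extensions we are willing to serve, mapped to the Content-Type to send.
// .php entries are executed with include(), so they carry no header.
$allowedTypes = [
    'php'  => null,
    'html' => 'text/html; charset=utf-8',
    'txt'  => 'text/plain; charset=utf-8',
    'css'  => 'text/css; charset=utf-8',
    'png'  => 'image/png',
];

// ?c[]=x arrives as an array; treat anything that is not a plain string as empty.
$requested = (isset($_GET['c']) && is_string($_GET['c'])) ? $_GET['c'] : '';
if ($requested === '') {
    $requested = 'content1.php';   // default page, as in the original snippet (assumed)
}

// Defense in depth before touching the filesystem: NUL bytes make realpath()
// error out in PHP 8, and a scheme prefix (php://, http://, data:) is the
// shape of a stream or remote include. Prepending $baseDir below already
// neutralises both, but rejecting them early keeps the logs readable.
if (strpos($requested, "\0") !== false
    || preg_match('#^[a-z][a-z0-9+.-]*:#i', $requested)) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid file name');
}

// realpath() resolves "..", "./" and symlinks, and returns false when the
// file does not exist, so every traversal variant collapses to one comparison.
$target = realpath($baseDir . $requested);

// The canonical target must start with the canonical base directory. Because
// $baseDir ends in a separator, a sibling such as pkPatterns_old/ cannot match.
if ($target === false || substr($target, 0, strlen($baseDir)) !== $baseDir) {
    header('HTTP/1.1 404 Not Found');
    exit('no such file');
}

$ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
if (!array_key_exists($ext, $allowedTypes)) {
    header('HTTP/1.1 403 Forbidden');
    exit('file type not served');
}

if ($ext === 'php') {
    // Only a .php file that physically lives inside pkPatterns/ reaches include().
    include $target;
} else {
    header('Content-Type: ' . $allowedTypes[$ext]);
    header('Content-Length: ' . filesize($target));
    readfile($target);
}
```

Two details are easy to get wrong: the prefix comparison has to be done on the realpath() result of both sides (comparing the raw $_GET value against "pkPatterns/" is defeated by "pkPatterns/../config.php"), and the base directory needs its trailing separator, otherwise any directory whose name merely starts with "pkPatterns" passes the test.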
