Rasmus, if password.inc is being parsed by PHP, then how would you get the
code??? Won't it just be a blank page???   Oh, I thought up one more ...

4. checking for HTML tags and PHP scripting when accepting data from text
boxes


Rasmus Lerdorf wrote:

> > Hi, I found it very helpful to know about hacks such as the list below
> > and was wondering if anyone had any more dumb mistakes they could tell
> > us about before we make them.
> >
> > 1. http://www.somesite.com/source.php3?url=/etc/passwd
> > 2. http://www.somesite.com?page=../../../../etc/passwd
> > 3. not setting .inc files to be parsed by PHP
>
> This is the wrong solution to securing include files.  The correct
> solution is to block any direct access to .inc files by either putting
> them outside your document root or by using an Apache deny rule.
>
> -Rasmus
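
The advice in the quoted message, as an added example that is not code from the thread or from Rasmus: a page dispatcher that keeps the .inc files outside the document root and answers `?page=` only from an allowlist, so the `../../../../etc/passwd` trick in item 2 never reaches the filesystem. It assumes a web root of `/var/www/html` with includes in the sibling `/var/www/includes`; the page names and file names are made up for the illustration.

```php
<?php
// Added example, not from the mailing-list thread.
// Assumption: the web root is /var/www/html and the .inc files live one
// level above it in /var/www/includes, which no URL can reach.
define('INCLUDE_DIR', dirname(__DIR__) . '/includes');

// If the .inc files must stay under the document root instead, an Apache
// 2.4 rule blocks direct requests to them:
//   <FilesMatch "\.inc$">
//       Require all denied
//   </FilesMatch>

// Allowlist: the only ?page= values we accept, mapped to real files.
// Anything else (including any value containing "../") is rejected before
// user-supplied text ever becomes part of a path.
$pages = [
    'home'    => 'home.inc',
    'about'   => 'about.inc',
    'contact' => 'contact.inc',
];

function resolvePage(array $pages, ?string $requested): ?string
{
    $key = $requested ?? 'home';
    if (!array_key_exists($key, $pages)) {
        return null;                     // unknown page: include nothing
    }
    $path = INCLUDE_DIR . '/' . $pages[$key];
    // Defence in depth: realpath() resolves symlinks and "..", so we can
    // confirm the final file really sits inside INCLUDE_DIR.
    $real = realpath($path);
    $base = realpath(INCLUDE_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Item 4 of the list: text-box input is never echoed raw. Escaping on
// output turns "<script>" or "<?php" into inert text instead of markup.
function safeEcho(string $userText): string
{
    return htmlspecialchars($userText, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$file = resolvePage($pages, $_GET['page'] ?? null);
if ($file === null) {
    http_response_code(404);
    echo 'No such page';
    exit;
}
include $file;
```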



-- 
PHP General Mailing List (http://www.php.net/)