Senior Coders
Dear Jas: I finally found time to get back to this and it worked perfectly the way you explained it. Thank you so much! I was making it much more complicated than it actually was. I use this technique quite often so now can do it in a much simpler way. Thanks again. erin
Regular Coders
If you are ever include things like that with $_GET, make sure to sanitize it first. A rouge user would be able to include other files from your site that you don't want them to see.
Just a word of warning.
kuau (07-01-2008)
Senior Coders
Dear tt: Actually I'm not using $_GET, just include($filename). Please explain how someone could include files from my site.. I'm not sure what to protect against. Thanks. I may be a bit oblivious to what creepy people are trying to do and why.
Regular Coders
Say you had a htaccess protected page named users/secretstuff.txt
And lets also say that index.php would include anything in $_GET['hello']. A user could go to example.org/index.php?hello=users/secretstuff.txt and see the contents of that text file, would would be very horrible.
kuau (07-01-2008)
Senior Coders
I went back to the beginning of this post and now I see what you are talking about -- providing too much information in the query string visible in the address bar. Yeah, I can see how that would be dangerous. I'm not doing anything like that, just including different headers etc, but thanks for the warning.
Posting Permissions
Reply With Quote
Bookmarks