
Thread: Insert a variable into an include path??

  1. #11
    Join Date
    Sep 2007
    Location
    Maui
    Posts
    642
    Thanks
    284
    Thanked 15 Times in 15 Posts

    Default

    Dear Jas: I finally found time to get back to this and it worked perfectly the way you explained it. Thank you so much! I was making it much more complicated than it actually was. I use this technique quite often so now I can do it in a much simpler way. Thanks again. erin

  2. #12
    Join Date
    Jul 2008
    Posts
    199
    Thanks
    6
    Thanked 58 Times in 57 Posts

    Default

    If you ever include things like that with $_GET, make sure to sanitize it first. A rogue user would be able to include other files from your site that you don't want them to see.

    Just a word of warning.

  3. The Following User Says Thank You to techietim For This Useful Post:

    kuau (07-01-2008)

  4. #13
    Join Date
    Sep 2007
    Location
    Maui
    Posts
    642
    Thanks
    284
    Thanked 15 Times in 15 Posts

    Default

    Dear tt: Actually I'm not using $_GET, just include($filename). Please explain how someone could include files from my site. I'm not sure what to protect against. Thanks. I may be a bit oblivious to what creepy people are trying to do and why.

  5. #14
    Join Date
    Jul 2008
    Posts
    199
    Thanks
    6
    Thanked 58 Times in 57 Posts

    Default

    Say you had an htaccess-protected page named users/secretstuff.txt

    And let's also say that index.php would include anything in $_GET['hello']. A user could go to example.org/index.php?hello=users/secretstuff.txt and see the contents of that text file, which would be very horrible.

  6. The Following User Says Thank You to techietim For This Useful Post:

    kuau (07-01-2008)

  7. #15
    Join Date
    Sep 2007
    Location
    Maui
    Posts
    642
    Thanks
    284
    Thanked 15 Times in 15 Posts

    Default

    I went back to the beginning of this post and now I see what you are talking about -- providing too much information in the query string visible in the address bar. Yeah, I can see how that would be dangerous. I'm not doing anything like that, just including different headers etc, but thanks for the warning.
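
The sanitizing step recommended in posts #12 and #14, as an added example that is not code from any poster in this thread: the request value is treated as a key into a fixed allowlist, and the resolved file must also sit inside the template directory. The function name `resolve_include`, the `HEADER_TEMPLATES` map and the `templates/` layout are assumptions made for the illustration.

```php
<?php
// Added example: all names and paths here are hypothetical.

// Allowlist: the request supplies only a short key, never a path.
const HEADER_TEMPLATES = [
    'home'    => 'header_home.php',
    'contact' => 'header_contact.php',
];

// Map a user-supplied key to a file under $baseDir, or return null.
function resolve_include(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, HEADER_TEMPLATES)) {
        return null;                        // unknown key: refuse outright
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . HEADER_TEMPLATES[$key]);
    // Defence in depth: the file must exist and resolve inside the base dir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a template dir plus a "secret" file outside it.
$root = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir("$root/templates", 0700, true);
mkdir("$root/users", 0700, true);
file_put_contents("$root/templates/header_home.php", "<h1>Home</h1>\n");
file_put_contents("$root/users/secretstuff.txt", "secret\n");

// These strings stand in for $_GET['hello'] from post #14.
$inputs = ['home', 'users/secretstuff.txt', '../users/secretstuff.txt', 'contact'];
foreach ($inputs as $input) {
    $file = resolve_include($input, "$root/templates");
    if ($file === null) {
        echo "rejected: $input\n";
    } else {
        echo "include:  $input -> ";
        include $file;
    }
}

// Remove the constructed demo files.
array_map('unlink', glob("$root/*/*"));
rmdir("$root/templates"); rmdir("$root/users"); rmdir($root);
```

The `contact` key is on the allowlist but has no file in the demo directory, so it is rejected by the `realpath` check rather than reaching `include`.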
