<?php
// If the variable isn't specified, set it to your intro/main page.
if (!$pageid) {
    $pageid = "main";
    $include = $pageid . ".htm";
}
else {
    $include = $pageid . ".htm";
}
if (is_file($include) == "1") {
    include $include;
}
else {
    // If the file doesn't exist, include the error page.
    include "404.htm";
}
?>
and use [php_man]basename[/php_man] to remove a possible file path passed by the user. As of PHP 5.0 the ftp wrapper supports stat functionality, so if I pass "ftp://my.server/path/to.file" your script would include ftp://my.server/path/to.file.htm and execute it on your server as if it was a local file.
Heh, that script isn't too secure... as weirdman said... someone can force PHP code to be executed on your server and pretty much delete all your files if they wanted.
Last edited by John Cartwright on Tue Nov 09, 2004 8:04 pm, edited 2 times in total.
That would prevent a user from including something off their site, but someone could still do ../../../../password or something and read out some of your own files.
Get rid of any characters that are not a-z or 0-9, and do the path/on/server thing too.
A switch is always more secure than putting a variable into an include(); ... it just depends on how many files there are to include. Obviously you would not write a switch for 300 files.
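$include_root = '/path/to/your/site/modules/'; // user can include anything under this dir and its subdirs
// realpath() resolves ../ and symlinks, and returns false if the file does not exist
$module = realpath($include_root . $_GET['module']);
// reject anything that does not resolve to a path under $include_root
if ($module === false || substr($module, 0, strlen($include_root)) !== $include_root || !file_exists($module))
    die("Break-in attempt.");
else
    include $module;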
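The suggestions made across this thread (strip everything but a-z and 0-9, use a fixed list as a switch would, and check the resolved path against the include root) can be combined into one resolver. This is an added example, not code from any of the posters; the function name `resolve_page`, the page names and the temporary directory are assumptions made for the demo.

```php
<?php
// Added example, not from the thread. resolve_page() and the page names are hypothetical.

// Resolve a user-supplied page id to a file under $root, or return null.
function resolve_page(string $root, $pageid, array $allowed): ?string
{
    // Arrays (?pageid[]=x) and other non-strings are rejected outright.
    if (!is_string($pageid) || $pageid === '') {
        return null;
    }
    // Only a-z and 0-9: no dots, slashes or colons, so neither "../"
    // traversal nor an "ftp://" wrapper URL can reach include.
    if (!preg_match('/\A[a-z0-9]+\z/', $pageid)) {
        return null;
    }
    // Allowlist: the same guarantee as a switch, kept as data.
    if (!in_array($pageid, $allowed, true)) {
        return null;
    }
    // Canonicalise both sides, then require containment under the root.
    $base = realpath($root);
    $path = realpath($root . DIRECTORY_SEPARATOR . $pageid . '.htm');
    if ($base === false || $path === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $base, strlen($base)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory stands in for the site's page directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
mkdir($root);
file_put_contents($root . DIRECTORY_SEPARATOR . 'main.htm', '<p>main</p>');

// Inputs: a valid page, the two strings quoted in the thread, an allowed
// name with no file behind it, and an array parameter.
$inputs = ['main', '../../../../password', 'ftp://my.server/path/to.file', 'news', ['x']];
foreach ($inputs as $in) {
    $resolved = resolve_page($root, $in, ['main', 'news']);
    echo json_encode($in), ' => ', $resolved === null ? '404.htm' : 'include ' . $resolved, "\n";
}

unlink($root . DIRECTORY_SEPARATOR . 'main.htm');
rmdir($root);
```

Only `main` resolves to a file; every other input falls through to the 404 page, including `news`, which is on the allowlist but has no file in the demo directory.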