PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
Moderator: General Moderators
hob_goblin
Forum Regular
Posts: 978 Joined: Sun Apr 28, 2002 9:53 pm
by hob_goblin » Sat May 18, 2002 10:40 pm
my website has a loophole that lets anyone include any file they want into my little content window,
Code:
    echo "$content";
    // $f2inc is included as-is, with no check on where it points
    if (isset($f2inc)) {
        include($f2inc);
    }
is what i have now, anybody know what I could do to check that "$f2inc" is a file on my server?
EvilWalrus
Site Admin
Posts: 209 Joined: Thu Apr 18, 2002 3:21 pm
Location: Springmont, PA USA
by EvilWalrus » Sat May 18, 2002 11:25 pm
file_exists() and is_file() should help you
hob_goblin
Forum Regular
Posts: 978 Joined: Sun Apr 28, 2002 9:53 pm
by hob_goblin » Sat May 18, 2002 11:49 pm
i know about file_exists() and is_file(), i just want to make sure that it is on MY server, not for instance...yahoo, or something
jason
Site Admin
Posts: 1767 Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA
by jason » Sat May 18, 2002 11:53 pm
hob_goblin wrote: i know about file_exists() and is_file(), i just want to make sure that it is on MY server, not for instance...yahoo, or something
Actually, you don't know about file_exists().
Read http://ca.php.net/manual/en/function.file-exists.php and in particular, the part that says this:
"This function will not work on remote files; the file to be examined must be accessible via the server's filesystem"
volka
DevNet Evangelist
Posts: 8391 Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger
by volka » Sun May 19, 2002 7:09 am
you also know the path of your script. Just make sure the requested file is somewhere in this path (or a subdirectory ... or ... or ...)
and if you let them upload files you may use is_uploaded_file and move_uploaded_file to move these files to a valid directory in your webspace
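The check volka describes (only include a file that resolves to somewhere under a directory of your own script), as an added example that is not part of the original thread. `CONTENT_DIR` and `resolve_include()` are hypothetical names, and both the `content` directory beside the script and reading `f2inc` from `$_GET` are assumptions.

```php
<?php
// Added example, not code from the thread. CONTENT_DIR and resolve_include()
// are hypothetical; a "content" directory beside this script is assumed.
define('CONTENT_DIR', __DIR__ . DIRECTORY_SEPARATOR . 'content');

/**
 * Return the canonical path of $requested if it is a regular file inside
 * $baseDir on the local filesystem, or null otherwise.
 */
function resolve_include(string $requested, string $baseDir = CONTENT_DIR): ?string
{
    // Canonicalise the base first; if it does not exist, nothing is allowed.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // Reject empty input, NUL bytes and anything shaped like a URL or
    // stream wrapper (http://, ftp://, php://, ...).
    if ($requested === '' || strpos($requested, "\0") !== false
        || strpos($requested, '://') !== false) {
        return null;
    }

    // realpath() resolves "..", "." and symlinks, and returns false when the
    // path does not exist on the local filesystem.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }

    // Containment check. The trailing separator stops a sibling such as
    // "/site/content_old" from matching a base of "/site/content".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// In place of the unconditional include($f2inc) from the first post.
// Assumption: the value arrives as the f2inc query parameter.
$f2inc = $_GET['f2inc'] ?? null;
if (is_string($f2inc) && ($file = resolve_include($f2inc)) !== null) {
    include $file;
}
```

Because `include` executes any PHP in the file it loads, the directory used for uploads should not be inside the directory this check allows.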
hob_goblin
Forum Regular
Posts: 978 Joined: Sun Apr 28, 2002 9:53 pm
by hob_goblin » Sun May 19, 2002 1:16 pm
heh you make me feel so stupid, I've only used file_exists() to prompt a script to overwrite or rename a file... I never read that much into it