PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
Okay, first of all, I use includes all the time, but not in this manner.
I have a page where, when a variable is passed, I want to include a file. I have used file.php?id=XX a lot for grabbing information from a DB. However, now I want to include the $value.
In this case it is an HTML page that I want to include. When I first did this I did not use a DB but rather a crude workaround. Like this
If I accept articles I will do that. But for now I enter them all in and I only have to put the file name in there. No one else has access to this part but me. Thanks for the warning though. In my next revision I will have to do that.
If using request data (post/get/cookie/session) in any file or shell operation, you must always check that there can be no manipulation of the path. In general I would say that it is a lot smarter to allow what you expect instead of disallowing what you don't want; that way you are safe if there is something you didn't think about. In some cases, though, it may be required to accept a single dot but not a double.
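The allow-what-you-expect check from the reply above, applied to the file.php?id=XX include from the question. This is an added example, not code posted in the thread; `ARTICLE_DIR` and `resolve_article()` are hypothetical names, and it assumes the articles are static HTML files in one directory.

```php
<?php
declare(strict_types=1);

// Hypothetical directory holding the HTML articles (an assumption, not from the thread).
const ARTICLE_DIR = __DIR__ . '/articles';

/**
 * Return the absolute path of the requested article,
 * or null if the name is not one we expect.
 */
function resolve_article(string $name, string $baseDir = ARTICLE_DIR): ?string
{
    // Allow only what we expect: letters, digits, "_" and "-", with at most
    // one dot before an extension. "..", "/", "\" and NUL bytes never match.
    if (!preg_match('/\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?\z/', $name)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }

    // Second check: once symlinks are resolved, the file must still be
    // inside the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return is_file($path) ? $path : null;
}

// Usage with file.php?id=XX as in the question.
$id   = $_GET['id'] ?? '';
$file = is_string($id) ? resolve_article($id) : null; // ?id[]=x arrives as an array

if ($file === null) {
    http_response_code(404);
    exit('Not found');
}

// Static HTML: output it with readfile() rather than include(),
// so the file's contents are never executed as PHP.
readfile($file);
```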