Mantas Kriauciunas wrote:


 The problem is: if the script is <? if($id) include($id); ?>
 and someone just writes
 test.php?id=/etc/passwd , they see the whole file.
Check that $id is valid. The exact way depends on how the files are laid out.
Example 1: All included files are in the web root and are named something.html, where something can contain letters, underscores and digits.
// Anchor the pattern at both ends: without the trailing $, anything after ".html" is accepted.
// (eregi() was removed in PHP 7; preg_match('/^[a-z0-9_]+\.html$/i', $id) is the equivalent.)
if($id && eregi('^[a-z0-9_]+\.html$',$id)) include($id);


Example 2: The included files are split into several directories, whose names can contain letters, underscores and digits.
// Same idea with one directory level; again anchored with $ so nothing can follow ".html".
if($id && eregi('^[a-z0-9_]+/[a-z0-9_]+\.html$',$id)) include($id);


Sure, this assumes you have nothing to hide in your *.html files.


So how can I make sure that no one can access other people's files or server files? And is there any way to make sure nobody can download PHP files, or to make them show up as code when they are downloaded? Thanks!

P.S. If someone knows good links, please reply to me! Thanks a lot!

---Don't Get Mad, Get Glad, Buy Gladware---
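As an added example (not code from anyone in this thread), here is one way to turn the two eregi() checks above into a single helper that also resolves the path and confirms it stays under a fixed base directory before calling include(). The base directory name, the resolve_page()/safe_include() function names and the temporary test files are assumptions for the demonstration; the regex accepts the same "name.html" and "dir/name.html" shapes as Examples 1 and 2.

```php
<?php
// Added example, not from the original thread.
// Assumed layout: every includable page lives under $baseDir.

function resolve_page(string $baseDir, string $id): ?string
{
    // 1. Syntactic check: optional single directory level, then name.html,
    //    anchored at both ends so nothing can follow ".html".
    if (!preg_match('/^(?:[a-z0-9_]+\/)?[a-z0-9_]+\.html$/i', $id)) {
        return null;
    }

    // 2. Resolve both paths; realpath() returns false if the file is missing.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $id);
    if ($base === false || $full === false) {
        return null;
    }

    // 3. Containment check: the resolved file must sit below the base dir.
    //    This catches symlinks pointing outside the base dir, which the
    //    regex alone cannot see.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

function safe_include(string $baseDir, string $id): bool
{
    $path = resolve_page($baseDir, $id);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

// Self-test with a constructed temporary directory so the script runs offline.
$tmp = sys_get_temp_dir() . '/safe_include_demo_' . getmypid();
mkdir("$tmp/news", 0700, true);
file_put_contents("$tmp/index.html", "<h1>index</h1>\n");
file_put_contents("$tmp/news/today.html", "<p>today</p>\n");

$cases = [
    'index.html'                  => true,
    'news/today.html'             => true,
    '/etc/passwd'                 => false, // absolute path, fails the regex
    '../../etc/passwd'            => false, // traversal, fails the regex
    'index.html/../../etc/passwd' => false, // would pass an unanchored regex
    'missing.html'                => false, // valid name, but the file does not exist
];
foreach ($cases as $id => $expected) {
    $ok = resolve_page($tmp, $id) !== null;
    printf("%-30s %s\n", $id, $ok === $expected ? 'ok' : 'MISMATCH');
}

// A real include of an accepted page prints its contents.
safe_include($tmp, 'index.html');

// Clean up the constructed files.
unlink("$tmp/news/today.html");
unlink("$tmp/index.html");
rmdir("$tmp/news");
rmdir($tmp);
```

Run it with `php safe_include.php`; every case should print "ok" followed by the contents of index.html. The regex does the job the thread describes, and the realpath() containment check is the extra step that keeps a stray symlink inside the pages directory from pointing the include somewhere else.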



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php