Hello Marek,
Thanks for the answer, but i think you misunderstood me because of my
bad english. What i mean is the people with that code can access and
view files on any place on my server and see the passwords stored in
some files, decode them, and do stuff like that. I wanted to know how
to prevent that from happening? If the people make file like this, how
to protect myself so they could not view the /etc/passwd file?
Thursday, July 10, 2003, 5:13:33 AM, you wrote:
MK> Mantas Kriauciunas wrote:
>> The problem is
>> if the make script <? if($id) include($id); ?>
>> and then just write
>> test.php?id=/etc/passwd , they see all the file.
MK> Check if $id is valid. Exact way depends on the structure of the files.
MK> Example 1: All included files are in web root and are named
MK> something.html, something can contain letters, underscore, digits.
MK> if($id && eregi('^[a-z0-9_]+\.html',$id)) include($id);
MK> Example 2: The included files split into several directories, which can
MK> contain letters, underscore, digits.
MK> if($id && eregi('^[a-z0-9_]+/[a-z0-9_]+\.html',$id)) include($id);
MK> Sure, this assumes you have nothing to hide in your *.html files.
>>
>> So how to make sure that no one can access other people files and
>> server files? and is there any way that nobody would be able to
>> download php files or how to make them look like code when they are
>> downloaded. Thanks!
>>
>> P.S If someone knows good links please reply me! thanks a lot!
>>
>> ---Don't Get Mad, Ged Glad , Buy Gladware---
>>
--
Best regards,
Mantas mailto:[EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
