> It's late, I've had a couple of beers, and in the morning I'll spend some
> effort trying to imagine such issues. In the meantime I'd welcome any
> real-life examples.

::start.php::
<?php
  $auth = "/path/passwds";   // intended value, assigned before the include
  include "header.php";
?>

::header.php::
<?php
    $fp = fopen($auth, 'r'); // relies on $auth already being set by the includer
    // ...
?>

When header.php is included in the context of start.php then $auth is
perfectly initialized and there is no security problem.  However, if you
allow people to execute header.php by itself, they could do:

  http://www.your_domain.com/header.php?auth=/etc/passwd

And you could have a problem on your hands.

> To my mind, you've two basic contexts: common functions & static data.
> It's pointless in naming one .php and the other .inc; it means nothing to
> the program (whereas in C if you switch around the *.c & *.h; yea verily,
> your Makefile will care).

To me it isn't pointless at all as it identifies files that are meant to
be accessed directly versus ones that aren't.

-Rasmus
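The pattern Rasmus describes (a helper file that uses a variable it expects the including file to have set) can be closed off in two ways: make the helper refuse to run unless it was reached through a real entry point, and take the sensitive path from a constant, which register_globals cannot overwrite from the query string. The listing below is an added illustration and not code from the original mail; it shows both hardened files in one listing, with the file names `start.php` and `header.php` taken from the example above and the constant names `IN_APP` and `AUTH_FILE` chosen here.

```php
<?php
// Added example (not Rasmus's code). Assumes register_globals is on, as in
// the original example, so a request parameter can become a PHP variable.

// ---- start.php (the only file meant to be requested directly) ----
define('IN_APP', true);               // marks this request as coming via an entry point
define('AUTH_FILE', '/path/passwds'); // a constant: the request cannot replace it
require 'header.php';

// ---- header.php (helper; never a valid entry point) ----
// 1. Refuse to run when requested directly, e.g. /header.php?auth=/etc/passwd
if (!defined('IN_APP')) {
    header('HTTP/1.0 403 Forbidden');
    exit('header.php is not an entry point');
}

// 2. Use the constant, not an ambient variable. Even through start.php, a
//    variable named $auth could have been seeded from the request before the
//    including file assigned it; AUTH_FILE has exactly one source.
$fp = fopen(AUTH_FILE, 'r');
if ($fp === false) {
    exit('cannot open password file');
}
// ... read and use the file, then close it
fclose($fp);
```

The guard constant only helps if every include file checks it, so it is worth combining with Rasmus's naming convention (or, better, keeping `.inc` files outside the web root entirely) so that direct requests for helper files cannot reach PHP at all.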


-- 
PHP General Mailing List (http://www.php.net/)