Outlook Express added a .dat extension to the "1" file... The actual files I'm working with do NOT have extensions. Just wanted to clear that up.
--
Kyrie Eleison,
Rick
www.spiritsword.com/phpBB2/

Rick Beckman wrote:
> song.php is the file that I'm using as my template file, and it calls
> information from the includes/ directory, which the file "1" would be
> in. If someone would please look at song.php (I stripped it down to
> the basics pretty much) and let me know the best and most secure way
> to do what I want it to do. When finished, the includes directory
> will have dozens of files (numbered 1 and up), as you can see from
> the dropdown list in song.php. Thanks for the help.
>
>
> Rick Beckman wrote:
>> Okay, I was mistaken... There is a gaping security hole in my simple
>> li'l script... How do I modify it to only accept files from a certain
>> path? I want the url format to be script.php?call=1 where "1" is the
>> called file in the /includes/ directory. Just when I get optimistic I
>> leave the entire system exposed. Yeah, that fits with my luck. :-)
>>
>>
>> Rick Beckman wrote:
>>> Sarcasm aside, I do have the script set up (although I didn't note
>>> so in the last response) to not accept files with '.' or '..' in the
>>> path. The URL can accept directories within the one the PHP script
>>> is in, but not in a different path or any directory above its own
>>> (i.e., the server files).
>>>
>>>
>>> John W. Holmes wrote:
>>>>> I have a page set up that loads the contents of a text file into
>>>>> an HTML template using PHP. (i.e. something.com/page.php?include=1
>>>>> where "1" is a simple no-extension text file in the same directory
>>>>> as page.php). Is there a
>>>>> way to modify the PHP code in the template page to search for the
>>>>> included page in another directory? Right now, the only way to do
>>>>> it is to have the URL as "page.php?include=files/1".
>>>>>
>>>>> Currently, here is the code I use to take the $include URL
>>>>> variable and make the file accessible in the template:
>>>>>
>>>>> $info = file($include);
>>>>
>>>> Can I get the URL to your server, please, so I can pull up
>>>> page.php?include=/etc/passwd ?? Thanks, I would really appreciate
>>>> that.
>>>>
>>>> But seriously, I really hope you are validating what $include is.
>>>>
>>>> If you want the file to be included from a different directory,
>>>> then you have to pass some flag/variable to PHP to tell it where
>>>> to look. If you always want it to be in the same dir, then use
>>>>
>>>> $info = file('files/' . $include);
>>>>
>>>> ---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
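
One way to restrict script.php?call=1 to files inside includes/, as an added example that is not code from the thread or from song.php: it allow-lists the numeric file names described above instead of filtering out '.' and '..', then confirms the resolved path is still under includes/. The helper name resolve_song_file(), the six-digit limit and the 404 response are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions: song files live in
// an includes/ directory next to this script and are named 1, 2, 3, ...
// with no extension; resolve_song_file() is a hypothetical helper name.

function resolve_song_file(string $call, string $baseDir): ?string
{
    // Allow-list: a positive integer of at most six digits, no leading zero.
    // Anything containing '/', '.', a NUL byte or a URL scheme fails here.
    if (preg_match('/\A[1-9][0-9]{0,5}\z/', $call) !== 1) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory missing
    }

    // realpath() resolves symlinks, so a link inside includes/ that points
    // elsewhere is caught by the prefix check below.
    $path = realpath($base . DIRECTORY_SEPARATOR . $call);
    if ($path === false || !is_file($path)) {
        return null; // no such song
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside includes/
    }
    return $path;
}

// Reject arrays (?call[]=1) and missing values before validation.
$call = isset($_GET['call']) && is_string($_GET['call']) ? $_GET['call'] : '';
$path = resolve_song_file($call, __DIR__ . '/includes');

if ($path === null) {
    http_response_code(404);
    exit('Song not found');
}

// file() returns the song's lines; escape them before they reach the template.
$info = array_map(
    static fn(string $line): string => htmlspecialchars($line, ENT_QUOTES, 'UTF-8'),
    file($path, FILE_IGNORE_NEW_LINES) ?: []
);
```

Keeping includes/ outside the web root, where the host allows it, also stops the numbered files from being fetched directly.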