programmer@xxxxxxxxxxxxxxx wrote:
Building on your patch you'd want to incorporate basename(). You never want to accept directory traversal attempts into variables.Patch: } elseif (isset($lang)) { if (eregi('[A-Za-z]', $lang)) { if (file_exists("language/lang-".$lang.".php")) { include_once("language/lang-".$lang.".php"); $currentlang = $lang; }else { include_once("language/lang-english.php"); $currentlang = "english";} }else {include_once("language/lang-english.php"); $currentlang = "english"; } } else { ///////////////////////////////////////////////////////////////////////////////////////////////// Best Regards Aleksandar Programmer and Web Developer ///////////////////////////////////////////////////////////////////////////////////////////////
Paul Laudanski, CastleCops http://www.linkedin.com/pub/1/49a/17b Submit Phish: www.castlecops.com/pirt www.castlecops.com | de.castlecops.com | wiki.castlecops.com
