On Fri, March 30, 2007 8:18 am, Zoltán Németh wrote:
> actually I don't know what the problem is, but I would do it in a much
> shorter way:
>
> $pagename = $_GET['catcode'];
> if(file_exists("$pagename")) {
> include "$pagename";
> } else {
> include "404.php";
> }
You really ought to be filtering the $_GET data here...
http://example.com/categories.php?pagename=/etc/passwd
will pretty much blindly dump out a file you should not be exposing.
Also, as a matter of style:
"$pagename" is just kinda silly...
It takes a string and embeds it into a string with, err, nothing else,
and so you end up with the "same" string, only making PHP do extra
work to get there.
Actually, I suppose PHP might be smart enough to optimize this away...
But it looks silly, on the surface at least.
--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
