Jochem Maas wrote:
You don't need to basename() it, you already know what the filename is,
because it was requested via $_GET['file'].
I would say almost the opposite:
Let me rephrase: if you are properly validating the $_GET['file'] input
anyway, basenaming it is a superfluous step that may hide possible
attack attempts. Personally, I'd rather know if someone was messing
around with a parameter.
Cheers,
Rich
--
Zend Certified Engineer
http://www.corephp.co.uk
"Never trust a computer you can't throw out of a window"
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
