Re: How far out of practice am I? Look inside to find out!


On 28.04.2016 at 17:38, Jason Pruim wrote:

> $position = htmlentities($_POST["selPosition"], ENT_QUOTES);
> 
> echo "/includes/".$position.".inc";
> 
> So the file exists in /includes/LES.inc and it populates it properly. I've
> tried echo, I've tried include"/includes/".$position.".inc"; and I can't
> figure out what I'm missing...

As Stuart already said: you have to use a valid path (./includes/...
would do).

Anyway, the bigger problem is that the code appears to have a file
inclusion vulnerability; consider somebody posts something like
&selPosition=../../etc/passwd.

So ideally you'll want to check the posted selPosition against a
whitelist of allowed files, or at least you'll want to make sure that
there's no directory traversal possible.

-- 
Christoph M. Becker
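One way to apply the whitelist advice above, as an added example that is not code from either poster: the posted value is used only as a lookup key into a fixed map, and the resolved path is then checked to stay inside the include directory. The directory layout (./includes next to the script) and the allowed values (LES, MGR) are assumptions for the example.

```php
<?php
// Added example, not from the thread. Assumes the .inc files live in
// ./includes relative to this script; the allowed values are constructed.
// Note: htmlentities() does not touch "../" sequences, so it is no defence
// against traversal; the whitelist below is what prevents it.

// 1. Whitelist: the request value is only ever an array key, never a
//    path fragment, so "../../etc/passwd" simply fails the lookup.
const ALLOWED_POSITIONS = [
    'LES' => 'LES.inc',
    'MGR' => 'MGR.inc',   // constructed placeholder entry
];

function resolveInclude(string $position, string $includeDir): ?string
{
    if (!array_key_exists($position, ALLOWED_POSITIONS)) {
        return null; // unknown value: refuse rather than build a path
    }
    return $includeDir . '/' . ALLOWED_POSITIONS[$position];
}

// 2. Defence in depth: confirm the resolved file really sits under the
//    include directory (catches a mistaken whitelist entry or symlink).
function isInsideDir(string $path, string $baseDir): bool
{
    $realBase = realpath($baseDir);
    $realPath = realpath($path);
    if ($realBase === false || $realPath === false) {
        return false; // missing file or directory: treat as not allowed
    }
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    return strncmp($realPath, $prefix, strlen($prefix)) === 0;
}

// Relative to the script, not the filesystem root (the thread's first bug).
$includeDir = __DIR__ . '/includes';
$position   = $_POST['selPosition'] ?? '';

$file = resolveInclude($position, $includeDir);
if ($file === null || !isInsideDir($file, $includeDir)) {
    http_response_code(400);
    exit('Unknown position');
}
include $file;
```

With this in place a request for selPosition=LES includes ./includes/LES.inc, while any value not in the map (including traversal strings) gets a 400 and never reaches include.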


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
