Only if register_globals is on can that reset a variable.
You are correct though, defining directory paths is safer.

Thank you,
Micah Gersten
onShore Networks
Internal Developer
http://www.onshore.com

Joseph Crawford wrote:
> read up on register_globals. It is a security risk because if I do
> http://domain.com/file.php?plugins_directory=/directory/
>
> it can reset your variable.
>
> the best way to do that is to make PLUGINS_DIR a constant
>
> define('PLUGINS_DIR', '/directory/');
>
> Joseph Crawford
>
> On Sep 23, 2008, at 12:58 PM, michael wrote:
>
>> I get an error stating that this line in my code is a security risk
>> when I code it.
>>
>> require_once($PLUGINS_DIRECTORY."forum/forum.php");
>>
>> here is what the explanation is:
>>
>> include() or analogous is used with variable argument this can be
>> dangerous since variables are in many cases controlled by remote users.
>>
>> the recommended solution is to write it this way
>>
>> define('SCRIPT_PATH',"/htdocs");
>> include (SCRIPT_PATH."/Foo.inc");
>>
>> my question is why is the other way safer? I'm kinda confused..
>>
>> --
>> PHP Database Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
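
The behaviour discussed in this thread, as an added example that is not part of any of the messages: register_globals was removed in PHP 5.4, so the import of request parameters is simulated by the hypothetical helper import_request(), and the request data, allowlist and path_from_*() helpers are constructed for illustration. It shows that a request value reaches the include path only when the script has not assigned the variable itself, and that a constant is unaffected either way.

```php
<?php
// Added example, not code from the thread. All request data is constructed.
declare(strict_types=1);

define('PLUGINS_DIR', '/directory/');    // the constant suggested in the thread

/** Simulates register_globals: request parameters become plain variables. */
function import_request(array $request, array $scope): array
{
    foreach ($request as $name => $value) {
        $scope[$name] = $value;
    }
    return $scope;
}

/** Path built from a variable: whatever is in scope at include time wins. */
function path_from_variable(array $scope): string
{
    return ($scope['PLUGINS_DIRECTORY'] ?? '') . 'forum/forum.php';
}

/** Path built from the constant plus an allowlisted plugin name. */
function path_from_constant(string $plugin): string
{
    $allowed = ['forum'];                // constructed allowlist
    if (!in_array($plugin, $allowed, true)) {
        throw new InvalidArgumentException("unknown plugin: $plugin");
    }
    return PLUGINS_DIR . $plugin . '/' . $plugin . '.php';
}

// Constructed request; the parameter is spelled like the variable because
// PHP variable names are case-sensitive.
$request = ['PLUGINS_DIRECTORY' => '/somewhere/else/'];

// Case 1: the file is requested directly and never assigns the variable.
$scope = import_request($request, []);
echo 'variable, unassigned: ', path_from_variable($scope), "\n";

// Case 2: the script assigns the variable after the import; its value wins.
$scope = import_request($request, []);
$scope['PLUGINS_DIRECTORY'] = '/directory/';
echo 'variable, assigned:   ', path_from_variable($scope), "\n";

// Case 3: the constant ignores the request, and define() refuses to
// redefine it (returns false; the warning is silenced with @).
echo 'constant:             ', path_from_constant('forum'), "\n";
var_dump(@define('PLUGINS_DIR', $request['PLUGINS_DIRECTORY']));
```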