[PHP] Re: How far out of practice am I? Look inside to find out!
- Date: Fri, 29 Apr 2016 14:43:06 +0200
- From: Christoph Becker <cmbecker69@xxxxxx>
- Subject: [PHP] Re: How far out of practice am I? Look inside to find out!
On 28.04.2016 at 17:38, Jason Pruim wrote:
> $position = htmlentities($_POST["selPosition"], ENT_QUOTES);
> echo "/includes/".$position.".inc";
> So the file exists in /includes/LES.inc and it populates it properly. I've
> tried echo, I've tried include"/includes/".$position.".inc"; and I can't
> figure out what I'm missing...
As Stuart already said: you have to use a valid path (./includes/...
Anyway, the bigger problem is that the code appears to have a file
inclusion vulnerability; consider somebody posts something like
So ideally you'll want to check the posted selPosition against a
whitelist of allowed files, or at least you'll want to make sure that
there's no directory traversal possible.
Christoph M. Becker
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
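The whitelist approach Christoph recommends, as an added example that is not code from the thread or its participants. It assumes the include files live in ./includes/ next to the script and that a constant ALLOWED_POSITIONS (introduced here) holds the only posted values that map to a file.

```php
<?php
// Added example (not from the mailing-list thread): resolve a user-supplied
// "position" to an include file via an explicit whitelist, so the posted
// value is never used directly as a path component.
// Assumption: include files live in ./includes/ and are named <KEY>.inc.
declare(strict_types=1);

// Keys are what the form may post; values are the basenames on disk.
const ALLOWED_POSITIONS = [
    'LES' => 'LES.inc',
    // 'MGR' => 'MGR.inc',  // extend as more positions are added
];

/**
 * Map the posted value to an absolute include path, or return null when
 * the value is not whitelisted or the file does not exist.
 * realpath() acts as a second line of defence: even a misconfigured
 * whitelist entry cannot resolve to a file outside $baseDir.
 */
function resolveIncludePath(string $posted, array $allowed, string $baseDir): ?string
{
    if (!array_key_exists($posted, $allowed)) {
        return null;                       // not whitelisted: refuse
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$posted]);
    if ($base === false || $path === false) {
        return null;                       // directory or file missing
    }
    // The resolved file must sit strictly inside the includes directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$position = $_POST['selPosition'] ?? '';
$file = resolveIncludePath($position, ALLOWED_POSITIONS, __DIR__ . '/includes');

if ($file === null) {
    http_response_code(400);
    // Log rejected values: repeated rejections are a useful detection signal.
    error_log('Rejected selPosition value: ' . $position);
    exit('Unknown position.');
}

// $file is absolute, which also sidesteps the "/includes/" vs "./includes/" path issue.
include $file;
```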