
Re: help with javascript

Posted: Mon Oct 25, 2010 6:39 pm
by netmaestro
Thanks, I'll have a play with that. All of PHP is new to me so it's all good learning fodder, ugly or not. :mrgreen:

Re: help with javascript

Posted: Tue Oct 26, 2010 1:37 pm
by srod
netmaestro wrote: Thanks, I'll have a play with that. All of PHP is new to me so it's all good learning fodder, ugly or not. :mrgreen:
It shouldn't matter that you're not as good-looking as I, Netty; PHP is for all. :)

Mind you, I do look like a mule!

Re: help with javascript

Posted: Tue Oct 26, 2010 4:19 pm
by Nituvious
[image]
:mrgreen:

Re: help with javascript

Posted: Tue Oct 26, 2010 8:12 pm
by srod
:lol:

Re: help with javascript

Posted: Wed Oct 27, 2010 4:13 am
by Mistrel
Nituvious wrote: You can use ereg_replace to remove any possibility for directory traversal.
Actually, it's best practice to never use "include" in any instance where the path is obtained from user-editable input, for example '$_GET["page"]'.

Even though you may think that you've parsed it safely, there may be ways around that.

Re: help with javascript

Posted: Wed Oct 27, 2010 11:38 am
by Nituvious
Mistrel wrote:
Nituvious wrote: You can use ereg_replace to remove any possibility for directory traversal.
Actually, it's best practice to never use "include" in any instance where the path is obtained from user-editable input, for example '$_GET["page"]'.

Even though you may think that you've parsed it safely, there may be ways around that.
True, I don't like using include because of the possible exploits. I have allow_url_include turned off, so it "may" be a little safer for my tiny website. I used fopen before, but it became more troublesome. Keep in mind I have only used PHP for about six months, so I'm still new to it!

Re: help with javascript

Posted: Thu Oct 28, 2010 12:06 am
by Mistrel
It doesn't really matter if you turn off allow_url_include. The point is that they can "include" private areas of your website such as config files, .htaccess, etc. The most dangerous part is potentially including a PHP file in such a way that the actual page contents get displayed. Hence, just "don't do it".
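To put Mistrel's two points side by side (a sanitised include is still an include, and allow_url_include only stops remote URLs), here is an added example that is not code from anyone in this thread. It contrasts the `include($_GET["page"])` pattern with a one-pass "strip ../" filter of the kind ereg_replace would give you, and with an allowlist that never turns request data into a path. The `PAGE_MAP` table, the `pages/` layout and the function names are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). PAGE_MAP, resolve_page() and the
// pages/ directory layout are hypothetical names chosen for this demo.

// 1. INSECURE: the include path is built straight from the request value.
//    allow_url_include=Off blocks http:// includes but does nothing for local
//    files, so ?page=../config still reaches config.php one level up.
function insecure_path(string $base, string $page): string
{
    return $base . '/pages/' . $page . '.php';
}

// 2. STILL INSECURE: a single-pass "remove ../" filter. The sequence "....//"
//    loses its middle "../" and collapses to "../" after the replacement.
function naive_sanitize(string $page): string
{
    return str_replace('../', '', $page);
}

// 3. HARDENED: the request carries a key, not a path. The key selects a file
//    from a fixed table, and the resolved path is confirmed to sit under pages/
//    (guards against a stray symlink or misconfigured base directory).
const PAGE_MAP = ['home' => 'home.php', 'about' => 'about.php'];

function resolve_page(string $base, string $page): ?string
{
    if (!array_key_exists($page, PAGE_MAP)) {
        return null;                          // unknown key: refuse, never guess
    }
    $dir  = realpath($base . '/pages');
    $full = $dir === false ? false : realpath($dir . '/' . PAGE_MAP[$page]);
    if ($full === false || strpos($full, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;                          // resolved outside pages/: refuse
    }
    return $full;
}

// --- constructed demo layout: pages/home.php plus a private config.php above it
$base = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir("$base/pages", 0700, true);
file_put_contents("$base/pages/home.php", "<?php echo 'home';");
file_put_contents("$base/config.php", "<?php \$db_password = 'secret';");

// Constructed request values; PHP has already URL-decoded $_GET, so rawurldecode
// reproduces what the script would actually see for each one.
foreach (['home', '../config', '....//config', '..%2Fconfig'] as $input) {
    $page = rawurldecode($input);
    printf("input %-14s raw:       %s\n", $input, insecure_path($base, $page));
    printf("%-20s filtered:  %s\n", '', insecure_path($base, naive_sanitize($page)));
    printf("%-20s allowlist: %s\n", '', resolve_page($base, $page) ?? 'rejected');
}

// tidy up the temporary files
unlink("$base/pages/home.php");
unlink("$base/config.php");
rmdir("$base/pages");
rmdir($base);
```

Run it with `php lfi_demo.php`: the "raw" line shows `../config` resolving to the private `config.php`, the "filtered" line shows `....//config` surviving the strip as `../config`, and the allowlist rejects everything except `home`. Two further caveats match Mistrel's post: appending `.php` is not a defence (PHP before 5.3.4 truncated paths at a `%00` byte, and `.htaccess`-style files need no suffix if the code does not add one), and the `php://filter` wrapper is a local stream, so `php://filter/convert.base64-encode/resource=config.php` discloses source through `include` even with allow_url_include off.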