To tell you the truth, I don't see a problem. BTW your PHP code kinda sucks for updating, you could always do it like this preferably:
Code:
$site_main = 'home.php';
if (empty($_GET['p'])) {
    // no page requested: show the main page
    include($site_main);
} else {
    // basename() strips any directory part, so "../" cannot reach another folder;
    // the stripped name is the one that gets checked and included
    $incfile = basename($_GET['p']) . '.php';
    if (file_exists($incfile)) {
        include($incfile);
    } else {
        include($site_main);
    }
}
I only constructed this code just now, but it works, I can assure you.
The basename func doesn't allow the address to be screwed into displaying data from a different folder; also the script checks if the file exists (if it doesn't, it just displays $site_main). If you're handy you can even add a preg_match to check for a 'www' or a 'http' in the string so as to prevent a user maliciously using data from another server, or strip out the HTML and slashes.
Although he probably won't get far with the folder restriction in place.
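The post above relies on basename() plus file_exists() to keep a $_GET-driven include inside one folder. The following is an added example written for this page, not code from the poster, showing the same idea carried a step further: the page name is filtered with a preg_match before any filesystem call (the check the post suggests for 'www'/'http', generalised to a strict character allowlist), the candidate is resolved with realpath(), and the result is only included if it lies under a dedicated pages directory. The directory layout (pages/home.php, pages/about.php) and the parameter name p are assumptions.

```php
<?php
// Added example, not from the original post. Assumed layout:
//   pages/home.php, pages/about.php, ...   (only these may ever be included)
declare(strict_types=1);

const PAGES_DIR    = __DIR__ . '/pages';   // assumed location of includable pages
const DEFAULT_PAGE = 'home';

/**
 * Map a user-supplied page name to an absolute path inside PAGES_DIR.
 * Returns null whenever the caller must fall back to the default page.
 */
function resolve_page(?string $requested): ?string
{
    if ($requested === null || $requested === '') {
        return null;
    }

    // Character allowlist: letters, digits, dash, underscore only.
    // This rejects slashes, dots, NUL bytes and URL schemes (http://, www.)
    // before the name is used in any path at all.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        return null;
    }

    $candidate = PAGES_DIR . '/' . $requested . '.php';

    // realpath() returns false for files that do not exist and resolves
    // symlinks, so a link pointing out of PAGES_DIR is caught by the
    // prefix check below rather than silently followed.
    $real = realpath($candidate);
    $base = realpath(PAGES_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $real;
}

if (PHP_SAPI === 'cli') {
    // Self-check with constructed inputs: each of these must be rejected
    // regardless of which files exist, because it fails the character filter.
    $bad = ['../secret', 'http://example.invalid/x', "home\0", 'a/b', 'www.example.invalid'];
    foreach ($bad as $input) {
        if (resolve_page($input) !== null) {
            throw new RuntimeException("filter let through: " . addcslashes($input, "\0..\37"));
        }
    }
    echo "input filter OK\n";
} else {
    // Normal web request: fall back to the default page on any rejection.
    $page = resolve_page($_GET['p'] ?? null)
         ?? PAGES_DIR . '/' . DEFAULT_PAGE . '.php';
    include $page;
}
```

Run it from the command line (php router.php) to exercise the filter with the constructed inputs; under a web server it behaves as a drop-in for the snippet in the post. The design choice worth noting is the order of the checks: the regex decides on the raw string, so nothing derived from user input reaches the filesystem unless it is already known to be a plain page name, and the realpath() prefix comparison is a second, independent confinement of where an include can point.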